Evidence Detection in Cloud Forensics
Source: ieee-dataport.org, indexed 2025-03-23
Download link:
https://ieee-dataport.org/open-access/evidence-detection-cloud-forensics
Resource description:
Cloud forensics differs from conventional digital forensics because of the architectural implementation of the cloud. In an Infrastructure as a Service (IaaS) cloud model, virtual machines (VMs) deployed over the cloud can be used by adversaries to carry out a cyber-attack, using the cloud as the attack environment. Investigation of such a crime requires sufficient evidence data to prove the attack in a court of law. Electronic evidence (EE) is any data that produces information relevant to the investigation. Identifying evidence among the data generated in a cloud environment is a tedious and manual process. Adhering to RFC 3227, evidence collection can be carried out once the evidence data has been detected with appropriate triage.

A cyber-attack originating from a VM leaves its trails on the resources that it utilizes. These patterns of attacks on the resources and their properties can be used to detect and acquire evidence data generated in a cloud.

We have generated a dataset using the following settings. To generate the dataset, a private cloud was set up. The system configuration was an Intel® Core™ i5-4590 processor with 12 GB of RAM and a 1 TB HDD. The private cloud was built on a KVM type-1 hypervisor with OpenNebula (version 5.12) as the cloud management platform. To simulate a real-time cloud environment, a script generating a synthetic workload was deployed on the virtual machines of the cloud. An attack was then carried out. The dataset is manually tagged with the known state (attack or normal) of each respective VM.
Provider:
ieee-dataport.org