Requirements for a Forensically Ready Cloud Storage Service

Requirements for a Forensically Ready Cloud Storage Service

Theodoros Spyridopoulos (Democritus University of Thrace, Greece) and Vasilios Katos (Democritus University of Thrace, Greece)
Copyright: © 2011 |Pages: 18
DOI: 10.4018/jdcf.2011070102
OnDemand PDF Download:
No Current Special Offers


This paper examines the feasibility of developing a forensic acquisition tool in a distributed file system. Using GFS and KFS distributed file systems as vehicles and through representative scenarios and examples, the authors develop forensic acquisition processes and examine both the requirements of the tool and the distributed file system must meet in order to facilitate the acquisition. The authors conclude that cloud storage has features that can be leveraged to perform acquisition (such as redundancy and replication triggers) but also maintains a complexity, which is higher than traditional storage systems leading to a need for forensic-readiness-by-design.
Article Preview

2. Background

The term cloud refers to an infrastructure that enables convenient, on-demand network access to a shared pool of resources (e.g., storage, networks, servers, applications and services) that can be rapidly provisioned and released (Mell & Grance, 2009). Cloud systems essentially compose a network of distributed clusters forming a pool of resources ready to be used from clients. The physical distance between the location of each cluster varies from some meters in one data center to thousands of kilometers between data centers located in different countries or even different continents. Thus, when someone uses a cloud, her data are distributed in a network of clusters around the world. To achieve distribution of data, cloud systems make use of a distributed file system (Thanh et al., 2008). Such distributed file systems include Google File System (GFS) (Ghemawat et al., 2003), Hadoop Distributed File System (HDFS) (Hadoop, n. d.), Cloudstore (formerly Kosmos File System) (Cloudstore, n. d.), Sector (Gu & Grossman, 2009) and Ceph (Weil et al., 2006).

Digital forensics in traditional computational environments is a subject thoroughly examined in the last decade. The procedures followed in order to gather digital evidence whilst ensuring admissibility in court (Meyers & Rogers, 2004), are described in standard operating procedures documentation such as the ACPO guidelines (ACPO, 2011). In addition, a variety of forensics acquisition tools has been developed (e.g., the Forensic Toolkit (FTK), EnCase and Foremost) which can automate, to some extent, the collection and analysis of evidence.

However data distribution and resource pooling in a cloud make the investigator’s work much more challenging than in a traditional computational environment as existing digital forensics tools seem inappropriate.

In addition, every country is governed by its own privacy policies and laws. Thus, gathering digital evidence from a cloud’s server that is located in a foreign country, outside of our jurisdiction area, could result in violating the country’s privacy protection legislation (Taylor et al., 2010; Garrison et al., 2010). Still, the legal procedure to gain access to evidence held in a public cloud may lead in acquiring wrong data and result into privacy violations. Grobauer and Schreck (2010) present incident handling issues in the cloud.

Complete Article List

Search this Journal:
Volume 14: 1 Issue (2022)
Volume 13: 6 Issues (2021)
Volume 12: 4 Issues (2020)
Volume 11: 4 Issues (2019)
Volume 10: 4 Issues (2018)
Volume 9: 4 Issues (2017)
Volume 8: 4 Issues (2016)
Volume 7: 4 Issues (2015)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing