VM snapshots for efficient Forensic Investigation

Cloud computing is a technology which allows users to access storage, software, and infrastructure and deployment environment based on a model named “pay-for-what-they-use”. The nature of the cloud environment is that it is multi-tenant and dynamic as there is a need for addressing the various legal, technical and organizational challenges regarding the cloud storage.

With the dynamic nature of the cloud environment, it is possible for digital investigations to be carried out in the cloud environment. Digital forensics has to adhere to a number of steps as it was the case with traditional computer forensics. These steps include Identification, Collection, Examination and Reporting/ Presentation. The first step involves identifying the source of evidence, while the collection phase involves identifying the actual evidence and collecting the necessary data. The examination stage involves analyzing the forensic data, while in the reporting phase, the found evidence is presented in a court of law.

The digital investigators experience challenges as a result of the legal, technical and organizational requirements. If some compromise is made on the part of the CSP, then the evidence which is provided will not be genuine. It might have happened the data you are relying on as evidence was injected by a malicious individual.

A number of digital devices are currently using the cloud, but the investigators are given little chance to obtain the evidence. The available Agreement may not be stating the role of the CSP in carrying out the investigation and its responsibility during the time of happening of the crime. The CSP might have failed to keep logs which are an important part in getting evidence regarding the occurrence of a crime. The investigator also has to rely on the CSP for collection of the necessary log files, and this is not easy. Many researchers have clearly stated that many investigators experience difficulties in trying to collect the log files.

The cloud service provider will provide their clients with a number of different services, and it has been found that only a few customers from the same organization will be accessing the same services. Malicious users are capable of stealing sensitive data from the other users and this can negatively affect the trust of the CSP. There is a need for the cloud to protect against these malicious activities by use of Intrusion Detection Mechanisms for monitoring the customer VMs and in detecting malicious activity.

A user can create his or her physical machine to create a VM. Other than for the user having to request, some cloud software such as the OpenStack and eucalyptus will create snapshots from a VM which is running and then store the snapshots till when the VM has terminated. If you reach the maximum VMs, then the older VMs will be deleted from the system. The snapshots from a cloud environment are a great source of digital evidence and they can be used for the purpose of regenerating events. It is hard for us to store numerous snapshots. The snapshots have also been found to slow the virtual machine, and this is determined by the rate at which it has changed since when it was taken and the period of time for which it is stored.

Malicious activities will always be identified in case the users of the VM carry out actions such as uploading a malware to the systems in our cloud infrastructure, excessive access from a location, or by performing numerous downloads or uploads within a short period of time. Other activities which can be suspicious include cracking of passwords, launching of dynamic attack points and deleting or corrupting some sensitive organization data.