VM snapshots for efficient Forensic Investigation

Cloud computing is a technology which allows users to access storage, software, and infrastructure and deployment environment based on a model named “pay-for-what-they-use”. The nature of the cloud environment is that it is multi-tenant and dynamic as there is a need for addressing the various legal, technical and organizational challenges regarding the cloud storage.

With the dynamic nature of the cloud environment, it is possible for digital investigations to be carried out in the cloud environment. Digital forensics has to adhere to a number of steps as it was the case with traditional computer forensics. These steps include Identification, Collection, Examination and Reporting/ Presentation. The first step involves identifying the source of evidence, while the collection phase involves identifying the actual evidence and collecting the necessary data. The examination stage involves analyzing the forensic data, while in the reporting phase, the found evidence is presented in a court of law.

The digital investigators experience challenges as a result of the legal, technical and organizational requirements. If some compromise is made on the part of the CSP, then the evidence which is provided will not be genuine. It might have happened the data you are relying on as evidence was injected by a malicious individual.

A number of digital devices are currently using the cloud, but the investigators are given little chance to obtain the evidence. The available Agreement may not be stating the role of the CSP in carrying out the investigation and its responsibility during the time of happening of the crime. The CSP might have failed to keep logs which are an important part in getting evidence regarding the occurrence of a crime. The investigator also has to rely on the CSP for collection of the necessary log files, and this is not easy. Many researchers have clearly stated that many investigators experience difficulties in trying to collect the log files.

The cloud service provider will provide their clients with a number of different services, and it has been found that only a few customers from the same organization will be accessing the same services. Malicious users are capable of stealing sensitive data from the other users and this can negatively affect the trust of the CSP. There is a need for the cloud to protect against these malicious activities by use of Intrusion Detection Mechanisms for monitoring the customer VMs and in detecting malicious activity.

A user can create his or her physical machine to create a VM. Other than for the user having to request, some cloud software such as the OpenStack and eucalyptus will create snapshots from a VM which is running and then store the snapshots till when the VM has terminated. If you reach the maximum VMs, then the older VMs will be deleted from the system. The snapshots from a cloud environment are a great source of digital evidence and they can be used for the purpose of regenerating events. It is hard for us to store numerous snapshots. The snapshots have also been found to slow the virtual machine, and this is determined by the rate at which it has changed since when it was taken and the period of time for which it is stored.

Malicious activities will always be identified in case the users of the VM carry out actions such as uploading a malware to the systems in our cloud infrastructure, excessive access from a location, or by performing numerous downloads or uploads within a short period of time. Other activities which can be suspicious include cracking of passwords, launching of dynamic attack points and deleting or corrupting some sensitive organization data.

DLP (Data Loss Prevention) in the Cloud

Most organizations have moved their sensitive data to the cloud, but they lack policy controls for the cloud data. Research has shown that 21% of the documents uploaded to the cloud have sensitive data such as protected health information (PHI), personally identifiable information (PII), intellectual property or payment card data and this creates concerns in terms of cloud compliance. In the year 2014, breaches in cloud data rose.
Most organizations have made an investment in tools for data loss prevention so as to protect loss or theft of their on-promise information and adhere to data compliance laws. The problem is that most of these tools have been made to protect data contained in emails and file servers, meaning that they address issues to do with mobile security and cloud governance since the data will always be passed to unsanctioned cloud services which are regularly accessed by unsecured devices. It has been found each average organizations will upload 3.1GB of data each day, and it is expected that 1/3 of organization data will be in the cloud by 2016. You have to recognize that migration of unprotected data to the cloud is risky, thus, there is a need for any organization to extend data prevention policies to take care of the data in the cloud to protect against being exposed.
Whenever you are addressing DLP, consider the following requirements:
1. Know the activity-level usage in your apps, and then use DLP to identify the activities dealing with sensitive data, anomalies and non-compliant behavior.
2. The cloud DLP software to be used should know the context which surrounds all the activity whenever you are dealing with sensitive data.
3. Restrictions and controls should be formulated in the organization to ensure that sensitive data is used safely.
4. Cloud activities should be tracked at app, user and activity level for compliance and auditing purposes.
5. Sensitive content which is residing in the cloud or moving to the cloud apps has been encrypted.


A number of tools for preventing data loss in the cloud have been developed. With NetScope Active Cloud, sensitive data for an organization can be protected from breaches and leaks. The tool provides advanced mechanisms for data loss prevention such as custom regular expressions, over 3000 data identifiers, support for over 500 file types, double-byte characters for international support, proximity analysis, exact match and fingerprinting. Once the tool detects some sensitive data, it use context for narrowing the content down, increasing the accuracy of detection and in reducing false positives.
Skyhigh is another DLP tool, and it extends the ability of an organization to protect against loss of data to the data stored in the cloud. With Skyhigh, DLP policies are enforced in a real-time manner, and we are provided with the capability to carry out an on-demand scan for the data which has been stored in the cloud so as to know whether we have some data outside the cloud policy. When configuring the DLP policies, you can choose a number of policy actions such as quarantine, alert, tombstone, or maybe choose to block the sensitive data from being uploaded to the cloud service. With Skyhigh, you are free to leverage the policies which you have created in other DLP solutions such as the EMC, Symantec, Websense and Intel McAfee using a closed loop remediation.
Symantec is also another tool which provides mechanism for data loss prevention in the cloud. It has partnered with Box, which is an online tool for file sharing and this improves the functionality of the tool. The tool is also expected to extend the data loss prevention of sensitive data which has been stored on mobile devices.