Legalities Over the Cloud and Who Owns your Data

When trying to figure out who has rights to your data there are three things to consider: you, the cloud provider, and the region your data is held in. Many of the issues arise because laws vary: your data might be held in a different country than the one you uploaded from. So, even after you figure out what your agreement is with a Cloud provider, they can be subject to the particular laws of another country; for instance, America has a set of laws known as the Patriot Act which grants the US government access under certain conditions. So even after you figure out who owns the data, and what that means, you might not have control over who is accessing the data.

When you decide on a Cloud provider there are a number of things that you want to look at. One of them is the terms of service, which will most likely define how a provider views your data and what they can do with it. The terms of service will be restricted by your region's governing principles. For instance, in England they have the ‘Copyright and Rights in Databases Regulations 1997’ to help clear up some of the vagaries of this new technological development. The law defines two types of data: one that is protected by copyright law, and one that isn’t but is still regulated in its own way. The existence of the law is a step in the right direction towards clarifying ownership of the information that is being stored in the Cloud.

To confuse this issue even further, some of your information may be stored in your own database while you use a Cloud service to handle it from time to time. Or your Cloud provider may be outsourcing to another Cloud provider, so they may host your information in a storage unit that isn’t their own. Each of these situations has unique problems, and each part of this chain of concerns depends on user agreements and the particular governing bodies. So there is no single solution to answer the question of who owns your data, and as this issue becomes generally understood, hopefully we will see some best practices winning out. I wouldn’t necessarily say there is no way to find out, though. There are some things that can be done to better understand what is happening. Unfortunately, one of those things is reading over all your relevant user agreements, and as one source claims, it would take roughly 250 working hours to read all the user/privacy agreements most of us come across in one year. So you have to balance your need to know with your time, but be warned: the details are important.

Understanding the governing rules of where your data is being held or processed is not insignificant either. Each region is going to have its own governing rules about what happens when data is processed, and the processing of the data may influence who owns the data now that it has been changed. So each step and movement of your data becomes an important issue to consider when deciding on a Cloud provider.

Who owns your data, then? It depends on the governing laws and the user agreement made between you and the Cloud provider. It also depends upon the governing laws of where your data is being held, in addition to the agreements that your cloud provider may be making with their cloud provider. The Cloud has so much under the umbrella of Cloud services that often one type of Cloud provider will outsource to another type of Cloud provider.

VM snapshots for efficient Forensic Investigation

Cloud computing is a technology which allows users to access storage, software, infrastructure and deployment environments based on a model named “pay-for-what-they-use”. The cloud environment is multi-tenant and dynamic, and there is a need to address the various legal, technical and organizational challenges regarding cloud storage.

With the dynamic nature of the cloud environment, it is possible for digital investigations to be carried out in the cloud environment. Digital forensics has to adhere to a number of steps, as was the case with traditional computer forensics. These steps include Identification, Collection, Examination and Reporting/Presentation. The first step involves identifying the source of evidence, while the collection phase involves identifying the actual evidence and collecting the necessary data. The examination stage involves analyzing the forensic data, while in the reporting phase, the evidence found is presented in a court of law.

Digital investigators experience challenges as a result of the legal, technical and organizational requirements. If some compromise is made on the part of the CSP, then the evidence which is provided will not be genuine. The data you are relying on as evidence might have been injected by a malicious individual.

A number of digital devices are currently using the cloud, but investigators are given little chance to obtain the evidence. The available agreement may not state the role of the CSP in carrying out the investigation or its responsibility at the time the crime occurred. The CSP might have failed to keep logs, which are an important part of getting evidence regarding the occurrence of a crime. The investigator also has to rely on the CSP for collection of the necessary log files, and this is not easy. Many researchers have clearly stated that many investigators experience difficulties in trying to collect the log files.

The cloud service provider will provide their clients with a number of different services, and it has been found that only a few customers from the same organization will be accessing the same services. Malicious users are capable of stealing sensitive data from other users, and this can negatively affect trust in the CSP. There is a need for the cloud to protect against these malicious activities by using Intrusion Detection Mechanisms to monitor the customer VMs and detect malicious activity.

A user can use his or her physical machine to create a VM. Without the user having to request it, some cloud software such as OpenStack and Eucalyptus will create snapshots from a VM which is running and then store the snapshots until the VM has terminated. If you reach the maximum VMs, then the older VMs will be deleted from the system. The snapshots from a cloud environment are a great source of digital evidence and they can be used for the purpose of regenerating events. It is hard for us to store numerous snapshots. Snapshots have also been found to slow the virtual machine, and this is determined by the rate at which it has changed since the snapshot was taken and the period of time for which the snapshot is stored.

Malicious activities will always be identified when users of the VM carry out actions such as uploading malware to the systems in our cloud infrastructure, excessive access from a location, or performing numerous downloads or uploads within a short period of time. Other activities which can be suspicious include cracking of passwords, launching of dynamic attack points and deleting or corrupting some sensitive organization data.
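Two of the indicators listed above, numerous uploads or downloads within a short period and excessive access from one location, can be checked over access records with a sliding window and a per-location count. This is an added example, not code from the original article; the record format, the VM, user and location names, and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, VM, user, source location, action.
SAMPLE_LOG = """\
2024-05-01T10:00:00 vm-01 alice site-A login
2024-05-01T10:00:20 vm-01 alice site-A download
2024-05-01T10:05:00 vm-01 alice site-A upload
2024-05-01T10:10:05 vm-02 bob site-B download
2024-05-01T10:10:10 vm-02 bob site-B download
2024-05-01T10:10:15 vm-02 bob site-B upload
2024-05-01T10:10:20 vm-02 bob site-B download
2024-05-01T10:10:25 vm-02 bob site-B download
2024-05-01T11:00:00 vm-03 carol site-C login
2024-05-01T11:00:01 vm-03 dave site-C login
2024-05-01T11:00:02 vm-03 erin site-C login
2024-05-01T11:00:03 vm-03 carol site-C login
"""

def parse(text):
    """Turn each line into (timestamp, vm, user, location, action), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm, user, location, action = line.split()
        events.append((datetime.fromisoformat(ts), vm, user, location, action))
    return sorted(events)

def transfer_bursts(events, window=timedelta(seconds=60), limit=5):
    """(vm, user) pairs with at least `limit` uploads/downloads inside `window`."""
    recent = defaultdict(deque)  # sliding window of transfer times per (vm, user)
    flagged = set()
    for ts, vm, user, _location, action in events:
        if action not in ("upload", "download"):
            continue
        times = recent[(vm, user)]
        times.append(ts)
        while ts - times[0] > window:  # drop transfers older than the window
            times.popleft()
        if len(times) >= limit:
            flagged.add((vm, user))
    return flagged

def excessive_access(events, limit=4):
    """(vm, location) pairs with at least `limit` accesses of any kind."""
    counts = Counter((vm, loc) for _ts, vm, _user, loc, _action in events)
    return {key for key, n in counts.items() if n >= limit}
```

With the default thresholds only bob's five transfers in 20 seconds count as a burst; alice's two transfers are nearly five minutes apart and stay below the limit.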

Logging Framework for Forensic Environments in Cloud Computing

The field of cloud computing has attracted many researchers. It is useful to know the conditions under which data is stored in data centres or processed, and this is where cloud computing forensics takes an interest. The use of cloud computing in forensics has increased as a result of the emergence of new technologies. The architecture of a cloud logging system is layered and is composed of 5 layers, each with its own task. Let us discuss these layers:

The management layer
The modules which are responsible for most operations in the cloud can be found at this level, together with the ones targeted at forensics, like the “Cloud Forensic Module”.

Virtualisation layer
This is the second layer in the architecture, and this is the layer in which we can find the servers and workstations which host our virtual machines. Although the virtual machines are the main building blocks in our environment, it is good for us to have virtualisation enabled in the hardware. A Local Logging Module should be installed in the Cloud Forensic Interface in the physical machine that we have. This module is tasked with gathering the raw data from the virtual machines which are being monitored. The investigator can choose to adjust the amount of data, and can select a particular virtual machine to monitor, or choose to monitor the whole activity which is taking place in the virtual machine.
For the data to be gathered reliably from your virtual machine, the local logging module has to be fully integrated with the running hypervisor inside our physical machine. We have to be careful about the kind of data which we intercept from the virtual machine and then send for further processing. It is possible for any activity to be intercepted, but you will experience some penalties in terms of processing speed and time.

Storage layer
This is the third layer in the logging architecture. It is where the RAW data which has been sent from the modules in the virtualisation layer is stored. The RAW data is sent by the logging modules in the form in which it was gathered from the hypervisor. From this, we can say that the layer has functionality similar to that of a distributed storage.

Analysing layer
This is the fourth layer in the logging architecture. It is responsible for ordering, analysing, aggregating and processing the data which has been stored in the previous layer. As you might have noticed, these processes use computing resources intensively, and this calls for the analysing process to be done in an offline manner, with the results made available to the investigators as soon as the job is ready. Once the process is completed, the investigators will have all the relevant information regarding what happened in the remotely monitored machine, and they will be able to navigate through the activities of the virtual machine so as to know what happened. In most cases, the layer is implemented in the form of distributed computing applications. This is mostly the case when the application needs great computing power.

Storage layer
This is the fifth layer in the architecture. This is where the results published from the rest of the layers are stored. This is the layer at which the forensics investigator will interact with the virtual machine snapshots they are monitoring, and this is done by use of the Cloud Forensic Module which is obtained from the Management layer.