Cloud Forensics

Throughout history, it has been observed that general technological developments have continually created new opportunities for criminal activity. This is also true for the emergence of cloud computing. While the high degree of scalability, very convenient pay-as-you-go service, and low cost computing provided by clouds drive the rapid adoption of clouds, the same features can motivate a malicious individual to launch attacks from machines inside a inside a cloud, or use clouds to store contraband documents . To investigate these type of cases, we need to execute digital forensics procedures in the cloud to determine the facts about an incident, which is known as cloud forensics. Currently, forensics investigators need to depend on the cloud service providers to collect evidence. However, investigators need to believe the CSPs blindly as
they cannot verify whether a cloud provider is providing valid evidence. In this project, we are working towards designing a complete trustworthy forensics-enabled cloud computing architecture.

SecLaaS: Secure Logging-as-a-Service

Collection and analysis of various logs (e.g., process logs, network logs) are fundamental activities in computer forensics. Hence, we first focus on securing various activity logs of cloud users. The current secure logging schemes, which consider the logger as trusted cannot be applied in clouds since there is a chance that cloud providers (logger) collude with malicious users or investigators to alter the logs. We analyze the threats on cloud users’ activity logs considering the collusion between cloud users, providers, and investigators and propose Secure-Logging-as-a-Service (SecLaaS), which can ensure the confidentiality and integrity of logs. Investigators or the court authority can access these logs by the RESTful APIs provided by SecLaaS.

PPDP: Proof of Past Data Possession

One of the key tasks of digital forensics is to prove the presence of a particular file in a given storage system. Unfortunately, it is very hard to do so in a cloud given the black-box nature of clouds and the multi-tenant cloud models where many users share the same storage and the content of the storage changes frequently. In clouds, analyzing the data from a virtual machine instance or data stored in a cloud storage only allows us to investigate the current content of the cloud storage, but not the previous contents. We introduce the idea of building proofs of past data possession in the context of a cloud storage service.

FAL: Forensics Aware Language

Applying a secure logging schemes on heterogeneous formats of logs is tedious. Here, we propose Forensics Aware Language (FAL), a domain-specific language (DSL) through which we can apply a secure logging mechanism on any format of logs. Using FAL, we can define log structure, which represents the format of logs and ensures the security properties of a chosen secure logging scheme. This log structure can later be used by FAL to serve two purposes: it can be used to store system logs securely and it will help application developers for secure application logging by generating the required source code.

CURLA: Cloud-based spam URL Analyzer

To prepare an effective blacklist of phishing websites, it is necessary to analyze possible threats and include the identified malicious sites in the blacklist. URLs collected from spam emails are great source of potential malicious websites. However, the number of URLs acquired from spam emails is quite large and there is a high degree of duplicacy in the URLs extracted from spam emails. Hence, preserving the contents of all the websites causes significant storage waste. Additionally, fetching content from a fixed IP address introduces the possibility of being reversed blacklisted by malicious websites.

In this project, we developed CURLA – a Cloud-based spam URL Analyzer, built on top of Amazon Elastic Computer Cloud (EC2) and Amazon Simple Queue Service (SQS). CURLA allows deduplicating large number of spam-based URLs in parallel, which reduces the cost of establishing equally capable local infrastructure. Our system builds a database of unique spam-based URL and accumulates the content of these unique websites in a central repository. This database and website repository will be a great resource to identify phishing websites and other counterfeit websites. We also developed a Java-based application to help a URL analyst to easily deploy and manage a cloud-based distributed and parallel URL deduplication infrastructure.


Journal Publications

• Shams Zawoad, Marjan Mernik, and Ragib Hasan. “Towards Building A Forensics Aware Language For Secure Logging“, Journal of Computer Science and Information Systems (ComSIS), 2014, Vol. 11, No. 4, pp.1291-1314. [pdf]

• Shams Zawoad and Ragib Hasan, “Digital Forensics in the Cloud“, The Journal of Defense Software Engineering (CrossTalk) Sept 2013, Vol. 26, No 5, pp. 17-20 [pdf]

• Shams Zawoad and Ragib Hasan, “Towards Building Proofs of Past Data Possession in Cloud Forensics”, Academy of Science and Engineering Journal 2012, Vol. 1, Issue 4, pp. 195-207 (Acceptance rate: 3%). [pdf].

Book Chapter

• Shams Zawoad and Ragib Hasan, “Cloud Forensics” in “Encyclopedia of Cloud Computing “, WILEY, 2014. [Amazon]

Conference/Workshop Publications

• Shams Zawoad, Ragib Hasan, Gary Warner, and Anthony Skjellum, “UDaaS: A Cloud-based URL-Deduplication-as-a-Service for Big Datasets”, 4th IEEE International Conference on Big Data and Cloud Computing (BDCloud 2014), Sydney, Australia, December 2014.

• Shams Zawoad, Ragib Hasan, Md Munirul Haque, and Gary Warner, “CURLA: Cloud-Based Spam URL Analyzer for Very Large Datasets“, In Proceedings of the 7th IEEE International Conference on Cloud Computing June 27 – July 2, 2014, Alaska, USA. (Acceptance Rate 20%). [pdf]

• Shams Zawoad, Marjan Mernik , and Ragib Hasan “FAL: A Forensics Aware Language for Secure Logging”, In Proceedings of the 4th Workshop on Advances in Programming Languages (WAPL), 2013. [pdf]

• Shams Zawoad, Amit Dutta, and Ragib Hasan, “SecLaaS: Secure Logging-as-a-Service for Cloud Forensics”, In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2013. (Acceptance rate: 16.2%). [pdf]

• Shams Zawoad and Ragib Hasan, “I Have the Proof: Providing Proofs of Past Data Possession in Cloud Forensics”, In Proceedings of the ASE International Conference on Cyber Security, December 2012. (Acceptance rate: 9.4%). [pdf]