Congratulations to Dr. Shams Zawoad, from SECRETLab, for successfully defending his thesis, titled “Trustworthy and Efficient Forensics in the Cloud”, supervised by Dr. Ragib Hasan.
Dr. Ragib Hasan (UAB CIS), Chair
Dr. Alan Sprague (UAB CIS)
Dr. Purushotham Bangalore (UAB CIS)
Dr. Marjan Mernik (UM FERI)
Dr. Anthony Skjellum (AU CSSE)
The rise of cloud computing has changed the way of using computing services and resources. However, the black-box nature of clouds and the multi-tenant cloud models have brought new security risks, especially in terms of digital forensics. Current cloud computing architectures often lack support for digital forensic investigations since many of the assumptions that are valid for traditional computing environment are invalid in clouds.Current digital forensics tools and procedures rely on the physical access to the evidence. In clouds, computing and storage resources are no longer local and these resources are also shared between multiple cloud users. Hence, even with a subpoena, forensics investigators cannot confiscate a suspect’s computer and get access to the digital evidence that reside in the cloud. Data in the virtual machines (VM) are not also accessible after terminating the VMs. Hence, investigators need to depend on the Cloud Service Providers (CSP) to acquire various important evidence, such as activity logs of VMs, files stored in clouds, VM images, etc. Unfortunately, current cloud architectures do not guarantee that a CSP is providing valid evidence to investigators. A CSP in its entirety or a malicious employee of the CSP can collude with an adversary or a dishonest investigator to tamper with the evidence. Moreover, forensics investigators can also alter the evidence before presenting to a court. Hence, for a reliable digital forensics investigation in clouds, we need to ensure the integrity of the evidence and the privacy of users in the multi-tenant cloud environment.
In this dissertation, we explore techniques for ensuring the trustworthiness of various types of evidence in a strong adversarial scenario. We show that, without incurring high performance overheads, we can preserve and provide required evidence for digital forensics investigations involving clouds, while protecting the privacy and integrity of the evidence. We propose an Open Cloud Forensics model (OCF) and adapt this model to design forensics-enabled architectures for Infrastructure-as-a-Service (IaaS) and Storage-as-a- Service (STaaS) clouds. For IaaS clouds, we first focus on the trustworthiness of activity logs of cloud users. We design a logging scheme to securely retrieve, store, and expose these activity logs to forensics investigators. To ensure the trustworthiness of the time associated with the logs, we propose a tamper-evident scheme to prove the correctness of the system time of cloud hosts and VMs. To parse and store heterogeneous formats of logs securely in a convenient way, we develop the Forensics Aware Language (FAL) – a domain specific language. Next, we focus on the data possession information for STaaS clouds. In this regard, we first design a proof of past data possession scheme to prove the data possession of a particular user at a given past time. We then develop a secure litigation hold management scheme to provide the assurance of maintaining litigation holds on data stored in the cloud. Next, we investigate secure provenance for clouds and develop an efficient, secure data provenance scheme. We integrate all the proposed schemes with an open source cloud platform – OpenStack, and show the efficiency of the schemes. Finally, we investigate the big data forensics domain and design a cloud-based system to expedite the process of digital forensics investigations involving big data.