Abstract
Researchers in the field of cloud forensics need to
move away from insisting on acquiring all data (as has historically
been the case in computer forensics) and yet still be able to prove
the accuracy, sufficiency and soundness of partially acquired
data. Virtualization is considered to be one of the main pillars in
providing cloud services. In some cases, investigators might end
up having to rely on suspect Virtual Machine (VM) snapshots
in the form of memory dumps and user activity logs. In
these cases, the main challenge is to analyse these memory dumps
without altering the evidence. In this paper, we propose a forensic
process model based on the NIST model to examine the VM
snapshots. Moreover, we examined snapshots using existing digital
forensic tools and were able to successfully acquire data without
the need to transform the snapshot files.
Original language | English |
---|---|
Publication status | Published - 2016 |
Keywords
- Cloud Forensics