Isolating a Cloud Instance for a Digital Forensic Investigation
Delport, Olivier, and Köhn
2011
Citation information
W. Delport, M. S. Olivier, and M. D. Köhn. “Isolating a Cloud Instance for a Digital Forensic Investigation”. In: Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference. Ed. by H. S. Venter, M. Coetzee, and M. Loock. (Work in Progress Paper; published electronically). Johannesburg, South Africa, Aug. 2011Abstract
Cloud Computing is gaining acceptance and increasing in popularity. Organizations often rely on Cloud resources to effectively replace their in house computer systems. In a Cloud environment an instance is typically accepted to be a virtual system resource established within that Cloud. Multiple instances can be contained a single node. The Cloud itself consists of multiple nodes. The Cloud structure has no predefined or fixed boundaries.
Digital Forensics (DFs) can be considered the science of finding a root cause of a particular incident. Isolating the incident environment is generally accepted within the Forensic Community to be an integral part of a Forensic process. We consider this isolation is also needed in a Digital Forensic Investigations (DFIs). The isolation prevents any further contamination or tampering of possible evidence.
In order to isolate the incident the Cloud instance is isolated. The node instance is effectively placed in a controlled environment to enable a controlled DF investigation to be conducted. This paper will introduce possible techniques to isolate these Cloud instances to facilitate an investigation. The techniques include, but are not limited to Instance Relocation, Server Farming, Address Relocation, Failover, Sandboxing, Man in the Middle (MITM) and Let’s Hope for the Best (LHFTB). A discussion of each of these techniques will be given. This discussion will include a description of each techniques, the advantages and disadvantages of using the techniques and the visibility of the techniques.
Full text
A pre- or postprint of the publication is available at https://mo.co.za/open/cloudiso2.pdf.BibTeX reference
@inproceedings(cloudiso2,author={Waldo Delport and Martin S Olivier and Michael D K∖"{o}hn},
title={Isolating a Cloud Instance for a Digital Forensic Investigation},
editor={Hein S Venter and Marijke Coetzee and Mariaan Loock},
booktitle={Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference},
month=aug,
year={2011},
address={Johannesburg, South Africa},
note={(Work in Progress Paper; published electronically)} )