Pre processing of evidences from cloud components for effective forensic analysis

Business organizations are migrating from capital expenditure models to the pay per use model of Cloud computing and avoiding infrastructural costs. Cloud systems being prone to attacks, there is a need of cyber forensic mechanisms. Traditional digital forensics models and solutions cannot be applied directly in cloud platform due to its distinct features such as multi tenancy, virtualization, rapid elasticity and the segregation of duties among cloud actors. Several technical challenges under variability of architecture, data collection, analysis and anti-forensics exist in cloud forensics. In this paper, firstly a cloud forensic clustering model is proposed across multiple virtual machine instances. Every virtual machine constitutes a virtual machine disk and its corresponding RAM image. This forensic clustering solution reduces the search space, enables multi drive correlation and forms a social network of virtual machine instances. Secondly addressing variability of cloud architectures, open source cloud platforms OpenNebula and OpenStack are compared with respect to location of evidence artifacts. An acquisition approach with the pre-processing engine to handle different architectures is designed and implemented.