Abstract

With the rise of cloud computing, many systems are migrating to public cloud platforms. Numerous crimes are committed in the cloud, including the establishment of illegal websites and the storage of illegal data. Using virtualization technology, data can be logically stored in the same virtual host while being physically distributed across multiple hard drives, clusters, or even countries. In these circumstances, the traditional forensic method of physical preservation consumes a great deal of resources and clogs the forensic process. In order to develop an effective cloud investigation solution, two challenges must be overcome. First, the difficulty of collecting data consistently when the VMs (Virtual Machines) involved are deployed across multiple CSPs (Cloud Service Providers). Second, the difficulty of keeping track of all the files created during the forensic workflow. We developed CETS (Cloud Evidence Tracing System), which utilizes the CSPs' existing APIs to perform a variety of forensic operations including acquisition, preservation, and emulation, as well as data analysis and file management. To evaluate the system, we created three cloud environments in the laboratory, including a forensic target cloud, a preservation cloud, and an emulation cloud, and conducted a series of forensic experiments. CETS was shown to significantly increase the investigator's efficiency and reduce the resource consumption of the investigation workflow. Currently, CETS has collected data exceeding 2 PB, rerun more than 2000 virtual hosts, including servers and databases, and supported more than 300 investigation cases related to cloud platforms. CETS can serve as an example system for efficient forensic investigation in large-scale cloud environments.
