Managing Forensic Recovery in the Cloud
George R. S. Weir, Andreas Aßmuth, Nicholas Jäger
TL;DR
The paper addresses the challenge of maintaining forensic integrity in cloud environments by introducing digital forensic readiness and a multi-level interpretation framework. It proposes enhanced monitoring across all cloud layers, coupled with secure, tamper-resistant logging that uses chained MACs and Shamir-inspired secret sharing to preserve evidence even under partial system compromise. Key contributions include a cross-layer data-capture strategy, off-system log storage, and a call for proactive, multi-level forensic analytics to link events across software layers. The work aims to mitigate legal and regulatory risks as organizations migrate to cloud platforms and to enable reliable post-incident investigations with practical, deployable techniques for cloud environments.
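To make the logging idea in the summary concrete, the following is an added illustration, not the paper's own scheme or code: each log entry carries an HMAC-SHA256 tag computed over the entry and the previous tag (a chained MAC), so that modifying, deleting or reordering an entry breaks every tag that follows; truncation is only detectable if the most recent tag is kept off-system, which is why the final tag is passed in separately. The MAC key is then split with textbook Shamir secret sharing over a prime field so that it can be reconstructed only when a threshold of share holders co-operate. The sample log lines, the 15-byte key, the field prime and the threshold parameters are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample events spanning several cloud layers (not from the paper).
SAMPLE_EVENTS = [
    b"2024-01-01T10:00:00Z hypervisor vm-start tenant=acme vm=web01",
    b"2024-01-01T10:00:05Z guest-os sshd accepted publickey user=deploy",
    b"2024-01-01T10:01:12Z app payment-service updated record=order-4411",
]
ZERO_TAG = b"\x00" * 32        # chaining value used before the first entry
PRIME = 2**127 - 1             # assumed field for Shamir sharing (a Mersenne prime)


def append_entry(chain, key, event):
    """Append one event; its tag covers the event AND the previous tag."""
    prev_tag = chain[-1][1] if chain else ZERO_TAG
    tag = hmac.new(key, prev_tag + event, hashlib.sha256).digest()
    chain.append((event, tag))
    return tag


def build_chain(key, events):
    """Build a chained-MAC log from a sequence of raw events."""
    chain = []
    for event in events:
        append_entry(chain, key, event)
    return chain


def verify_chain(chain, key, expected_final_tag=None):
    """Return the index of the first entry whose tag does not verify, or -1.

    If expected_final_tag (the last tag, stored off-system) is supplied, a
    truncated log is reported as failing at index len(chain).
    """
    prev_tag = ZERO_TAG
    for i, (event, tag) in enumerate(chain):
        expected = hmac.new(key, prev_tag + event, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev_tag = tag
    if expected_final_tag is not None and not hmac.compare_digest(prev_tag, expected_final_tag):
        return len(chain)
    return -1


def split_secret(secret_int, k, n):
    """Shamir split: n shares of secret_int, any k of which reconstruct it."""
    assert 0 <= secret_int < PRIME and 1 <= k <= n
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    key = secrets.token_bytes(15)                      # 120-bit key, fits below PRIME
    chain = build_chain(key, SAMPLE_EVENTS)
    final_tag = chain[-1][1]                           # this value would be stored off-system
    print("intact log verifies:", verify_chain(chain, key, final_tag) == -1)

    tampered = list(chain)
    tampered[1] = (b"2024-01-01T10:00:05Z guest-os sshd accepted password user=root", chain[1][1])
    print("edited entry detected at index:", verify_chain(tampered, key, final_tag))
    print("truncation detected at index:", verify_chain(chain[:2], key, final_tag))

    shares = split_secret(int.from_bytes(key, "big"), k=3, n=5)
    recovered = recover_secret(shares[1:4]).to_bytes(15, "big")
    print("key recovered from 3 of 5 shares:", recovered == key)
```

Two properties worth noting: without the off-system final tag, `verify_chain` cannot distinguish a truncated log from a short one, which is the reason the summary pairs chaining with off-system storage; and whoever holds the MAC key can forge the whole chain, which is what the threshold sharing is meant to limit.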
Abstract
As organisations move away from locally hosted computer services toward Cloud platforms, there is a corresponding need to ensure the forensic integrity of such instances. The primary reasons for concern are (i) the locus of responsibility, and (ii) the associated risk of legal sanction and financial penalty. Building upon previously proposed techniques for intrusion monitoring, we highlight the multi-level interpretation problem, propose enhanced monitoring of Cloud-based systems at diverse operational and data-storage levels as a basis for reviewing historical change across the hosted system, and afford scope to identify any data impact from hostile action or 'friendly fire'.
