Cloud Investigation Automation Framework (CIAF): An AI-Driven Approach to Cloud Forensics
Dalal Alharthi, Ivan Roberto Kawaminami Garcia
TL;DR
The paper tackles the slowness and error-proneness of manual cloud forensics with CIAF, an ontology-driven framework that standardizes and validates cloud forensic logs before they are analyzed. It pairs ontology-guided validation of log inputs with LLM-based log analysis to automate evidence collection, analysis, and reporting, and is demonstrated on a Microsoft Azure ransomware case study with simulated attacks, where it reports precision, recall, and F1 of 93 percent. The authors present the modular design as generalizing beyond ransomware to other cloud attacks, and position the work as a basis for deterministic prompt engineering and ontology-based validation in AI-driven cloud forensics, with real-time deployment and multi-cloud generalization left as future work.
Abstract
Large Language Models (LLMs) have gained prominence in domains including cloud security and forensics. Yet cloud forensic investigations still rely on manual analysis, making them time-consuming and error-prone. LLMs can mimic human reasoning, offering a pathway to automating cloud log analysis. To close this gap, we introduce the Cloud Investigation Automation Framework (CIAF), an ontology-driven framework that systematically investigates cloud forensic logs while improving efficiency and accuracy. CIAF standardizes user inputs through semantic validation, eliminating ambiguity and ensuring consistency in log interpretation. This not only enhances data quality but also provides investigators with reliable, standardized information for decision-making. To evaluate the framework, we analyzed Microsoft Azure logs containing ransomware-related events. By simulating attacks and assessing CIAF's impact, results showed significant improvement in ransomware detection, achieving precision, recall, and F1 scores of 93 percent. CIAF's modular, adaptable design extends beyond ransomware, making it a robust solution for diverse cyberattacks. By laying the foundation for standardized forensic methodologies and informing future AI-driven automation, this work underscores the role of deterministic prompt engineering and ontology-based validation in enhancing cloud forensic investigations. These advancements improve cloud security while paving the way for efficient, automated forensic workflows.
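As an added illustration of the validate-then-analyze pipeline the abstract describes (ontology-guided standardization of log inputs feeding a deterministic prompt), here is a small Python sketch. It is not CIAF's code and is not taken from the paper: the mini-ontology, the concept labels, the prompt template, the helper names and the sample records are all constructed for this example; only the record field names follow the Azure Activity Log schema, and the operation names are Azure resource-provider action strings.

```python
"""Ontology-guided validation of Azure activity records before LLM analysis.

Illustrative sketch written for this page, not CIAF code. Field names follow
the Azure Activity Log schema; operation names are Azure resource-provider
action strings; the mini-ontology, concept labels and sample records are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed mini-ontology: concept label -> lowercased operationName suffix.
# Matching the lowercased suffix means casing differences between log exports
# cannot yield two concepts for the same operation.
ONTOLOGY = {
    "rbac.role.assign":    "microsoft.authorization/roleassignments/write",
    "storage.blob.write":  "microsoft.storage/storageaccounts/blobservices/containers/blobs/write",
    "storage.blob.delete": "microsoft.storage/storageaccounts/blobservices/containers/blobs/delete",
}
# Fields every record must carry, and the type each must have.
REQUIRED = {"operationName": str, "resourceId": str, "caller": str, "eventTimestamp": str, "status": str}


def validate_record(raw: dict) -> tuple[dict | None, list[str]]:
    """Return (normalized record, errors). Any error rejects the record outright:
    the LLM only ever sees records whose shape and vocabulary are already known."""
    errors = [f"missing {f}" for f in REQUIRED if f not in raw]
    errors += [f"{f} is {type(raw[f]).__name__}, expected {t.__name__}"
               for f, t in REQUIRED.items() if f in raw and not isinstance(raw[f], t)]
    if errors:
        return None, errors
    try:
        ts = datetime.fromisoformat(raw["eventTimestamp"].replace("Z", "+00:00"))
    except ValueError:
        return None, [f"unparseable eventTimestamp {raw['eventTimestamp']!r}"]
    if ts.tzinfo is None:                     # naive timestamps are taken as UTC, explicitly
        ts = ts.replace(tzinfo=timezone.utc)
    op = raw["operationName"].strip().lower()
    concept = next((c for c, suffix in ONTOLOGY.items() if op.endswith(suffix)), None)
    if concept is None:
        return None, [f"operationName {raw['operationName']!r} not in ontology"]
    return {"concept": concept,
            "caller": raw["caller"].strip().lower(),
            "resourceId": raw["resourceId"].strip().lower(),
            "status": raw["status"].strip().lower(),
            "eventTimestamp": ts.astimezone(timezone.utc).isoformat()}, []


def _ordered(records: list[dict]) -> list[dict]:
    """Canonical order, so output never depends on ingestion order."""
    return sorted(records, key=lambda r: (r["eventTimestamp"], r["resourceId"], r["concept"]))


def validate_batch(records: list[dict]) -> tuple[list[dict], list[tuple[dict, list[str]]]]:
    """Split raw records into accepted (normalized, ordered) and rejected (with reasons)."""
    accepted, rejected = [], []
    for raw in records:
        rec, errs = validate_record(raw)
        if rec is None:
            rejected.append((raw, errs))
        else:
            accepted.append(rec)
    return _ordered(accepted), rejected


def concept_counts(accepted: list[dict]) -> dict[str, int]:
    """Per-concept tallies: a cheap check to hold next to the LLM's narrative."""
    counts: dict[str, int] = {}
    for r in accepted:
        counts[r["concept"]] = counts.get(r["concept"], 0) + 1
    return counts


def build_prompt(accepted: list[dict]) -> str:
    """Deterministic prompt: fixed template, canonical record order, sorted JSON keys."""
    lines = [json.dumps(r, sort_keys=True, separators=(",", ":")) for r in _ordered(accepted)]
    return ("Each line below is one validated Azure activity event as a JSON object.\n"
            "Summarize the sequence and state whether it is consistent with ransomware\n"
            "(a privilege change followed by mass overwrite or deletion of blobs).\n"
            + "\n".join(lines))


SA = "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"
BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"


def _rec(op: str, ts: str, **over) -> dict:
    """Builder for the constructed sample; an override of None drops the field."""
    r = {"operationName": op, "resourceId": SA, "caller": "user1@contoso.com",
         "eventTimestamp": ts, "status": "Succeeded"}
    for k, v in over.items():
        if v is None:
            del r[k]
        else:
            r[k] = v
    return r


SAMPLE_RECORDS = [  # constructed records, not data from any real tenant
    _rec(BLOB.upper() + "WRITE", "2024-01-01T10:05:00Z"),   # casing differs, same concept
    _rec("Microsoft.Authorization/roleAssignments/write", "2024-01-01T10:00:00Z"),
    _rec(BLOB + "delete", "2024-01-01T10:06:00Z"),
    _rec(BLOB + "write", "2024-01-01T10:05:30Z"),
    # these four are rejected: missing field, wrong type, bad timestamp, unknown operation
    _rec(BLOB + "write", "2024-01-01T10:05:10Z", caller=None),
    _rec(BLOB + "write", "2024-01-01T10:05:20Z", status=200),
    _rec(BLOB + "write", "yesterday"),
    _rec("Microsoft.Compute/virtualMachines/start/action", "2024-01-01T10:07:00Z"),
]
```

Running `validate_batch(SAMPLE_RECORDS)` accepts four records (the role assignment followed by two blob writes and a delete, in timestamp order) and rejects four with a stated reason each, so the investigator can see exactly what the model was not shown rather than having malformed input silently coerced. Because `build_prompt` emits canonically ordered, key-sorted JSON under a fixed template, two analysts feeding the same export get byte-identical prompts, which is the precondition for comparing LLM outputs across runs.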
