A forensics framework for service clouds

Posted on: 2016-07-23
Degree: Ph.D
Type: Dissertation
University: The University of Tulsa
Candidate: Alqahtani, Sarra Mahdi
Full Text: PDF
GTID: 1478390017486436
Subject: Computer Science
Abstract/Summary:
The advent of Cloud Computing introduces new challenges in forensics investigation. Due to the multi-tenant nature of the cloud, traditional forensics investigation solutions are approaching their limits. The term digital forensics describes the discovery, examination, and analysis of digital evidence typically stored on or generated by a digital device. A forensics investigation should be able to analyze the digital information and reconstruct a timeline of events that describes, as accurately as possible, what happened, when it happened, and who did it. Composing Service-Oriented Architectures (SOAs) of web services from different vendors in a cloud creates what is called the service cloud model. The segregation of forensics data in an infrastructure shared by multiple tenants, as in the service cloud model, has been identified as the top legal concern among digital forensics experts. Given the service interactions among different tenants of service clouds, the lack of security forensics translates to serious privacy and confidentiality risks that, if exploited, could result in information disclosure, financial loss, and loss of reputation. To mitigate these issues while ensuring that service clouds meet users' needs, forensics investigation systems must be able to a) consolidate a list of proactive forensics artifacts across the cloud tenants, b) quickly capture malicious events and identify their timeframes, attack categories, targets, and responsible parties, as close to real-time analysis as possible, and c) respect the awareness rights of tenants regarding the security of their data by alerting them about their data-related incidents in the form of forensics investigative reports. The process of forensics investigation in service clouds has specific challenges. First, traditional auditing systems rely on eavesdropping tools, which makes them vulnerable to confusion. In addition, they log all messages exchanged between the cloud provider and the requestor, which increases the volume of log files and overwhelms the investigation process. Moreover, detection techniques in clouds have proven unable to deduce attacks inside the SOAP message, which is a fundamental data exchange mechanism in service clouds. To resolve these issues, this work defines a service cloud forensics framework that distributes targeted audit assets to investigate a range of security threats and vulnerabilities at different points within the cloud. The proposed audit techniques locally log security events to identify attacks and threat evidence corresponding to the major security vulnerabilities of data breach, availability, and data transmission. The first part of the research defines, derives, and refines the distributed architecture of the auditing process, which is built on multiple scoped databases called security monitoring databases (SMDBs). The second part focuses on designing a distributed detection system to capture threat evidence from individual and composed audit logs across the cloud. Finally, the framework is designed to deliver forensics investigative reports regarding the detected attacks to the involved entities to facilitate incident handling.
Keywords/Search Tags: Forensics, Cloud, Service, Framework