A Persistent Cloud Forensics Model for Reliable Digital Forensics by Investigative Agencies in Kenya

Abstract

The rapid growth of cloud computing and the ever increasing demand for computing resources is gradually driving the migration from the traditional on-premise ICT infrastructure to the Cloud Computing Space. As the trend continues, adoption of cloud solutions by public sector institutions will continue to gain traction as well. It is therefore paramount that mechanisms are put in place to ensure safety and security of both enterprise Systems and data that significantly falls under the control of cloud service providers and could easily be exposed to the risks of cyber crime and Fraud. Traditional digital forensics techniques are often challenged by the nature and environments presented by cloud architectures where, infrastructure is largely distributed, computing resources are shared among subscribers especially in multi-tenancy arrangements and location of provisioning systems is often unreachable. This study focuses on the Infrastructure as a Service model and identifies the required needs of overcoming the challenges mentioned. Further, the study proposes the persistent cloud forensics framework to aid in the carrying out of digital forensics for public sector institutions where involvement of cloud service providers is avoided in carrying out cloud forensics. This study advances a framework where cloud resources can autonomously transmit evidentiary logs of system and user transactions that are securely stored in a remote repository and are made available to investigative agencies mandated to prosecute crimes perpetrated through the cloud resources. The proposed framework provides a form of autonomous log aggregation that is devoid of any intervention from service providers and cloud users, while providing a solution on investigative issues such as collusion, chain of custody, privacy where cloud infrastructure is shared, conflicting laws where hardware and systems provisioning cloud services are distributed and the admissibility of acquired evidence.