• *Sample Syslog Entries*

```text
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kkent to root on /dev/ttyp2
```
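The sample entries above are exactly the kind of extract an analyst has to turn into events and correlate. The following is an added example, not code from the chapter: it parses those six lines (with the typesetting artifacts in the port numbers and the trailing periods removed), labels each one, counts accepted logins per source address, and flags a successful `su` to root that follows a `BAD SU` by the same user within a short window. The event labels and the 60-second correlation window are this example's own assumptions.

```python
"""Classify the chapter's sample sshd/su syslog entries and correlate them.

Added example; not the chapter's code. The log lines are the chapter's
"Sample Syslog Entries" with typesetting artifacts removed. The event labels
and the "su success shortly after a failed su" rule are assumptions made here.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_SYSLOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kkent to root on /dev/ttyp2
"""

# BSD syslog header: "Mon D HH:MM:SS host program[pid]: message" (pid is optional)
HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
REVERSE_DNS = re.compile(r"reverse mapping checking getaddrinfo for (?P<peer>\S+) failed")
BAD_SU = re.compile(r"^BAD SU (?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")
GOOD_SU = re.compile(r"^(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")


def parse_line(line):
    """Return a dict of header fields plus an 'event' label, or None if unparsable."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # BSD syslog carries no year; strptime fills in 1900, which is fine for deltas.
    rec["ts"] = datetime.strptime(f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S")
    msg, rec["event"] = rec["msg"], "other"
    if rec["prog"] == "sshd":
        if (a := ACCEPTED.search(msg)):
            rec["event"] = "login"
            rec.update(a.groupdict())
        elif (r := REVERSE_DNS.search(msg)):
            rec["event"] = "reverse_dns_failure"
            rec["peer"] = r.group("peer")
    elif rec["prog"] == "su":
        if (b := BAD_SU.match(msg)):
            rec["event"] = "su_failure"
            rec.update(b.groupdict())
        elif (g := GOOD_SU.match(msg)):
            rec["event"] = "su_success"
            rec.update(g.groupdict())
    return rec


def analyze(text):
    """Parse every non-empty line of a syslog extract, preserving file order."""
    return [rec for rec in (parse_line(l) for l in text.splitlines() if l.strip()) if rec]


def summarize(events, window_s=60):
    """Aggregate logins per source IP and flag su successes that follow a failed su."""
    logins = Counter(e["ip"] for e in events if e["event"] == "login")
    escalations = []
    for i, e in enumerate(events):
        if e["event"] != "su_success":
            continue
        for prior in events[:i]:
            if (prior["event"] == "su_failure" and prior["user"] == e["user"]
                    and prior["target"] == e["target"]):
                delta = int((e["ts"] - prior["ts"]).total_seconds())
                if 0 <= delta <= window_s:
                    escalations.append((e["user"], e["target"], delta))
    return {
        "logins_by_ip": dict(logins),
        "reverse_dns_failures": [e["peer"] for e in events if e["event"] == "reverse_dns_failure"],
        "su_success_after_failure": escalations,
    }


if __name__ == "__main__":
    evs = analyze(SAMPLE_SYSLOG)
    for e in evs:
        print(e["ts"].strftime("%b %d %H:%M:%S"), e["host"], e["event"])
    print(summarize(evs))
```

Run as-is it prints one labelled line per entry and the summary; on the chapter's sample the summary shows two key-based logins from 172.30.128.115, one password login for murugiah, one reverse-DNS failure for ip10.165.nist.gov, and kkent reaching root eight seconds after a failed attempt. The header regex is deliberately tolerant of single or double spaces after the month, which is how these entries appear once typeset.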


*Data Collection Techniques for Forensic Investigation in Cloud*
*DOI: http://dx.doi.org/10.5772/intechopen.82013*

**Table 1.** *Different types of logs, attacks, and the log analysis tool.*

**Table 2.** *Description of the access log format.*

**Figure 2.** *Sample access log trace as evidence.*

**3.2 Evidence collection from cloud storage**

This is the process of collecting evidence from cloud storage such as Dropbox, Microsoft SkyDrive, Google Drive, etc., using the Web browser and also by downloading files using existing software tools [11–13]. It helps to identify illegal modification or access of cloud storage during the uploading or downloading of file contents to storage media, and also to check whether the attacker altered the timestamp information in users' accounts. The Virtual Forensic Computing (VFC) tool is used by forensic investigators to identify evidence from a VM image file. The evidence is accessed for each account using the Web browser running in the cloud environment by recording the encoded value of the VM image. The packets of each VM instance running on the hosts are captured using network packet tools, namely Wireshark, snappy, etc. The account information is synchronized and downloaded using the client access software of each device, which is used to identify the source of evidence. The evidence is isolated from the files found in the VM under "C:\Users\[username]\Dropbox\" for Dropbox, as shown in **Figure 3**. The zip file contains the name of the folder that can be accessed via the browser to determine the effect of a timestamp in a drive. If an attacker modifies the contents of a file, the evidence is found by analyzing the VM hard drive, the history of files stored in the cloud, and also a cache. It can also be analyzed by computing the hash value of the VM image. The evidence of Google Drive cloud storage is depicted in **Figure 4**.

**Figure 3.** *Dropbox evidence.*

**3.3 Evidence collection via a Web browser**

The clients communicate with the server in the cloud environment with the help of a Web browser to do various tasks, namely checking email and news, online shopping, information retrieval, etc. [14–18]. Web browser history is a critical source of evidence. The evidence is found by analyzing the URLs in the Web browser history, timeline analysis, user browsing behavior, and URL encoding, and it is also recovered from deleted information. Here is an example of Web browser URLs:

https://www.nitt.edu/en#files:/Documents/<Folder name>,

https://www.nitt.edu/en#files:/E:<Folder ID>.

Similarly, the evidence stored in the Web browser cache at the root directory of a Web application is used to identify the source of an attack. **Table 3** indicates the evidence collection process and recovery method for various Web browsers.
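Section 3.2 above describes checking whether an attacker altered file contents or timestamp information in a synced cloud-storage folder, and computing hash values of the evidence. The following added example (not the chapter's code) shows one concrete way to do that check: take a baseline manifest of SHA-256 digest and modification time for every file under a constructed Dropbox-style folder (the path mirrors the chapter's `C:\Users\[username]\Dropbox\`), apply constructed changes, re-scan, and classify each path. The verdict labels (`timestomped`, `backdated`, `modified`, `added`, `deleted`) and the baseline timestamp value are this example's own definitions; `sha256_file` is the same streaming routine one would run over a whole VM image.

```python
"""Spot content tampering and timestamp manipulation in a synced cloud-storage folder.

Added example; not the chapter's code. It builds a constructed Dropbox-style
sync folder in a temporary directory, records a baseline manifest (SHA-256
digest plus mtime per file), applies constructed changes, and re-scans.
The verdict labels are this example's own definitions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

T0 = 1_700_000_000.0  # constructed baseline mtime (seconds since the Unix epoch)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256; the same call works for a multi-GB VM image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative POSIX path -> (sha256, mtime) for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_mtime)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current, tolerance=1e-3):
    """Classify each path by how its digest and mtime moved between two manifests."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings[rel] = "deleted"
        elif rel not in baseline:
            findings[rel] = "added"
        else:
            h0, t0 = baseline[rel]
            h1, t1 = current[rel]
            if h0 != h1 and abs(t1 - t0) <= tolerance:
                findings[rel] = "timestomped"   # content changed, mtime put back
            elif h0 != h1:
                findings[rel] = "modified"
            elif t1 < t0 - 1:
                findings[rel] = "backdated"     # same content, mtime moved into the past
    return findings


def demo():
    """Construct a sync folder, apply several kinds of tampering, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Users" / "alice" / "Dropbox"   # constructed path
        (root / "Documents").mkdir(parents=True)
        files = {
            "Documents/contract.txt": "pay 1000 EUR\n",
            "notes.txt": "meeting at 10\n",
            "old.txt": "stale\n",
            "gone.txt": "to be deleted\n",
        }
        for rel, text in files.items():
            p = root / rel
            p.write_text(text)
            os.utime(p, (T0, T0))        # deterministic baseline timestamps
        baseline = manifest(root)

        contract = root / "Documents" / "contract.txt"
        contract.write_text("pay 9000 EUR\n")
        os.utime(contract, (T0, T0))    # attacker restores the original mtime
        (root / "notes.txt").write_text("meeting at 11\n")   # ordinary edit, mtime = now
        os.utime(root / "old.txt", (T0, T0 - 365 * 86400))   # backdated by a year
        (root / "gone.txt").unlink()
        (root / "dropper.bin").write_bytes(b"constructed placeholder content")
        return compare(baseline, manifest(root))


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12s} {path}")
```

The point of keeping both the digest and the mtime in the manifest is that neither alone distinguishes the cases: an unchanged mtime with a new digest is the signature of a restored timestamp, while an unchanged digest with an older mtime is a pure backdate. In a real case the baseline would come from the earlier VM image or the provider's file history rather than from a fresh scan.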
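Section 3.3 above lists URL analysis, timeline analysis, browsing behavior and URL encoding as the ways browser history yields evidence. The following added example (not the chapter's code) works those steps on a constructed history database: it creates an in-memory SQLite database with the two Firefox `places.sqlite` tables that hold history (`moz_places` and `moz_historyvisits`, whose `visit_date` is microseconds since the Unix epoch), fills them with constructed rows whose nitt.edu URLs follow the `#files:/...` pattern shown above, decodes the percent-encoding, extracts the cloud-storage folder from each fragment, and selects the visits inside a time window such as the one opened by the `Accepted password for murugiah` entry at 07:16:42 in the sample syslog. The row values, the other hosts (reserved example domains) and the field names in the timeline entries are assumptions of this example.

```python
"""Timeline and URL analysis over a constructed browser-history database.

Added example; not the chapter's code. The schema is the history subset of
Firefox's places.sqlite; every row is constructed.
"""
import sqlite3
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL,
                                visit_date INTEGER NOT NULL, visit_type INTEGER);
"""


def prtime(iso_utc):
    """ISO-8601 UTC timestamp -> Firefox PRTime (microseconds since the epoch)."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


# (place_id, url, title, visit time in UTC); constructed rows
CONSTRUCTED_VISITS = [
    (1, "https://mail.example.com/inbox", "Inbox", "2019-03-01T07:16:55"),
    (2, "https://www.nitt.edu/en#files:/Documents/Project%20Plans", "Files", "2019-03-01T07:17:10"),
    (3, "https://www.nitt.edu/en#files:/E:3F2A%2Fconfidential", "Files", "2019-03-01T07:18:02"),
    (2, "https://www.nitt.edu/en#files:/Documents/Project%20Plans", "Files", "2019-03-01T07:25:40"),
    (4, "https://news.example.org/", "News", "2019-03-01T08:02:11"),
]


def load(rows):
    """Create the in-memory database and insert the constructed visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for pid, url, title, iso in rows:
        conn.execute("INSERT OR IGNORE INTO moz_places (id, url, title) VALUES (?, ?, ?)",
                     (pid, url, title))
        conn.execute("INSERT INTO moz_historyvisits (place_id, visit_date, visit_type) "
                     "VALUES (?, ?, 1)", (pid, prtime(iso)))
    conn.commit()
    return conn


def timeline(conn):
    """Visits in chronological order, percent-decoded, with the cloud-storage
    folder pulled out of '#files:/...' fragments."""
    q = """SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v
           JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date, v.id"""
    out = []
    for visit_us, url, title in conn.execute(q):
        parts = urlsplit(url)
        fragment = unquote(parts.fragment)
        out.append({
            "when": datetime.fromtimestamp(visit_us / 1_000_000, tz=timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S"),
            "host": parts.netloc,
            "url": unquote(url),
            "title": title,
            "folder": fragment[len("files:/"):] if fragment.startswith("files:/") else None,
        })
    return out


def hosts_by_visits(conn):
    """Browsing-behavior summary: how many visits each host received."""
    return dict(Counter(e["host"] for e in timeline(conn)))


def visits_between(conn, start, end):
    """Visits inside a window, e.g. between a login and a logout seen in syslog."""
    return [e for e in timeline(conn) if start <= e["when"] <= end]


if __name__ == "__main__":
    db = load(CONSTRUCTED_VISITS)
    for e in timeline(db):
        print(e["when"], e["host"], e["folder"] or e["url"])
    print(hosts_by_visits(db))
```

Decoding happens after splitting the URL, so a `%2F` inside the folder identifier is recovered as a literal slash rather than being mistaken for a path separator; that is the difference between reading `E:3F2A/confidential` and reading a different path altogether.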
