**2. Types of forensics**

The forensic process is initiated after the crime occurs as a post-incident activity. It follows a set of predefined steps to identify the source of evidence. It is categorized into five groups, namely digital forensics, network forensics, Web forensics, cloud forensics, and mobile forensics.


*Data Collection Techniques for Forensic Investigation in Cloud*

• **Identification**: The investigator identifies whether a crime has occurred or not.

• **Evidence collection**: The investigator identifies the evidence from the three different sources of the cloud service model (SaaS, IaaS, and PaaS) [8]. In the SaaS model, the VM information of each user is monitored by accessing log files such as the application log, access log, error log, authentication log, transaction log, data volume, etc. In IaaS, the system-level logs, hypervisor logs, raw virtual machine files, unencrypted RAM snapshots, firewalls, network packets, storage logs, backups, etc. are monitored. In the PaaS model, the evidence is identified from application-specific logs and accessed through the API, patches, operating system exceptions, malware software warnings, etc.

• **Examination and analysis:** The analyst inspects the collected evidence and merges, correlates, and assimilates the data to produce a reasoned conclusion. The analyst examines the evidence from physical as well as logical files where they reside.

• **Preservation:** The information is protected from tampering. A chain of custody is maintained to preserve the log files, since the information is located in a different geographical area.

• **Presentation and reporting:** The investigator makes an organized report to state his findings about the case.

**Figure 1.**

*Cloud forensic process flow.*

**3. Evidence collection**

Evidence collection plays a vital role in identifying and accessing data from the various sources in the cloud environment for forensic investigation. The evidence is no longer stored on a single physical host; the data are distributed across different geographical areas. So, if a crime occurs, it is very difficult to identify the evidence. The evidence is collected from various sources such as routers, switches, servers, hosts, VMs, and browser artifacts, and through internal storage media such as hard disks, RAM images, physical memory, etc., which are under forensic investigation. Evidence is also collected through the analysis of log files, cloud storage data collection, Web browser artifacts, and physical memory analysis.

**3.1 Cloud log analysis**

Logging is considered a security control which helps to identify operational issues, incident violations, and fraudulent activities [9, 10]. Logging is mainly used to monitor the system and to investigate various kinds of malicious attacks. Cloud log analysis helps to identify the source of evidence generated from various

*DOI: http://dx.doi.org/10.5772/intechopen.82013*
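As an added illustration of the preservation and examination steps described above (this is not code from the chapter), the following Python script records a SHA-256 digest of each collected cloud log for the chain of custody and then correlates constructed SaaS and IaaS log lines into a per-user timeline; the file names, the key=value line format and the sample entries are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample logs from three cloud sources (not real data); the
# key=value line format and the timestamps are assumptions for illustration.
SOURCES = {
    "saas_auth.log": "2023-05-01T10:00:02Z user=alice action=login result=ok src=203.0.113.5\n"
                     "2023-05-01T10:00:40Z user=bob action=login result=fail src=198.51.100.7\n",
    "saas_access.log": "2023-05-01T10:01:10Z user=alice action=download object=payroll.xlsx\n",
    "iaas_hypervisor.log": "2023-05-01T10:02:00Z user=alice action=snapshot vm=vm-42\n",
}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def preserve(sources):
    """Preservation step: digest every collected log before examination,
    so the chain of custody can later show the evidence is unchanged."""
    return {name: hashlib.sha256(data.encode()).hexdigest() for name, data in sources.items()}


def verify(sources, custody):
    """Re-hash the evidence and return the sources whose digest no longer matches."""
    return [name for name, digest in preserve(sources).items() if custody.get(name) != digest]


def parse(name, data):
    """Turn one log source into event dicts carrying a UTC timestamp and its origin."""
    for line in data.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not follow the key=value format
        event = dict(kv.split("=", 1) for kv in match["kv"].split())
        event["ts"] = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event["source"] = name
        yield event


def timeline(sources, user):
    """Examination step: merge one user's events from all sources, ordered by time."""
    events = [e for name, data in sources.items() for e in parse(name, data) if e.get("user") == user]
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    custody = preserve(SOURCES)  # digests recorded at collection time
    for event in timeline(SOURCES, "alice"):
        print(event["ts"].isoformat(), event["source"], event["action"])
    print("tampered sources:", verify(SOURCES, custody))  # [] while the evidence is intact
```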
