**4. Cloud forensics challenges**

This section elucidates the forensic challenges in private and public clouds. The literature shows that most of these challenges apply to the public cloud, while fewer apply to the private cloud environment, where the organization controls the infrastructure.

### **4.1 Accessibility of logs**

Logs are generated in different layers of the cloud infrastructure [2–7]. System administrators require relevant logs to troubleshoot the system, developers need logs to fix errors, and forensic investigators need relevant logs to investigate a case. With the help of an access control mechanism, the logs can be acquired from all the parties, that is, from the user, the CSP, and the forensic investigator.

### **4.2 Physical inaccessibility**

The data are located on hardware devices in different geographical areas. Gaining physical access to these resources is difficult since the data reside with different CSPs, and it is impossible to collect the evidence by seizing the device on which the data are configured. If an incident occurs in a private cloud environment, all the devices can be acquired immediately since the organization has full control over the resources. The same methods cannot be used to access the data in a public cloud environment.

### **4.3 Volatility of data**

Data stored in a VM instance in a cloud are lost when the VM is turned off. This leads to the loss of important evidence such as syslog, network logs, registry entries, and temporary Internet files. It is therefore important to preserve a snapshot of the VM instance so that logs can be retrieved from terminated VMs. If an attacker launches an attack and then turns off the VM instance, these traces are unavailable for forensic investigation.
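One way to act on the point above before a VM instance is stopped is to copy the volatile sources into an evidence directory and record a hash of each copy, so that the acquisition can later be shown to be unaltered. The script below is an added example, not code from the chapter; the file paths and commands listed in `SOURCES` are assumptions about a Debian-style Linux guest and should be adjusted to the image under investigation.

```python
"""Preserve volatile artefacts of a running Linux VM before it is stopped.

Added example, not code from the chapter: Section 4.3 observes that syslog
entries, network state and temporary files vanish once a VM instance is
turned off. This script copies such sources into an evidence directory and
writes a SHA-256 manifest so the acquisition can later be shown to be
unaltered. The paths and commands in SOURCES are assumptions about a
Debian-style guest; adjust them for the image under investigation.
"""
import hashlib
import json
import subprocess
import time
from pathlib import Path
from typing import Optional

# name -> (kind, target). "file" copies a path, "cmd" captures a command's
# stdout. All entries are assumptions for a typical Linux guest.
SOURCES = {
    "syslog": ("file", "/var/log/syslog"),
    "auth.log": ("file", "/var/log/auth.log"),
    "proc_net_tcp": ("file", "/proc/net/tcp"),   # live TCP socket table
    "processes": ("cmd", ["ps", "aux"]),
    "tmp_listing": ("cmd", ["ls", "-la", "/tmp"]),
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _capture(kind: str, target) -> Optional[bytes]:
    """Read a file or run a command; None if the source is unavailable."""
    try:
        if kind == "file":
            return Path(target).read_bytes()
        return subprocess.run(target, capture_output=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return None  # missing file or tool: record the gap, do not abort


def preserve_volatile(evidence_dir, sources=SOURCES) -> dict:
    """Capture every source into evidence_dir and return the manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": {},
    }
    for name, (kind, target) in sources.items():
        data = _capture(kind, target)
        if data is None:
            manifest["items"][name] = {"status": "unavailable", "source": str(target)}
            continue
        (evidence_dir / name).write_bytes(data)
        manifest["items"][name] = {
            "status": "ok", "source": str(target),
            "bytes": len(data), "sha256": _sha256(data),
        }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir) -> bool:
    """Re-hash every captured item; True only if nothing has changed."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(
        _sha256((evidence_dir / name).read_bytes()) == item["sha256"]
        for name, item in manifest["items"].items()
        if item["status"] == "ok"
    )


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else "./evidence"
    for name, item in preserve_volatile(out)["items"].items():
        print(f"{name:14} {item['status']:12} {item.get('sha256', '')}")
```

A source that is missing on the guest is recorded as `unavailable` rather than aborting the run, so the manifest also documents what could not be collected; `verify_manifest` re-hashes the copies, which is the check a reviewer would run before relying on them.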

### **4.4 Identification of evidence at client side**

Evidence must be identified not only on the provider's side but also on the client side. The user communicates with other clients through the Web browser. An attacker sends malicious programs with the help of a Web browser that communicates with third parties to access the services running in the cloud. This, in turn, leads to the destruction of all the evidence in the cloud. One way of collecting the evidence is from cookies, the user agent, etc., but it is difficult to obtain all of this information since the client-side VM instance is geographically remote.

### **4.5 Dependence of CSP trust**

The consumers blindly depend on CSPs to acquire the logs for investigation. The problem arises when CSPs do not provide valid information to the consumer whose data reside on their premises. CSPs also sign agreements with other CSPs to use their services, which in turn leads to loss of confidential data.

### **4.6 Multitenancy**

In cloud infrastructures, multiple VMs share the same physical infrastructure, that is, the logs are distributed across various VMs. The investigator needs to present the logs in court to prove the malicious activities originating from the different service providers. Moreover, the investigation must also preserve the privacy of the other tenants.

### **4.7 Decentralization**

In cloud infrastructures, the log information is located on different, geographically distributed servers. Multiple users' log information may be collocated or spread across several layers and tiers in the cloud. The application log, network log, operating system log, and database log produce valuable information for a forensic investigation. The decentralized nature of the cloud brings the challenge for cloud synchronization.

### **4.8 Absence of standard format of logs**

Logs are available in heterogeneous formats from the different layers of a cloud at the CSP. The logs provide information such as by whom, when, where, and why an incident occurred. This heterogeneity is an important bottleneck for providing a generic solution for all CSPs and all types of logs. **Table 5** summarizes the literature that deals with the challenges of cloud forensics, mainly for the evidence collection process.

| Authors | Discussion | Forensic process |
|---|---|---|
| Sang et al. | Log accessibility for SaaS & PaaS | Evidence collection |
| Zawood et al. | Focus on the integrity of log files | Evidence collection |
| Dystra et al. | Log collection and accessibility of logs | Evidence collection |
| Thorpe et al. | VM kernel logs for forensic investigation | Log contention |
| Boeck et al. | Confidentiality and log integrity | Evidence collection |
| Zaferulla et al. | Uses Eucalyptus logs for forensic investigation | Evidence analysis |
| Patrascu et al. | Collection of specific logs | Evidence collection |
| Marty et al. | Collection of logs from different cloud components | Log retention |
| Sibiya et al. | Uses data mining techniques to collect logs for forensic investigation | Evidence collection |
| Nakahara et al. | Evidence identification from different types of logs | Evidence collection and log retention |

**Table 5.** *Challenges of cloud forensics.*

*Data Collection Techniques for Forensic Investigation in Cloud*
*DOI: http://dx.doi.org/10.5772/intechopen.82013*
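The decentralization and format problems of Sections 4.7 and 4.8 are what a log-normalization step has to absorb before any cross-layer timeline can be built. The script below is an added example and not code from the chapter or from any of the surveyed works: it parses three constructed sample formats (syslog from the OS layer, an Apache-style access log from the application layer, and a JSON audit event from the provider layer), converts each timestamp to UTC, applies a per-host clock correction, and emits records answering who, when, where and what. The sample lines, the syslog year and timezone, and the clock corrections are all constructed assumptions.

```python
"""Normalise heterogeneous cloud logs into one UTC timeline.

Added example, not code from the chapter. Sections 4.7 and 4.8 describe
logs that sit on different servers, in different formats, on clocks that
are not synchronised. This parses three constructed sample formats (syslog
from the OS layer, an Apache-style access log from the application layer,
a JSON audit event from the provider layer), converts every timestamp to
UTC, applies a per-host clock correction measured during triage, and emits
records that answer who / when / where / what. The sample lines, the
syslog year and timezone, and the clock corrections are all constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, one host per cloud layer. Not real logs.
SAMPLE_LOGS = {
    "cloud-api": [  # provider layer: JSON audit event, already in UTC
        '{"time":"2023-03-03T13:03:05Z","principal":"alice",'
        '"action":"StopInstances","resource":"i-0abc"}',
    ],
    "vm-web01": [   # OS layer: classic syslog, local time, no year, no zone
        "Mar  3 14:02:11 vm-web01 sshd[2301]: Accepted password for alice "
        "from 10.0.0.5 port 51022 ssh2",
    ],
    "lb-edge": [    # application layer: Apache common log format
        '10.0.0.5 - alice [03/Mar/2023:14:02:40 +0100] "GET /admin HTTP/1.1" 200 512',
    ],
}

# Seconds to ADD to each host's clock reading to obtain true time, as
# measured against a reference during triage (constructed values).
CLOCK_CORRECTION = {"vm-web01": -25, "lb-edge": 0, "cloud-api": 0}
SYSLOG_TZ = timezone(timedelta(hours=1))  # assumed zone of the syslog host
SYSLOG_YEAR = 2023                         # syslog omits the year; from case context

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def _record(host, layer, ts, who, what, detail):
    """Shift an aware timestamp to UTC and apply the host's clock correction."""
    when = ts.astimezone(timezone.utc) + timedelta(seconds=CLOCK_CORRECTION.get(host, 0))
    return {"when_utc": when.isoformat(), "where": host, "layer": layer,
            "who": who, "what": what, "detail": detail}


def parse_line(host, line):
    """Return a normalised record, or None if the line matches no known format."""
    if line.startswith("{"):                       # JSON audit event
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        return _record(host, "provider", ts, ev["principal"], ev["action"], ev.get("resource"))
    m = APACHE_RE.match(line)                      # access log: zone is explicit
    if m:
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        who = m.group(2) if m.group(2) != "-" else m.group(1)
        return _record(host, "application", ts, who, f"{m.group(4)} {m.group(5)}", m.group(6))
    m = SYSLOG_RE.match(line)                      # syslog: zone and year assumed
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=SYSLOG_TZ)
        user = re.search(r"\bfor (\S+)", m.group(4))  # heuristic for sshd messages
        who = user.group(1) if user else None
        return _record(host, "os", ts, who, m.group(3), m.group(4))
    return None


def build_timeline(logs=SAMPLE_LOGS):
    """Parse every line of every host and order the records by true UTC time."""
    records = []
    for host, lines in logs.items():
        for line in lines:
            rec = parse_line(host, line)
            if rec is not None:
                records.append(rec)
    return sorted(records, key=lambda r: r["when_utc"])


if __name__ == "__main__":
    for r in build_timeline():
        print(f"{r['when_utc']}  {r['where']:9} {r['layer']:11} {r['who']:6} {r['what']}")
```

Every assumption that the raw line does not carry (the syslog year and zone, the host clock error) is an explicit constant, which keeps the timeline reproducible and makes those choices visible when the records are presented; lines in an unrecognised format are returned as `None` instead of being silently coerced.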
