*Digital Forensic Science*

is an application of scientific principles, practices, and methods to reorganize the events through identification, collection, preservation, examination, and reporting of digital evidence [5]. Evidence can reside anywhere in the cloud and it is more complex to identify the traces located in the cloud server.

The advancement of new technologies, frameworks, and tools enables the investigator to identify the evidence from trusted third parties, that is, the cloud service provider (CSP). There are numerous techniques in cloud forensics that arise on the basis of cloud service models and deployment models. In the Software as a Service (SaaS) and Platform as a Service (PaaS) models, the customer does not have any control of the hardware and needs to depend on the CSP for collecting the evidence, whereas in the Infrastructure as a Service (IaaS) model, customers can acquire the virtual machine (VM) image and logs.

The forensic examiner isolates the attacked system in the virtualized environment by segregating and protecting the information from a hard disk, RAM images, log files, etc. This evidence is analyzed based on the artifacts of the attack traces left by the attacker [6, 7]. The forensic investigator relies on finding a series of information such as where, why, when, by whom, what, and how the attack happened. This chapter details the challenges in cloud forensics and also details the data collection techniques in the cloud.

**2. Types of forensics**

The forensic process is initiated after the crime occurs, as a post-incident activity. It follows a set of predefined steps to identify the source of evidence. It is categorized into five groups, namely digital forensics, network forensics, Web forensics, cloud forensics, and mobile forensics.

• **Digital forensics**: According to National Institute of Standards and Technology (NIST) standards, it is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

• **Network forensics**: It identifies and analyzes the evidence from the network. It retrieves information on which network ports are used to access the information.

• **Web forensics**: It identifies the evidence from the user history, temporary log files, registry, chat logs, session log, cookies, etc., as digital crimes occur on the client side with the help of a Web browser.

• **Cloud forensics**: It is the application of digital forensics in the cloud and it is a subset of network forensics. It is harder to identify evidence in cloud infrastructure since the data are located in different geographical areas. Some examples of evidence sources are system log, application log, user authentication log, database log, etc.

• **Mobile forensics**: It is the branch of digital forensics that identifies evidence from mobile devices. The evidence is collected from the mobile device as call history, SMS, or from the memory.

**2.1 Cloud forensic process flow**

The cloud forensic process flow is shown in **Figure 1**, which is described as follows:

**Figure 1.** *Cloud forensic process flow.*

