In this survey paper the author explores the technical as well as high level conceptual trust issues that arise in acquiring log forensic evidence from the virtual machine (VM) hosted operating systems within the data clouds. This specific survey work is done at the University of Technology [UTECH], Jamaica, which currently functions as its own independent private data cloud provider. The data acquisition is particular to the hypervisor system logs that can be used to track VM incidences which are later used to compile potential evidence for a cloud investigation. This work also presents a model to show the layers of virtualization trust that can arguably be used to support the collection of such log evidence. The paper provides the context for the support of such cloud digital investigations and analyzes the choices available to a forensic investigator using proof of concept experiments. The experimental work is achieved by making a comparative evaluation of popular forensic acquisition tools including Guidance EnCase and AccessData Forensic Toolkit, as to how volatile and non-volatile hypervisor log data can be collected. Finally the paper explores three solutions for the managed log evidence data acquisition phase within a cloud investigation.
Keywords
Forensic, Log, Cloud, Trust, Hypervisor.
User
Font Size
Information