A common cloud forensic model proposed by researchers is ‘Cloud-Forensic-as-a-Service’, where consumers have to access it as a service to collect forensic data from cloud environments. The ‘Cloud-Forensic-as-a-Service’ model raises the question of how it collects digital evidence pertaining to an incident which occurred in the cloud. Currently, the ‘Cloud-Forensic-as-a-Service’ systems described in the literature are controlled and implemented by the cloud provider, who unilaterally defines the type of evidence that can be collected by the system. A serious limitation of this approach is that it does not offer the consumer sufficient means of performing reasonableness checks to verify that the provider is not accidentally or maliciously contaminating the evidence. To address the problem, the paper proposes a conceptual bilateral Cloud-Forensic-as-a-Service model where both consumers and providers can independently collect evidence, verify the equity of the forensic analysis process and try to resolve potential disputes emerging from the independently collected results.
The authors have developed a cloud forensic process model to guide the common and significant aspects of a bilateral Cloud-Forensics-as-a-Service model. The paper explicitly discusses the concept of a bilateral Cloud-Forensic-as-a-Service model.
The focus of this research is on cloud forensic services provided remotely to Cloud Service Consumers (CSCs) over the internet.
According to the National Institute of Standards and Technology (NIST), cloud services can be offered as an Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) model. Leaving aside specific technical details, the authors consider there to be Cloud Service Providers (CSPs) that sell the three basic IaaS services, including storage, compute power and network, to remote CSCs. The authors are interested in providing a Cloud-Forensics-as-a-Service (CFaaS) model that is integrated into cloud architectures for the purpose of forensic investigations involving cloud environments. Consequently, an implemented CFaaS interface is made available to the CSCs, via the Service Level Agreements (SLAs) signed with their CSPs, to assist them in their investigation of their adopted cloud services. Central to this CFaaS model is the issue of accountability for the digital evidence: who performs the investigation and decides what kind of digital evidence is required for a specific cloud forensics case (the provider, the consumer, a trusted third party, or some combination of them)? In traditional digital forensics investigations (non-cloud), investigators had the ability to seize any suspected device. However, in contrast to traditional digital investigations, the infrastructure responsible for the CFaaS model is deployed at the premises of the CSPs. In other words, the CSPs have a higher degree of control over most of the critical evidence needed for investigations involving cloud environments. In this light, CSCs and Law Enforcement Agents (LEAs) are heavily dependent on the CSPs to obtain the evidence required for a cloud forensics case, as they have limited control over the cloud systems and the data residing in them. This dependency further leads to serious issues surrounding trust in the CSPs, like originality of the evidence and timely response to litigation holds.
The distinguishing feature of CSP-side evidence collection is that it seems to be unilateral. CSP-side forensic evidence collection can be acceptable when the CSC has good reasons to trust the CSP not to accidentally or maliciously contaminate the critical forensic evidence. However, the authors contend that there may be cases where this assumption does not hold, or where there is a dispute between the CSCs and CSPs, and where other models are needed.