ISO/IEC 27037 addresses how digital evidence is to be handled, but all of its processes were written for the traditional digital environment. With the development of cloud computing the scenario has changed a lot: cloud computing brings new challenges for investigators, including the virtualization of servers across multiple locations and dependence on the cloud service provider (CSP) for access to logs.
The document "Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing", published by the Incident Management and Forensics Working Group of the Cloud Security Alliance (an organization dedicated to the development and improvement of cloud computing), tries to address how evidence should be handled in a cloud environment and how ISO/IEC 27037 can be applied effectively there. Using this document, I have tried to explain how to mitigate the impact that cloud computing has on computer forensics, and with reference to it I describe the identification, collection, acquisition and preservation of evidence from the cloud environment.
ISO/IEC 27037 defines four stages for evidence collection and analysis: identification, collection, acquisition and preservation. Here we address each of these stages in the cloud computing environment.
Identifying the objects that can serve as potential evidence is the initial stage of an investigation. In a standard environment it is easy to identify a device or object that can be used as evidence, but in the cloud this is not so easy. With reference to the CSA document, a solution to this problem is suggested below.
The documents or devices that can be identified as potential evidence vary according to the service layer, since cloud providers offer three types of service: SaaS, PaaS and IaaS. For each service layer, the evidence and the sources that can be used as evidence are different.
In the Software as a Service (SaaS) layer the following can be identified as evidence:
• Application logs
• Session logs
• IP addresses
• Activity logs
All of the above can be used as potential evidence in an investigation. Application logs store information about what activity an application performed, who used it, and so on. Session logs store session-related information, such as when a session was created and when it was terminated. The IP address of a user can be used as evidence because it tells us who the user was and from...
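As an added example (not part of the original page or of the CSA document), the Python script below takes constructed SaaS session, activity and application log lines of the kinds listed above, correlates them by session id into a per-user timeline that carries the source IP, flags activity whose session never appears in the session log (a gap the investigator must account for, often because the CSP supplied only part of the logs), and records SHA-256 hashes of the raw logs as a preservation manifest so later analysis can be shown to have used unaltered evidence. The log formats, field names and hosts are assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import datetime

# Constructed sample SaaS log lines for this example; the format (ISO timestamp
# followed by key=value pairs) is an assumption, not any real product's output.
SESSION_LOG = """\
2024-03-01T09:00:00Z SESSION_START session=s-101 user=alice src_ip=203.0.113.10
2024-03-01T09:05:00Z SESSION_START session=s-102 user=bob src_ip=198.51.100.7
2024-03-01T09:45:00Z SESSION_END session=s-101 user=alice
"""
ACTIVITY_LOG = """\
2024-03-01T09:01:10Z session=s-101 action=LOGIN result=success
2024-03-01T09:10:30Z session=s-101 action=EXPORT_REPORT object=customers.csv
2024-03-01T09:06:00Z session=s-102 action=LOGIN result=failure
2024-03-01T09:20:00Z session=s-999 action=EXPORT_REPORT object=payroll.csv
"""
APPLICATION_LOG = """\
2024-03-01T09:10:31Z app=crm level=INFO msg="report generated" session=s-101 rows=4821
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text, source):
    """Parse one log source into event dicts (timestamp, source, fields), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        head = rest.split(" ", 1)[0]
        if "=" not in head:          # session log lines start with an event name
            fields["event"] = head
        events.append({"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "fields": fields})
    return sorted(events, key=lambda e: e["ts"])


def build_session_timeline(session_events, activity_events, app_events):
    """Correlate the three sources by session id.

    Returns (sessions, orphans): sessions maps id -> user, source IP, start/end
    and the activity attributed to it; orphans are activity or application
    events whose session id never appears in the session log."""
    sessions = {}
    for ev in session_events:
        f = ev["fields"]
        s = sessions.setdefault(f["session"], {"user": None, "src_ip": None,
                                                "start": None, "end": None, "events": []})
        if f.get("event") == "SESSION_START":
            s.update(user=f["user"], src_ip=f["src_ip"], start=ev["ts"])
        elif f.get("event") == "SESSION_END":
            s["end"] = ev["ts"]
    orphans = []
    for ev in activity_events + app_events:
        sid = ev["fields"].get("session")
        if sid in sessions:
            sessions[sid]["events"].append(ev)
        else:
            orphans.append(ev)
    for s in sessions.values():
        s["events"].sort(key=lambda e: e["ts"])
    return sessions, orphans


def session_duration_minutes(session):
    """Minutes between session start and end, or None when the end was never logged."""
    if session["start"] is None or session["end"] is None:
        return None
    return (session["end"] - session["start"]).total_seconds() / 60


def preserve(sources):
    """Preservation manifest: SHA-256 and size of each raw log exactly as collected,
    plus a digest over the manifest itself for the chain-of-custody record."""
    manifest = {name: {"sha256": hashlib.sha256(text.encode()).hexdigest(),
                       "bytes": len(text.encode())}
                for name, text in sources.items()}
    manifest_json = json.dumps(manifest, sort_keys=True)
    return manifest, hashlib.sha256(manifest_json.encode()).hexdigest()


if __name__ == "__main__":
    raw = {"session": SESSION_LOG, "activity": ACTIVITY_LOG, "application": APPLICATION_LOG}
    manifest, digest = preserve(raw)          # hash first, before any analysis touches the data
    sessions, orphans = build_session_timeline(parse_log(SESSION_LOG, "session"),
                                               parse_log(ACTIVITY_LOG, "activity"),
                                               parse_log(APPLICATION_LOG, "application"))
    for sid, s in sessions.items():
        print(sid, s["user"], s["src_ip"], session_duration_minutes(s), "min",
              [e["fields"].get("action") or e["fields"].get("msg") for e in s["events"]])
    print("orphan events (no matching session record):",
          [e["fields"]["session"] for e in orphans])
    print("manifest digest:", digest)
```

Hashing the raw logs before correlation, and keeping the manifest with the case file, is the preservation step of ISO/IEC 27037 applied to cloud-supplied logs; the orphan list is the investigator's cue to go back to the CSP for the missing session records rather than attributing that activity to a user by guesswork.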