Procedures for a harmonised digital forensic process in live forensics

Abstract

Cloud computing is a novel computing paradigm that presents new research opportunities in the field of digital forensics. Cloud computing is based on the following principles: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. These principles require that cloud computing be distributed internationally. Even if the cloud is hosted locally, it is based on multi tenancy, which is a challenge when using an advanced "dead" forensic approach. For these reasons, digital forensic investigations in cloud computing need to be performed on live systems. There are challenges in cloud forensics itself, as there are no standardised digital forensic procedures and processes. This paper is part of an effort by the authors to standardise the digital forensic process, and we therefore focus specifically on live forensics. Since cloud computing services are provisioned over the Internet, live forensics and network forensics form an integral part of cloud forensics. In a bid to standardise a digital forensic process in cloud computing, there is a need to first focus on live forensics and network forensics. In this paper we present digital forensic procedures on live forensics that follow the draft international standard for Investigation Principles and Processes. A standardised live digital forensic process will form part of a standardised cloud forensic process.