INSPECT- An Intelligent and Reliable Forensic Investigation through Virtual Machine Snapshots

Full Text (PDF, 1148KB), PP.17-28

Views: 0 Downloads: 0


K. Umamaheswari 1,* S. Sujatha 2

1. Research and Development Centre, Bharathiar University, Coimbatore, India

2. Department of Computer Science, Bharathi Womens College, Chennai, India

* Corresponding author.


Received: 13 Nov. 2017 / Revised: 26 Dec. 2017 / Accepted: 15 Jan. 2018 / Published: 8 Mar. 2018

Index Terms

Forensic investigation, VM snapshots, SLA, FCM clustering, chain of custody, privacy, and multi-tenant


Cloud computing is emerging as a popular paradigm that provides significant advances and utility-oriented services over shared virtualized resources. Despite the advantage of the cloud services, the majority of cloud users are reluctant to access the cloud due to unprecedented security threats in the cloud environment. The increasing cloud vulnerability incidences show the significance of cloud forensic techniques for the criminal investigation. It is challenging to gather the evidence from the abundant cloud data and identifying the source of the attack from the crime scene. Moreover, the Cloud Service Provider (CSP) confines the investigator to carry out the forensic investigation due to the prime concerns in the multi-tenant cloud infrastructure. To cope up with these constraints, this paper presents INSPECT, an investigation model that accomplishes adaptive evidence acquisition with adequate support for dynamic Chain of Custody presentation. By utilizing the VM log files, the INSPECT approach forensically acquires the corresponding evidence from the cloud data storage based on the location of malicious activity. It enhances the evidence acquisition and analysis process by optimally selecting and exploiting the required forensic fields alone instead of analyzing the entire log information. The INSPECT applies the Modified Fuzzy C-Means (M-FCM) clustering with contextual initialization method on the acquired evidence to recognize the source of the attack and improves the trustworthiness of the evidence through the submission of the chain of custody. By analyzing the Service Level Agreement (SLA) of the cloud users, it facilitates the source of attack identification from the clustered data. Furthermore, it isolates the evidence to avert deliberate modification by an adversary in the multi-tenant cloud. Eventually, INSPECT presents the evidence along with the chain of custody information regarding the crime scene. It enables the law enforcement authority to explore the evidence through the chain of custody information and to reconstruct the crime scene using the VM snapshots associated with timestamp data. The experimental results reveal that the INSPECT approach accomplishes a high level of accuracy in the investigation with the improved trustworthiness over the multi-tenant cloud infrastructure.

Cite This Paper

K. Umamaheswari, S. Sujatha, " INSPECT- An Intelligent and Reliable Forensic Investigation through Virtual Machine Snapshots", International Journal of Modern Education and Computer Science(IJMECS), Vol.10, No.3, pp. 17-28, 2018. DOI:10.5815/ijmecs.2018.03.03


[1]Zhang, Q., Cheng, L., and Boutaba R, “Cloud computing: state-of-the-art and research challenges”, Journal of internet services and applications, Vol.1, No.1, pp.7-18, 2010
[2]Mohit Agarwal, Gur Mauj Saran Srivastava, “Cloud Computing: A Paradigm shift in the way of Computing”, I.J. Modern Education and Computer Science, Vol. 12, No.1, pp.38-48, 2017
[3]K. Higgings, “Dropbox, WordPress Used As Cloud Cover In New APT Attacks”, Dark reading, 2013[Online]Available:
[4]Taylor, M., Haggerty, J., Gresty, D., and Lamb, D, “Forensic investigation of cloud computing systems”, Network Security, Vol.2011, No.3, pp.4-10, 2011
[5]Zawoad, S., and Hasan R, “Cloud forensics: a meta-study of challenges, approaches, and open problems”, arXiv preprint arXiv:1302.6312, 2013
[6]Dykstra, J., and Sherman A. T, “Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques”, Digital Investigation, Vol.99, pp.S90-S98, 2012
[7]Suneja, S., Isci, C., de Lara, E., and Bala V, “Exploring vm introspection: Techniques and trade-offs”, In ACM SIGPLAN Notices, Vol.50, No.7, pp.133-146, 2015
[8]Ruan, K., Carthy, J., and Kechadi, T, “Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis”, In Proceedings of the Conference on Digital Forensics, Security and Law, Association of Digital Forensics, Security and Law, p.55, 2011
[9]Ruan, K., James, J., Carthy, J., and Kechadi T, “Key terms for service level agreements to support cloud forensics”, Springer, In IFIP International Conference on Digital Forensics, pp.201-212, 2012
[10]Ahmed Fahim, “A Clustering algorithm based on local density of points”, I.J. Modern Education and Computer Science, Vol.12, pp.9-16, 2017
[11]Pichan, A., Lazarescu, M., and Soh S. T, “Cloud forensics: Technical challenges, solutions and comparative analysis”, Digital Investigation, Vol.13, pp.38-57, 2015
[12]Alqahtany, S., Clarke, N., Furnell, S., and Reich C, “Cloud forensics: a review of challenges, solutions and open problems”, IEEE International Conference on Cloud Computing (ICCC), pp.1-9, 2015.
[13]Umamaheswari, K. and Sujatha, S. “Impregnable defence architecture using dynamic correlation-based graded intrusion detection system for cloud”, Defence Science Journal, Vol.67, No.6, pp.645-653, 2017.
[14]F. Xinwen, L. Zhen, Y. Wei, and L. Junzhou, “Cyber Crime Scene Investigations (C2SI) through Cloud Computing”, IEEE 30th International Conference on Distributed Computing Systems Workshops (ICDCSW), pp.26-31, 2010
[15]Hay, B., and Nance K, “Forensics examination of volatile system data using virtual introspection”, ACM SIGOPS Operating Systems Review, Vol.42, No.3, pp.74-82, 2008
[16]Thorpe, S, and Ray I, “File timestamps for digital cloud investigations”, Journal of Information Assurance and Security, Vol.6, No.6, 2011
[17]Zawoad, S., and Hasan, R, “Chronos: Towards Securing System Time in the Cloud for Reliable Forensics Investigation”, IEEE 40th Annual In Computer Software and Applications Conference (COMPSAC), Vol.1, pp.423-432, 2016
[18]Thorpe, S., and Ray I, “Detecting temporal inconsistency in virtual machine activity timelines”, Proceedings of Journal of Information Assurance and Security (JIAS), Vol.7, No.1, 2012
[19]Wook Baek H, Srivastava A, and Van der Merwe J, “Cloudvmi: Virtual machine introspection as a cloud service”, IEEE International Conference on Cloud Engineering (IC2E), pp.153-158, 2014
[20]Hirwani M, Pan Y, Stackpole B, and Johnson D, “Forensic acquisition and analysis of vmware virtual hard disks”, Proceedings of the International Conference on Security and Management (SAM), The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp), 2012
[21]Rani DR, and Geethakumari G, “An efficient approach to forensic investigation in cloud using VM snapshots”, IEEE International Conference on Pervasive Computing (ICPC), pp.1-5, 2015
[22]Zhou G, Cao Q, and Mai Y, “Forensic analysis using migration in cloud computing environment”, Information and Management Engineering, pp.417-423, 2011
[23]Delport W, Köhn M, and Olivier MS, “Isolating a cloud instance for a digital forensic investigation”, In ISSA, 2011
[24]Delport, W., and Olivier, M, “Isolating instances in cloud forensics”, Springer, In IFIP International Conference on Digital Forensics, pp.187-200, 2012
[25]Belorkar, A., and Geethakumari G, “Regeneration of events using system snapshots for cloud forensic analysis”, In India Conference (INDICON), Annual IEEE, pp.1-4, 2011
[26]Martini, B., and Choo, K. K. R, “An integrated conceptual digital forensic framework for cloud computing”, Digital Investigation, Vol.9, No.2, pp.71-80, 2012
[27]Dykstra, J., and Sherman A. T, “Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform”, Digital Investigation, Vol.10, pp.S87-S95, 2013
[28]Pasquale, L., Hanvey, S., Mcgloin, M., and Nuseibeh B, “Adaptive evidence collection in the cloud using attack scenarios”, Computers and Security, Vol.59, pp.236-254, 2016