In every cloud environment, the administration and management of services is performed by an entity called the Cloud Service Provider (CSP). The approach to cloud computing varies with the provider, the service model and the deployment model, so digital forensics in the cloud varies according to the service and deployment models. In the SaaS and PaaS models, log information is collected as evidence, and in the IaaS model, the VM image is taken as evidence. We can get access to the physical devices in the private deployment model but not in the public cloud.
When users request a VM, the associated data is stored in cloud datacenters based on the users' request. Once a user terminates the VM, the associated data is lost. If a VM performs malicious activity, its user can terminate the VM, losing the volatile data, which makes forensic investigation impossible. Terminating the VM does not allow reconstruction of the crime scene, which would have helped in finding the user responsible for the attack.
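
The termination problem described above can be audited from VM lifecycle records. The following is an added example, not part of the original text: it scans constructed lifecycle events and reports VMs that were terminated after an alert without a memory capture (the volatile data) or a disk snapshot (the VM image) being taken first. The event names and line layout are assumptions made for this example, not any provider's log format.

```python
from datetime import datetime

# Constructed sample events: "timestamp vm_id event". The event names
# (create, alert, memory_capture, disk_snapshot, terminate) are assumptions
# for this example, not any provider's audit-log schema.
SAMPLE_LOG = """\
2024-03-01T10:00:00 vm-101 create
2024-03-01T11:00:00 vm-101 alert
2024-03-01T11:02:00 vm-101 terminate
2024-03-01T11:30:00 vm-102 alert
2024-03-01T11:31:00 vm-102 memory_capture
2024-03-01T11:33:00 vm-102 disk_snapshot
2024-03-01T11:40:00 vm-102 terminate
2024-03-01T12:10:00 vm-103 alert
2024-03-01T12:11:00 vm-103 disk_snapshot
2024-03-01T12:12:00 vm-103 terminate
2024-03-01T13:20:00 vm-104 terminate
"""

def parse(log):
    """Yield (time, vm_id, event) tuples, skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def evidence_gaps(log):
    """Return {vm_id: missing artefacts} for VMs terminated after an alert."""
    alerted, captured, gaps = {}, {}, {}
    for when, vm, event in sorted(parse(log)):
        if event == "alert":
            alerted.setdefault(vm, when)
        elif event in ("memory_capture", "disk_snapshot") and vm in alerted:
            captured.setdefault(vm, set()).add(event)  # only post-alert captures count
        elif event == "terminate" and vm in alerted:
            missing = {"memory_capture", "disk_snapshot"} - captured.get(vm, set())
            if missing:
                gaps[vm] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for vm, missing in evidence_gaps(SAMPLE_LOG).items():
        print(f"{vm}: terminated after alert without {', '.join(missing)}")
```
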
There is a significant increase in digital devices using the cloud, but investigators are given limited power to obtain the data legally. The Service-level Agreement may not mention the terms and conditions regarding the role of the CSP in the investigation and the responsibility of the CSP during a crime incident. Also, the CSP may not have maintained the log files and logging mechanism, which are really useful for identifying malicious activities. Collecting these log files for investigation is difficult because the investigator needs to depend on the CSP.
When an attack is identified, the Virtual Machine Monitor (VMM), or a VM running under the VMM, analyzes the attacked VM. This technique is called Virtual Machine Introspection (VMI). Malicious events can be identified by performing VMI, which is the technique of examining a running VM either from another VM not under examination or from the hypervisor.
Many tools exist for performing traditional digital forensics. These tools access the physical devices and perform forensic analysis. Due to the inaccessibility of physical devices in the cloud, it lacks the