Cloud computing provides several benefits to organizations such as increased flexibility, scalability and reduced cost. However, it provides several challenges for digital forensics and criminal investigation. Existing forensics analysis frameworks and tools are largely intended for off line investigation and it is assumed that the logs are under the control of the investigator. In cloud computing, the evidence can be distributed across several machines and they can be stored on machines that are beyond the control of the investigator. Some other challenges are the dependence of forensically valuable data on the cloud deployment model, multiple virtual machines running on a single physical machine and multiple tenants on the same physical machine.
In this part of the project, we show what evidence from the cloud would be useful to re-construct the attack scenario by using a Prolog logic based forensic analysis tool. Our example attacks show how evidence from three different sources can help investigators to construct attack scenarios, which include (1) IDS and application software logging, (2) cloud service API calls and (3) system calls from VMs.