
Ranking of Remote Hosts for Digital Forensic Investigation in a Cloud Environment
Uma Chittoor
ETAKECS064

Contents
Issues in a Cloud
Digital Forensics
Examples of Computer Crimes
Digital Forensic Readiness
Ten Steps of DFR
Twelve Phases of an Investigation
Limitations of Digital Forensics
Proposed Model: Host Selection Model
Example: KDD99
Conclusion

Issues in a Cloud
Technical issues
  Power outages
  Network problems
Security
  Prone to attacks and threats
  Identifying attackers

Digital Forensics
The collection, preservation, analysis, and presentation of digital evidence that is:
  Admissible in a court of law
  Usable for internal disciplinary hearings
  Assisting/furthering other investigations
Started in 1984 by the FBI (Computer Analysis and Response Team)
Need: escalated cyber crime rates

Examples of Computer Crimes
Unauthorized modification of data
Piracy
Cyber Bullying
Cyber Stalking
Online Predators
Child Pornography

Digital Forensic Readiness
Making digital evidence readily available at the time of a digital forensic investigation (DFI)
Continuous collection of evidence

Digital Forensic Readiness
Effective against:
Threats and extortion
Accidents and negligence
Disagreements, deceptions, and malpractice
Property rights infringement
Economic crime e.g. fraud, money laundering
Privacy invasion and identity theft
Employee disciplinary issues

12 Phases of an Investigation
First response
Planning
Preparation
Incident scene
Documentation
Potential evidence identification
Potential evidence collection
Potential evidence transportation
Potential evidence storage
Potential evidence analysis
Presentation
Conclusion

Limitations of Digital Forensics
Large size of the cloud
Too many remote hosts
Too many connections between hosts
Difficulty in obtaining digital evidence
Highly time-consuming
Not cost-effective

Proposed Model - Host Selection Model
Incident Scene Modeling:
Set of remote hosts:
  $H = \{ h_i \mid h_i \text{ is a remote host},\ i \in \mathbb{N} \}$
  $H = H_A \cup H_D$
Set of incident types:
  $I = \{ i_k \mid i_k \text{ is an incident type},\ k \in \mathbb{N} \}$
Set of network connection attributes:
  $A = \{ a_i \mid a_i \text{ is a connection attribute} \}$

Host Selection Model
Incident Scene Modeling:
Set of connection attribute values:
  $V = \bigcup_{i=1}^{n} v_i = \{ x \mid x \in v_i,\ i \in \mathbb{N} \}$
Set of network connections:
  $C = \{ c_i \mid c_i \text{ is a network connection},\ i \in \mathbb{N} \}$

Host Selection Model
Algorithm:
Obtain attributes from the incident type:
  $f : I \to A$
Compute the set of network connections, $C$, from the relation $R \subseteq A \times C$:
  $g : R \to C$
Compute the set of remote hosts, $H$:
  $h : C \to H$

Host Selection Model
Algorithm:
Consider two sets $C_j \subseteq C$ and $H_j \subseteq H$, $j \in \mathbb{N}$
Function to check whether a connection $c \in C_j$:
  $k_{cj} = \begin{cases} 1, & \text{if } c \in C_j \\ 0, & \text{if } c \notin C_j \end{cases}$
Function to check whether a host $h \in H_j$:
  $l_{hj} = \begin{cases} 1, & \text{if } h \in H_j \\ 0, & \text{if } h \notin H_j \end{cases}$

Host Selection Model
Set $H$ is reduced based on:
  Distance between remote host and victim host
  Number of connections between remote host and victim host

Algorithm - Flowchart

Example: KDD99
Anomaly detection is used to overcome the weaknesses of signature-based Intrusion Detection Systems
KDDCUP99 is the most common data set for evaluating anomaly detection
Determination of four attack types:
  Denial of Service (DoS)
  User to Root (U2R) attack
  Remote to Local (R2L) attack
  Probing attack

KDD99 Forensic Investigation Model
Set of incident types: four types of incidents
  $I = \{ i_k \mid i_k \text{ is an incident type},\ 1 \le k \le 4,\ k \in \mathbb{N} \}$
Set of network connection attributes: 41 network connection attributes
  $A = \{ a_i \mid a_i \text{ is a connection attribute},\ 1 \le i \le 41,\ i \in \mathbb{N} \}$

KDD99 Forensic Investigation Model
Set of network connections: 409021 network connections
  $C = \{ c_i \mid c_i \text{ is a network connection},\ 1 \le i \le 409021,\ i \in \mathbb{N} \}$
Set of initial hosts:
  $H_{init} = \{ I_s \cup I_d \mid I_s \cap I_d = \emptyset \}$
  $I_s$ is the set of source IP addresses
  $I_d$ is the set of destination IP addresses

KDD99 Forensic Investigation Model
Removing duplicate entries and the local host IP address:
  $|H| = \begin{cases} n - 1 - |h_i|, & \text{if } \exists\, h_k \in H:\ h_i = h_k \\ n - 1, & \text{if } \nexists\, h_k \in H:\ h_i = h_k \end{cases}$
  where $n = |H_{init}|$
Assuming no duplicate entries, $|H| = 409020$
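The host-selection pipeline of the preceding slides ($f : I \to A$, $g : R \to C$, $h : C \to H$, the indicator functions $k_{cj}$ and $l_{hj}$, and the reduction of $H$ by connection count and distance) worked through on the KDD99-style incident model, as an added example in Python. This is not code from these slides or from Sibiya et al. The records imitate a handful of KDD99 connection attributes, but KDD99 rows carry no IP addresses, so the src, dst and hops fields, the victim address, the attribute set chosen per incident type and the thresholds that play the role of the relation $R$ are all assumptions made for this example, and the connection records themselves are constructed.

```python
"""Host selection and ranking for a cloud incident scene:
f : I -> A, g : R -> C, h : C -> H, then reduction of H by connection count
and distance.  Added worked example; not the slides' or Sibiya et al.'s code.
Records mimic a few KDD99 attributes, but src/dst/hops are assumed fields
(KDD99 rows carry no IP addresses)."""
from collections import Counter

VICTIM = "10.0.0.1"  # assumed local (victim) host of the incident scene

# Constructed connection records: KDD99-style attributes plus assumed endpoints.
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": VICTIM, "hops": 1, "service": "http", "flag": "S0",
     "count": 250, "serror_rate": 0.96, "diff_srv_rate": 0.0, "num_failed_logins": 0, "root_shell": 0},
    {"src": "10.0.0.5", "dst": VICTIM, "hops": 1, "service": "http", "flag": "S0",
     "count": 240, "serror_rate": 0.94, "diff_srv_rate": 0.0, "num_failed_logins": 0, "root_shell": 0},
    {"src": "172.16.4.9", "dst": VICTIM, "hops": 4, "service": "http", "flag": "S0",
     "count": 180, "serror_rate": 0.88, "diff_srv_rate": 0.0, "num_failed_logins": 0, "root_shell": 0},
    {"src": "192.168.7.3", "dst": VICTIM, "hops": 6, "service": "private", "flag": "REJ",
     "count": 12, "serror_rate": 0.0, "diff_srv_rate": 0.92, "num_failed_logins": 0, "root_shell": 0},
    {"src": "10.0.0.8", "dst": VICTIM, "hops": 1, "service": "ftp", "flag": "SF",
     "count": 1, "serror_rate": 0.0, "diff_srv_rate": 0.0, "num_failed_logins": 4, "root_shell": 0},
    {"src": VICTIM, "dst": "10.0.0.22", "hops": 1, "service": "smtp", "flag": "SF",
     "count": 1, "serror_rate": 0.0, "diff_srv_rate": 0.0, "num_failed_logins": 0, "root_shell": 0},
    {"src": "10.0.0.22", "dst": VICTIM, "hops": 1, "service": "telnet", "flag": "SF",
     "count": 1, "serror_rate": 0.0, "diff_srv_rate": 0.0, "num_failed_logins": 0, "root_shell": 1},
]

# f : I -> A.  Attributes that characterise each of the four incident types.
# The choice of attributes is an assumption for this example.
INCIDENT_ATTRIBUTES = {
    "dos":   {"flag", "count", "serror_rate"},
    "probe": {"flag", "diff_srv_rate"},
    "r2l":   {"service", "num_failed_logins"},
    "u2r":   {"root_shell"},
}

# R (subset of A x C): attribute values that relate a connection to an incident type.
# Thresholds are assumptions for the example, not values from the slides.
INCIDENT_INDICATORS = {
    "dos":   lambda c: c["flag"] == "S0" and c["count"] >= 100 and c["serror_rate"] >= 0.5,
    "probe": lambda c: c["flag"] == "REJ" and c["diff_srv_rate"] >= 0.5,
    "r2l":   lambda c: c["num_failed_logins"] >= 3,
    "u2r":   lambda c: c["root_shell"] == 1,
}


def attributes_for(incident):
    """f : I -> A."""
    return INCIDENT_ATTRIBUTES[incident]


def connections_for(incident, connections):
    """g : R -> C.  Keep the connections whose incident-relevant attributes match R."""
    indicator = INCIDENT_INDICATORS[incident]
    return [c for c in connections if indicator(c)]


def k(c, c_j):
    """Membership indicator k_cj for a connection c and subset C_j."""
    return 1 if c in c_j else 0


def l(h, h_j):
    """Membership indicator l_hj for a host h and subset H_j."""
    return 1 if h in h_j else 0


def initial_hosts(connections):
    """H_init = I_s U I_d, kept as a list so duplicates stay visible and n = |H_init|."""
    return [c["src"] for c in connections] + [c["dst"] for c in connections]


def hosts_for(connections, victim=VICTIM):
    """h : C -> H.  Drop the local (victim) host and duplicate entries."""
    return {host for host in initial_hosts(connections) if host != victim}


def rank_hosts(incident, connections=CONNECTIONS, victim=VICTIM):
    """Reduce and order H: most connections to the victim first, fewest hops on ties."""
    relevant = connections_for(incident, connections)
    remote = hosts_for(relevant, victim)
    conn_count = Counter()
    distance = {}
    for c in relevant:
        other = c["dst"] if c["src"] == victim else c["src"]
        if other in remote:
            conn_count[other] += 1
            distance[other] = min(distance.get(other, c["hops"]), c["hops"])
    return sorted(remote, key=lambda h: (-conn_count[h], distance[h], h))


if __name__ == "__main__":
    n = len(initial_hosts(CONNECTIONS))
    print(f"n = |H_init| = {n}; |H| after removing victim and duplicates = {len(hosts_for(CONNECTIONS))}")
    for incident in INCIDENT_ATTRIBUTES:
        print(incident, sorted(attributes_for(incident)), rank_hosts(incident))
```

Running the block reports $n = |H_{init}| = 14$ and $|H| = 5$ once the victim and the duplicate entries are dropped, and for the DoS incident ranks 10.0.0.5 (two half-open connections, one hop away) ahead of 172.16.4.9 (one connection, four hops away); the duplicate-free case of the cardinality formula, $|H| = n - 1$, only holds when every host appears once, which is why `initial_hosts` keeps the list before `hosts_for` collapses it to a set.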

Conclusion - Advantages of the Proposed System
Reduced effort in finding evidence
Investigation of a smaller number of hosts
Reduced cost in finding evidence

References
George Sibiya, Thomas Fogwill, H.S. Venter, "Selection and Ranking of Remote Hosts for Digital Forensic Investigation in a Cloud Environment".
R. Rowlingson, "A Ten Step Process for Forensic Readiness", International Journal of Digital Evidence, vol. 2, no. 3, pp. 1–28, 2004.
Bruce J. Nikkel, "The Role of Digital Forensics within a Corporate Organization", IBSA Conference, Vienna, May 2006.
Mahbod Tavallaee, Ebrahim Bagheri, Wei Lu, and Ali A. Ghorbani, "A Detailed Analysis of the KDD CUP 99 Data Set", 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA).
Venansius Baryamureeba, Florence Tushabe, "The Enhanced Digital Investigation Process Model", http://www.forensicfocus.com/Content/pid=56/page=1/

THANK YOU!
