Real Time Forensics and Intrusion Detection Systems [6CC092] First Assignment

9 March 2012 Marking Tutor: Olga Angelopoulou Authored by: Bartosz Inglot

Table of Contents

1. Introduction
2. Background
2.1. Cloud Computing
2.2. Cloud Forensics
3. Cloud Forensics Research and Techniques
3.1. Challenges
3.1.1. Technical Dimension
3.1.2. Organisational Dimension
3.1.3. Legal Dimension
3.2. Opportunities
4. Critical Criteria for Forensics Capability
4.1. Technical
4.1.1 Data Provenance
4.1.2 Data Distribution
4.1.3. Evidence Segregation
4.1.4 Virtualised Environments
4.1.5 Proactive measures
4.2. Legal
4.2.1 Jurisdiction
4.2.2. Instruction Sheet
5. Conclusion
6. References

1. Introduction

Cloud computing is perhaps one of the most widely discussed information technologies today. It offers many promising technological and economic opportunities. However, as with every new technology, it poses the threat of the unknown (Birk and Wegener, 2011). This report aims to understand the difficulties faced by a digital forensics investigator in collecting and analysing data from a cloud environment. The report is organised as follows: it starts with fundamental background information on cloud computing, the reasons behind its popularity and the impact of cloud computing on computer forensics. Section three describes the challenges of cloud forensics in all three dimensions: technical, organisational and legal; and then outlines the opportunities of cloud forensics. In section four, the author focuses on possible solutions to the stated problems.

2. Background

Cloud computing is fundamentally changing how information technology (IT) services are created, delivered, accessed and managed (Ruan et al., 2011a). According to the research firm Gartner (2010a), the worldwide cloud service market should reach $148.8 billion in 2014. This trend toward cloud computing is creating multiple challenges for forensic investigators (Zimmerman and Glavach, 2011).

2.1. Cloud Computing

Although cloud computing is becoming very common, it still remains a confusing and evolving term in the industry (Ruan et al., 2011a), with differing definitions offered by numerous respected organisations, such as NIST (Mell and Grance, 2011), Cloud Security Alliance (CSA, 2009), Gartner (2009) and Oracle (Farber, 2008). Buyya et al. (2008) give a succinct definition of cloud computing, stating that it is a paradigm where software, platforms, and infrastructure are treated as virtualised units which are accessed by users. Cloud services are provisioned on demand and regulated by service level agreements (SLAs) between users and providers. Cloud users can range from governments and research institutions to individuals or businesses.

There are various reasons for the recent trend in cloud computing. Some believe that it is a result of the reduction in IT costs due to the recession (Ruan et al., 2011b), and others that it redefines the value of IT organisations as service enablers (Gartner, 2010b). Regardless of this, cloud computing involves potentially greater exposure to security threats and privacy breaches than traditional IT service provisioning (Taylor et al., 2011). The threats it inherits include those of virtual machines, web services and mobile computing. Furthermore, the risks that existed before cloud computing are still present, such as phishing attacks, malicious software and spam (Hussain and Abdulsalam, 2011).

2.2. Cloud Forensics

Computer forensics has developed in recent years as an important tool in the fight against crime. It is the application of computer investigation and analysis techniques to gather potential evidence (Li and Seberry, 2003).

Cloud forensics is a cross discipline of cloud computing and digital forensics, which constitutes a new challenge for investigators. Because of the decentralised nature of data being stored and processed in the cloud, traditional approaches to evidence collection and recovery are not always practical (ClaWSLab, 2010). Some of these issues can be resolved by applying the same tools and processes but in a different manner, while other problems require novel approaches and systems to be developed (Zimmerman and Glavach, 2011). Researchers disagree on the impact of cloud computing on forensics: some say it makes forensics more complex (Sawyer, 2009), while others say it makes forensics easier (Morrill, 2008). What follows is an outline of the shortcomings and opportunities of cloud forensics to let readers decide for themselves.

3. Cloud Forensics Research and Techniques

Numerous works have been published regarding cloud security and privacy, mainly revolving around isolation of multi-tenant platforms (Ristenpart et al., 2009), secure network infrastructures (Chow et al., 2009) and security of hypervisors in order to protect virtualised guest systems (Azab et al., 2010; Azab et al., 2011). A hypervisor is a piece of software which monitors and provisions instances of virtual machines (Ruan et al., 2011a). The aspects of forensic investigations in cloud computing, on the other hand, have mostly been neglected by the research community and industry (Birk and Wegener, 2011).

3.1. Challenges

At the moment there are a number of complications involved in conducting a forensic investigation. Aspects such as standardised processes, court-approved methods and tools, data integrity and jurisdictional concerns stand in the way of cloud forensics. Part of the problem is that the old rules of investigation are no longer practical and cloud forensics, like mobile forensics, requires a different approach from traditional post-mortem analysis (Barret and Kipper, 2010). In order to embrace the wide domain of cloud forensics and to stress the fact that it is a multidimensional issue, what follows is a discussion of the three facets of cloud forensics’ challenges: technical, organisational and legal.

3.1.1. Technical Dimension

The technical dimension comprises the tools and procedures that are necessary to perform a forensic investigation in a cloud computing environment (Ruan et al., 2011a).

Suspect’s Trail

As there is no physical interaction between a user and a cloud environment, identities within this environment rely on some sort of authentication, such as usernames and passwords. Therefore, if an account becomes compromised, it is more difficult to link a suspect to malicious activities (Taylor et al., 2011). Moreover, data could be modified or damaged either by an attacker or the cloud service provider (CSP), e.g. because of storage reasons, in which case the customer has no way of proving otherwise (ClaWSLab, 2010).

The need for further research on evidence tracking, incident handling and accountability in cloud environments is confirmed by other authors: Haeberlen (2010), Grobauer and Schreck (2010), Wolthusen (2009).

Data Attribution

Digital provenance, the metadata that describes the origin or history of data, still remains a challenging issue for cloud environments. Most CSPs do not offer customers any way to find out whether their accounts have been compromised and, subsequently, whether any data has been accessed (Birk and Wegener, 2011).

Data Collection

Data collection in the cloud can pose several problems. One of them is the fact that forensic data includes both client-side artefacts that reside on client premises and provider-side artefacts. Thus, the procedures and tools to collect data vary depending on the cloud model in place (Ruan et al., 2011a). The client-side artefacts usually reside in the browser history/caches (Birk and Wegener, 2011). Obtaining the complete set of evidence may be impossible or may require seizing a high number of machines at home, work, and potentially mobile devices (Taylor et al., 2011). Access to forensic data in the cloud varies considerably depending on the service and deployment model. However, regardless of the model, an investigator faces the challenge of decreased access to forensic data (Ruan et al., 2011a).

The second issue concerns network forensics, which, although theoretically feasible in the cloud, does not take place in practice, as regular CSPs do not provide any network data captures (Birk and Wegener, 2011). The way the cloud is implemented and its technical architecture influence how an investigation may be conducted (Grobauer and Schreck, 2010). For instance, evidence collection may have to occur through virtualisation software, which in turn can render the evidence forensically unsound (Taylor et al., 2011).

Data Distribution

Before data collection can even take place, evidence identification has to occur. Because of the decentralised nature of data storage and processing in a cloud environment, traditional approaches to evidence collection and recovery no longer apply (Grobauer and Schreck, 2010). In other words, identification of evidence in the cloud can be problematic since data could be dispersed over an undisclosed number of network applications, virtual instances and network devices (Taylor et al., 2011).

Logs Format and Volume

The use of disparate log formats already constitutes a challenge in traditional computer forensic investigation. The situation is aggravated in a cloud environment, as the volume of log data can be incredibly large and CSPs introduce their own proprietary log formats (Ruan et al., 2011a).

Another problem may be the volatile nature of the log data, which makes it available only for a certain period of time. For instance, Amazon does not provide its load balancer logs to customers (Zafarullah et al., 2011).

Packet Capturing

System logs are a useful source of information and a sound basis for compliance reporting, showing what occurred in an incident. However, as they lack depth, in order to fully understand the incident and potentially be able to replay an attack, cloud customers should be allowed to capture network traffic (Rothman, 2011), which ordinary CSPs do not currently provide (Birk and Wegener, 2011).

Time Synchronisation

Constructing a timeline of events requires accurate time synchronisation. This is difficult to achieve since the data of interest resides on multiple physical machines in different geographical locations (Ruan et al., 2011a). Additionally, time settings may differ between the user side and the provider side (Zimmerman and Glavach, 2011).

Data Volatility

Depending on the CSP and the selected offer, virtual instances may not have any persistent storage. This means that in most cases all the user’s data is lost if the instance is rebooted or shut down. This is mostly the consequence of the “on-demand” characteristic of the cloud (Birk and Wegener, 2011).

Unallocated Data Recovery

Deleted data is a significant source of evidence in traditional digital forensics. However, if a user exits the cloud, virtualisation sanitises the resources and therefore the recovery of data can be severely limited (Taylor et al., 2011). Furthermore, even if the recovery of the deleted data was successful, ownership identification presents a further challenge (Ruan et al., 2011a). Conversely, CSPs do not provide any process for verifying that a customer’s data stored in the cloud has been deleted exhaustively (Birk and Wegener, 2011).

Encryption

Many CSPs support encryption of customers’ storage to ensure data security. As with traditional computer forensics, any form of encryption increases the complexity of the investigation, potentially slows the process down and defeats widely-used analysis techniques, such as keyword searches (Taylor et al., 2011).

Evidence Segregation

Multi-tenant environments such as the cloud reduce IT costs via resource sharing. However, it is a challenge for CSPs and forensic investigators to segregate evidence without breaching the confidentiality of other tenants (Ruan et al., 2011a).

Virtualised Environments

Virtualisation is a key technology when it comes to implementing cloud services. However, hypervisor investigation procedures are almost non-existent. A hypervisor is a program which monitors and provides instances of servers run as virtual machines (Ruan et al., 2011a).

Loss of Evidence

Besides the difficulty of accessing certain artefacts in the cloud, there is a risk of losing a file’s metadata if data is downloaded from a cloud. Metadata such as file creation, modification and access times may be crucial in constructing a timeline of events (Reilly et al., 2010).
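The log-format and time-synchronisation problems described above can be made concrete with a small timeline builder. This is an added example, not part of the original report: the three log formats, the source names, the clock skews and every log line are constructed for illustration, and the skew values are assumed to have been measured by the investigator.

```python
"""Merge constructed provider, guest and client logs into one UTC timeline."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+(.*)$")


@dataclass(frozen=True)
class Source:
    name: str
    utc_offset: timedelta   # zone in which the source writes local timestamps
    skew: timedelta         # measured clock error: source clock minus reference
    uncertainty: timedelta  # how precisely that skew is known


@dataclass(frozen=True)
class Event:
    when: datetime          # skew-corrected UTC time
    source: Source
    message: str


def parse_provider(line, src, year):
    """Provider-side audit record: JSON with an ISO 8601 UTC timestamp."""
    rec = json.loads(line)
    raw = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return Event(raw - src.skew, src, f'{rec["action"]} by {rec["user"]}')


def parse_syslog(line, src, year):
    """Guest syslog: local time with no year, so the year must be supplied."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    mon, day, hh, mm, ss, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    raw = (local - src.utc_offset).replace(tzinfo=UTC)
    return Event(raw - src.skew, src, msg)


def parse_browser(line, src, year):
    """Client-side history export: epoch milliseconds, tab, URL."""
    millis, url = line.split("\t", 1)
    raw = datetime.fromtimestamp(int(millis) / 1000, tz=UTC)
    return Event(raw - src.skew, src, f"visited {url}")


# Constructed sources: the guest logs in UTC+1 and runs 5 s fast,
# the client machine runs 90 s fast.
PROVIDER = Source("provider", timedelta(0), timedelta(0), timedelta(seconds=1))
GUEST = Source("guest", timedelta(hours=1), timedelta(seconds=5), timedelta(seconds=2))
CLIENT = Source("client", timedelta(0), timedelta(seconds=90), timedelta(seconds=10))

SAMPLES = [  # constructed log lines
    (PROVIDER, parse_provider, [
        '{"eventTime": "2012-03-01T10:15:02Z", "user": "alice", "action": "ConsoleLogin"}',
        '{"eventTime": "2012-03-01T10:16:40Z", "user": "alice", "action": "DeleteObject"}',
    ]),
    (GUEST, parse_syslog, [
        "Mar  1 11:15:30 vm-42 sshd[811]: Accepted password for alice",
        "Mar  1 11:16:43 vm-42 backup[900]: purge job started",
    ]),
    (CLIENT, parse_browser, [
        "1330596960000\thttps://storage.example/login",
    ]),
]


def build_timeline(samples, year):
    """Parse every line with its source's parser and sort by corrected UTC time."""
    events = [parse(line, src, year)
              for src, parse, lines in samples for line in lines]
    return sorted(events, key=lambda e: e.when)


def ambiguous_pairs(timeline):
    """Cross-source pairs whose gap is within their combined skew uncertainty."""
    pairs = []
    for i, a in enumerate(timeline):
        for b in timeline[i + 1:]:
            limit = a.source.uncertainty + b.source.uncertainty
            if a.source is not b.source and b.when - a.when <= limit:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    timeline = build_timeline(SAMPLES, 2012)
    for ev in timeline:
        print(ev.when.isoformat(), ev.source.name, ev.message)
    for a, b in ambiguous_pairs(timeline):
        print("order not provable:", a.message, "<->", b.message)
```

After correction the client's page visit moves ahead of the provider's login record, and the guest's purge entry and the provider's delete record fall within each other's uncertainty, so their relative order cannot be asserted in a report.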

3.1.2. Organisational Dimension

The organisational dimension discusses the issue of communication and collaboration among various entities involved in forensic activities in a cloud environment.

Internal Staffing

Cloud technologies are rapidly evolving and therefore CSPs must ensure that their employees are sufficiently trained to address the technical and legal challenges of cloud forensic investigations (Ruan et al., 2011a).

External Dependency Chains

As a great number of CSPs and cloud applications have dependencies on other CSPs (e.g. Dropbox uses Amazon’s S3 storage), cloud forensics requires investigations of each individual link in the dependency chain, which can considerably delay the investigation. Additionally, correlation of the evidence across CSPs can be a major challenge (Ruan et al., 2011a).

Service Level Agreements (SLAs)

An SLA defines the terms of use between a CSP and the customers. Current SLAs skip significant terms regarding cloud forensics due to limited CSP transparency, lack of international regulation and low customer awareness, among others (Ruan et al., 2011a).

External Assistance

When a security incident occurs, the organisation wants to perform an investigation, preferably without dependency on third parties. In the cloud, this is no longer possible as the CSPs have control over the resources which contain the evidence. In the best case scenario, a third party serves as a trustee to ensure the trustworthiness of the CSP (Birk and Wegener, 2011).

Forensic Readiness

Currently, there are no legal requirements on data retrieval, handling and storage (Birk and Wegener, 2011) and SLAs largely do not include the terms of use that would facilitate forensic readiness. Moreover, many CSPs do not provide means for customers to gather forensic data (Ruan et al., 2011a).

3.1.3. Legal Dimension

The legal dimension encompasses the legal and administrative issues that hinder forensic investigations in the cloud.

Jurisdiction

Although numerous jurisdictional concerns may have existed since the advent of the Internet, cloud forensics involves more complex considerations. This can potentially slow down investigations and generate serious cross-border red tape (Taylor et al., 2011). Zafarullah et al. (2011) illustrate the problem taking the Data Protection Act as an example.

Chain of Custody

Chain of Custody is a list of events recording where evidence is stored and who takes possession of it, which is crucial to be able to take a case to court (Birk and Wegener, 2011). However, it proves highly problematic to maintain a chain of custody relating to the acquisition of the evidence in the cloud (Reilly et al., 2010).

ACPO Principles

Cloud forensics mostly does not conform to the Association of Chief Police Officers guidelines (ACPO, 2007) about handling computer-based electronic evidence, which in turn casts doubt over the evidence’s integrity and authenticity, and may rule the evidence inadmissible in a UK court of law (Reilly et al., 2010).

Jury in Court

Computer forensics investigations require that the investigator explains, using technical language, what exactly the evidence means and how it was acquired. This can be extremely challenging in traditional forensics, let alone cloud forensics (Reilly et al., 2010).
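The chain of custody described above, together with the metadata loss noted under Loss of Evidence, can be sketched as an acquisition record plus a hash-chained custody log. This is an added example, not part of the original report: the file names, actors, timestamps and record layout are constructed, and the use of SHA-256 is this example's assumption.

```python
"""Evidence acquisition record plus a hash-chained custody log (constructed demo)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large evidence images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(path):
    """Record timestamps and size first, because reading may update atime."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
        "sha256": sha256_file(path),
    }


class CustodyLog:
    """Append-only list in which every entry commits to the one before it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, when, actor, action, evidence_sha256):
        body = {
            "seq": len(self.entries),
            "when": when,
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        self.entries.append({**body, "entry_hash": self._digest(body)})

    def first_broken(self):
        """Index of the first entry whose hash or back-link fails, else None."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or self._digest(body) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return None


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "report.db")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample evidence\n")
        stamp = 1330596900  # constructed: 2012-03-01T10:15:00Z
        os.utime(original, (stamp, stamp))
        record = acquire(original)

        # A plain download or copy keeps the bytes but not the timestamps.
        downloaded = os.path.join(tmp, "download.db")
        shutil.copyfile(original, downloaded)
        copy = acquire(downloaded)

    log = CustodyLog()
    log.append("2012-03-01T12:00:00Z", "examiner-a", "acquired from provider", record["sha256"])
    log.append("2012-03-01T15:30:00Z", "examiner-b", "received for analysis", record["sha256"])
    log.append("2012-03-02T09:00:00Z", "examiner-b", "returned to storage", record["sha256"])
    intact = log.first_broken()

    log.entries[1]["actor"] = "someone-else"  # simulate a later edit to the record
    tampered = log.first_broken()

    return {
        "same_content": record["sha256"] == copy["sha256"],
        "mtime_kept_in_record": record["mtime_ns"] == stamp * 10**9,
        "mtime_lost_in_copy": copy["mtime_ns"] != record["mtime_ns"],
        "intact": intact,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(run_demo())
```

The copy matches the original byte for byte yet carries a new modification time, which is why the record is taken at acquisition; the altered custody entry is reported at index 1 because its stored hash no longer matches its contents.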

3.2. Opportunities

The main advantage of cloud computing is centralised data, as having evidence in a collective place can accelerate response to incidents. Forensic investigations could also take advantage of the services and resources provided by CSPs to assist the investigation, such as automatic MD5 checksums (Reilly et al., 2010). Other benefits to cloud forensics derive from the scalability and flexibility of the cloud. Firstly, elastic and unlimited storage increases the efficiency of indexing and searching the evidence. Secondly, the compute-intensive resources can assist investigators in work such as cracking passwords. Finally, disk and memory images can be easily acquired through the snapshot technology (Reilly et al., 2010).

4. Critical Criteria for Forensics Capability

There are many technical and legal issues with performing cloud forensics that need to be thoroughly researched and addressed. The proposed solutions differ, ranging from new tools, procedures, policies and guidelines, to better trained staff and improved agreements. What follows are particular examples advocated by academia.

4.1. Technical

4.1.1 Data Provenance

Secure provenance mechanisms for distributed environments could greatly improve the situation of cloud forensics but have not yet been practically implemented by CSPs (ClaWSLab, 2010).

4.1.2 Data Distribution

Provided that the right access-control mechanisms are in place and relevant logs are kept, the methodology for cloud forensics might be no different from traditional forensic investigations. The cloud-based issues mainly revolve around data preservation (Taylor et al., 2011).

4.1.3. Evidence Segregation

Methods for generating customer-specific event logs that do not violate the privacy/confidentiality requirements of other customers in the cloud are required (Grobauer and Schreck, 2010).

4.1.4 Virtualised Environments

Virtual-machine introspection (Hay and Nance, 2008) and the snapshot feature of virtualisation provide powerful techniques to investigators. In addition, research in memory forensics must be intensified (Birk and Wegener, 2011).

4.1.5 Proactive measures

Being proactive can seriously assist forensic investigations. Examples include continually tracking authentication and preserving regular snapshots of storage and access control (Ruan et al., 2011a).

4.2. Legal

4.2.1 Jurisdiction

The legal aspect of cloud forensics necessitates the development of regulations and agreements to guarantee that forensic activities do not breach laws and regulations in jurisdictions where the evidence resides.

4.2.2. Instruction Sheet

At the moment there are no guidelines that specifically address the conduct of cloud forensic investigation. However, a checklist might be useful to make live system analysis easier and ensure that all or most of the bases have been covered (Taylor et al., 2011).

5. Conclusion

There is no doubt that cloud computing brings many benefits for businesses. However, the loss of control over data poses an enormous challenge for conducting forensics investigations. Cloud forensics also crosses boundaries of responsibility and access and therefore the field of digital forensics needs to be revised and adapted to the new environment. Besides new forensic tools and systems, a strong working relationship needs to be developed between CSPs and customers to fully address cloud investigations.

6. References

ACPO (2007) Good Practice Guide for Computer-Based Electronic Evidence: Official release version, 7Safe [Online]. Available at: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf (Accessed: 8 March 2012).

Azab, A. M., Ning, P. and Zhang, X. (2011) SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms, Proceedings of the 18th ACM conference on Computer and communications security (CCS '11), pp. 375-388 ACM [Online]. Available at: http://dl.acm.org/citation.cfm?id=2046752 (Accessed: 6 March 2012).

Azab, A. M., Ning, P., Wang, Z., Jiang, X., Zhang, X. and Skalsky, N. C. (2010) HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity, Proceedings of the 17th ACM conference on Computer and communications security (CCS '10), pp. 38-49 ACM [Online]. Available at: http://discovery.csc.ncsu.edu/pubs/ccs10.pdf (Accessed: 6 March 2012).

Barret, D. and Kipper, G. (2010) Virtualization and Forensics: a Digital Forensic Investigator's Guide to Virtual Environments. Burlington (US-MA): Elsevier.

Birk, D. and Wegener, C. (2011) Technical Issues of Forensic Investigations in Cloud Computing Environments, 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (in conjunction with IEEE Security and Privacy Symposium) [Online]. Available at: http://code-foundation.de/stuff/2011-birk-cloud-forensics.pdf (Accessed: 23 February 2012).

Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J. and Brandic, I. (2008) Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility, Future Generation Computer Systems, 25(6), pp. 599–616, 2009. Available at: http://www.cloudbus.org/reports/CloudITPlatforms2008.pdf (Accessed: 6 March 2012).

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R. and Molina, J. (2009) Controlling data in the cloud: outsourcing computation without outsourcing control, Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW '09), pp. 85-90 ACM [Online]. Available at: http://dl.acm.org/citation.cfm?id=1655020 (Accessed: 6 March 2012).

ClaWSLab (2010) Cloud Forensics, Cloud and Web Service Security Lab [Online]. Available at: http://www.clawslab.org/about_Cloud_Forensic.html (Accessed: 28 February 2012).

CSA (2009) Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Cloud Security Alliance [Online]. Available at: https://cloudsecurityalliance.org/csaguide.pdf (Accessed: 6 March 2012).

Farber, D. (2008) Oracle's Ellison nails cloud computing, CNET News [Online]. Available at: http://news.cnet.com/8301-13953_3-10052188-80.html (Accessed: 6 March 2012).

Gartner (2009) Gartner Highlights Five Attributes Of Cloud Computing, Gartner’s 2009 Press Releases [Online]. Available at: http://www.gartner.com/it/page.jsp?id=1035013 (Accessed: 6 March 2012).

Gartner (2010a) Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010, Gartner’s 2010 Press Releases [Online]. Available at: http://www.gartner.com/it/page.jsp?id=1389313 (Accessed: 6 March 2012).

Gartner (2010b) Gartner Reveals Top Predictions for IT Organizations and Users for 2011 and Beyond, Gartner’s 2010 Press Releases [Online]. Available at: http://www.gartner.com/it/page.jsp?id=1862714 (Accessed: 6 March 2012).

Grobauer, B. and Schreck, T. (2010) Towards incident handling in the cloud: challenges and approaches, Proceedings of the 2010 ACM workshop on Cloud computing security workshop (CCSW '10), pp. 77-86 ACM [Online]. Available at: http://dl.acm.org/citation.cfm?id=1866850 (Accessed: 7 March 2012).

Haeberlen, A. (2010) A Case for the Accountable Cloud, ACM SIGOPS Operating Systems Review, 44 (2), pp. 52-57 ACM [Online]. Available at: http://www.cis.upenn.edu/~ahae/papers/accountable-cloud-ladis09.pdf (Accessed: 7 March 2012).

Hay, B. and Nance, K. (2008) Forensics Examination of Volatile System Data using Virtual Introspection, ACM SIGOPS Operating Systems Review, 42 (3), pp. 74-82 ACM [Online]. Available at: http://assert.uaf.edu/papers/forensicsVMI_SIGOPS08.pdf (Accessed: 8 March 2012).

Hussain, M. and Abdulsalam, H. (2011) SECaaS: Security as a Service for Cloud-based Applications, Proceedings of the Second Kuwait Conference on e-Services and e-Systems, 8, ACM [Online]. Available at: http://dl.acm.org/citation.cfm?id=2107556.2107564 (Accessed: 27 February 2012).

Johnson, R. C. (2011) Cloud Security Guaranteed by SICE, Smarter Technology [Online]. Available at: http://www.smartertechnology.com/c/a/Cloud-Computing/Cloud-Security-Guaranteed-bySICE/ (Accessed: 6 March 2012).

Li, X. and Seberry, J. (2003) Forensic Computing, Faculty of Informatics – Papers, University of Wollongong: Research Online [Online]. Available at: http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1290&context=infopapers (Accessed: 6 March 2012).

Mell, P. and Grance, T. (2011) The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology [Online]. Available at: http://csrc.nist.gov/publications/nistpubs/800145/SP800-145.pdf (Accessed: 6 March 2012).

Morrill, D. (2008) Cloud Computing Making Forensics Easier, CloudAve [Online]. Available at: http://www.cloudave.com/2887/cloud-computing-making-forensics-easier/ (Accessed: 6 March 2012).

Reilly, D., Wren, C. and Berry, T. (2010) Cloud Computing: Forensic Challenges for Law Enforcement, 2010 International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1-7 IEEE [Online]. Available at: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5678033 (Accessed: 2 March 2012).

Ristenpart, T., Tromer, E., Shacham, H. and Savage, S. (2009) Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Proceedings of the 16th ACM conference on Computer and communications security (CCS '09), pp. 199-212 ACM [Online]. Available at: http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf (Accessed: 6 March 2012).

Rothman, M. (2011) Applied Network Security Analysis: Introduction, The Securosis Blog [Online]. Available at: https://securosis.com/blog/applied-network-security-analysis-introduction (Accessed: 20 February 2012).

Ruan, K., Baggili, I., Carthy, J. and Kechadi, T. (2011b) Survey on cloud forensics and critical criteria for cloud forensic capability: A Preliminary analysis, Proceedings of the 2011 ADFSL Conference on Digital Forensics, Security and Law [Online]. Available at: http://www.cloudforensicsresearch.org/publication/Survey_on_Cloud_Forensics_and_Critical_Criteria_for_Cloud_Forensic_Capability_6th_ADFSL.pdf (Accessed: 1 March 2012).

Ruan, K., Carthy, J., Kechadi, T. and Crosbie, M. (2011a) Cloud Forensics. In: Peterson, G. and Shenoi, S. (eds.) Advances in Digital Forensics VII. Orlando (US-FL): Springer, pp. 35-46.

Sawyer, J.H. (2009) Hazy Forecast For Cloud Computing Forensics, DarkReading Blog [Online]. Available at: http://www.darkreading.com/blog/227700743/hazy-forecast-for-cloudcomputing-forensics.html (Accessed: 6 March 2012).

Taylor, M., Haggerty, J., Gresty, D. and Lamb, D. (2011) Forensic investigation of cloud computing systems, Network Security 2011(3), pp. 4-10 [Online]. Available at: http://www.whieb.com/download.jsp?address=/upload%2Fdoc%2F20110415%2Fforensic+investigation+of+cloud+computing+systems.pdf (Accessed: 5 March 2012).

Wolthusen, S.D. (2009) Overcast: Forensic Discovery in Cloud Environments, Fifth International Conference on IT Security Incident Management and IT Forensics (IMF ’09), pp. 3-9 IEEE [Online]. Available at: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5277835 (Accessed: 7 March 2012).

Zafarullah, Z., Anwar, F. and Anwar, Z. (2011) Digital Forensics for Eucalyptus, 2011 Frontiers of Information Technology (FIT), pp. 110-116 IEEE [Online]. Available at: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6137129 (Accessed: 6 March 2012).

Zimmerman, S. and Glavach, D. (2011) Cyber Forensics in the Cloud, IAnewsletter, 14 (1), pp. 4-7 IATAC [Online]. Available at: http://iac.dtic.mil/iatac/download/Vol14_No1.pdf (Accessed: 28 February 2012).
