CLASS: Cloud Log Assuring Soundness and Secrecy Scheme for Cloud Forensics
User activity logs can be a valuable source of information in cloud forensic investigations; hence, ensuring the reliability and integrity of such logs is crucial. Most existing solutions for secure logging are designed for conventional systems rather than the complexity of a cloud environment. In this paper, we propose the Cloud Log Assuring Soundness and Secrecy (CLASS) process as an alternative scheme for securing logs in a cloud environment. In CLASS, logs are encrypted using the individual user’s public key so that only the user is able to decrypt the content. In order to prevent unauthorized modification of the log, we generate proof of past log (PPL) using Rabin’s fingerprint and Bloom filter. Such an approach reduces verification time significantly. Findings from our experiments deploying CLASS in OpenStack demonstrate the utility of CLASS in a real-world context.
Due to the inherent nature of cloud technologies, conventional digital forensic procedures and tools need to be updated to retain the same usefulness and applicability in a cloud environment. Unlike a conventional client device, cloud virtual machines (VMs) can be supported by hardware that might be located remotely and thus would not be physically accessible (e.g. out of the jurisdictional territory) to an investigator. In addition, VMs can be distributed across multiple physical devices in a clustered environment or they can exist within a pool of VMs on the same physical components. Therefore, seizing the machine for forensic analysis is not viable in most investigations. Furthermore, data residing in a VM may be volatile and could be lost once the power is off or the VM terminates. Hence, the cloud service provider (CSP) plays a crucial role in the collection of evidential data (e.g. cloud user’s activity log from the log). For example, the CSP writes the activity log (cloud log) for each user. Thus, preventing modification of the logs, maintaining a proper chain of custody and ensuring data privacy are crucial.
• Seizing the machine for forensic analysis is not viable in most investigations.
• Data residing in a VM may be volatile and could be lost once the power is off or the VM terminates.
• Thus, preventing modification of the logs, maintaining a proper chain of custody and ensuring data privacy are crucial.
By extending SecLaaS, we propose a secure cloud logging scheme, Cloud Log Assuring Soundness and Secrecy (CLASS), designed to ensure CSP accountability (i.e. writing the correct information to the log) and preserve the user’s privacy (i.e. our contribution in this paper). Specifically, we include the capability for the user to verify the accuracy of their log. To do this, the log will be encrypted using the user’s public key (rather than the agency’s public key). To avoid introducing unnecessary delays to the forensic investigation, during user registration with the cloud service, both the CSP and the user will collectively choose a public/private key pair referred to as content concealing key (CC-key) for the user. The corresponding (content concealing) private key will be shared with other CSPs using Shamir’s or Blakley’s secret sharing schemes. This would allow the private key to be regenerated whenever necessary. We also demonstrate how we can leverage Rabin’s fingerprint and Bloom filter in PPL generation to establish log veracity. We then implement CLASS in OpenStack and evaluate its performance.
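A simplified sketch of the PPL idea described above, added here as an illustration and not the paper's construction or code: each (already encrypted) log entry is reduced to a Rabin fingerprint, the fingerprint sets bits in a Bloom filter, and a later membership check shows whether an entry was present when the filter was built. The polynomial, filter size, hash count, function names and sample entries are all assumptions.

```python
# Added illustration: simplified proof of past log (PPL) from Rabin
# fingerprints and a Bloom filter. All parameters below are assumptions.
POLY = (1 << 64) | 0x1B  # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)
M_BITS = 1024            # Bloom filter size in bits
K_HASHES = 4             # bit positions set per entry

SAMPLE_LOG = [  # constructed stand-ins for encrypted log entries
    b"2024-01-05T10:00:01Z user=alice vm=vm-17 action=start",
    b"2024-01-05T10:04:44Z user=alice vm=vm-17 action=attach-volume",
    b"2024-01-05T11:30:09Z user=alice vm=vm-17 action=terminate",
]

def rabin_fingerprint(data: bytes) -> int:
    """Remainder of the message polynomial modulo POLY over GF(2)."""
    fp = 1  # leading 1 bit so that leading zero bytes change the result
    for byte in data:
        for shift in range(7, -1, -1):
            fp = (fp << 1) | ((byte >> shift) & 1)
            if fp >> 64:  # degree reached 64, subtract (XOR) the modulus
                fp ^= POLY
    return fp

def _positions(fp: int) -> list:
    """Derive K_HASHES filter positions from one fingerprint."""
    h1, h2 = fp & 0xFFFFFFFF, (fp >> 32) | 1  # odd step: distinct positions
    return [(h1 + i * h2) % M_BITS for i in range(K_HASHES)]

def build_ppl(entries) -> int:
    """Bloom filter (as an int bitmap) over the fingerprints of all entries."""
    bloom = 0
    for entry in entries:
        for pos in _positions(rabin_fingerprint(entry)):
            bloom |= 1 << pos
    return bloom

def in_ppl(bloom: int, entry: bytes) -> bool:
    """False: entry was not logged. True: logged, up to a false positive."""
    return all((bloom >> pos) & 1 for pos in _positions(rabin_fingerprint(entry)))

if __name__ == "__main__":
    ppl = build_ppl(SAMPLE_LOG)
    tampered = SAMPLE_LOG[2].replace(b"terminate", b"stop")
    print("original entry verifies:", in_ppl(ppl, SAMPLE_LOG[2]))
    print("tampered entry verifies:", in_ppl(ppl, tampered))
```

A Bloom filter never yields a false negative, so a failed check is conclusive, while a passing check carries a false-positive probability that depends on the filter size and the number of entries.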
Thus, in this paper, we proposed a secure logging scheme (CLASS) for cloud computing with features that facilitate the preservation of user privacy and that mitigate the damaging effects of collusion among other parties. CLASS preserves the privacy of cloud users by encrypting cloud logs with a public key of the respective user while also facilitating log retrieval in the event of an investigation. Moreover, it ensures accountability of the cloud server by allowing the user to identify any log modification. This has the additional effect of preventing a user from repudiating entries in his own log once the log has had its PPL established. Our implementation on OpenStack demonstrates the feasibility and practicality of the proposed scheme. The experimental results show an improvement in efficiency thanks to the features of the CLASS scheme, particularly in the verification phase.