Design and Implementation of a forensic framework for Cloud in OpenStack cloud platform

In this paper, a forensic framework has been developed to do cloud forensics in OpenStack for infrastructure as a service model using the existing forensic tools. For the instances which have been allotted to the user, the snapshots of volatile random access memory and image from the hard disk (cinder) in the specific path where it is mounted on should be acquired to do forensics. Adding to internal, external and floating ip address, for every task or modification a cloud end user does through the cloud api or dashboard (in OpenStack cloud platform), packets get transferred through ISP and then the changes get updated in the cloud setup. So network forensics is an integral part of cloud forensics. Our forensic framework obtains live snapshots, image evidences, packet captures and log evidences and does analysis on it. Simulation is carried out through Digital forensic framework on image files of block storage and live snapshots, Wireshark on raw network captures, XML and Java for structuring log files. Cloud forensic process for image acquisition and analysis has been defined by steps used in simulation. Two scenarios of integrity checking in object storage has been simulated through JSch are detailed. Discussion on finding various attacks happened from the evidences obtained is elaborated.