Abstract

Digital forensics and information security have developed rapidly in order to provide consistent and satisfactory services. The digital forensic process can be broken down into three categories of activity: acquisition, analysis, and presentation. Acquisition refers to the collection of the digital media to be examined. Analysis refers to the actual examination of the media: identification, analysis, and interpretation. Presentation refers to the process by which the examiner shares the results of the analysis phase with the interested party or parties. An important part of the digital forensic process is evidence acquisition and chain of custody, that is, the process of establishing the authenticity of the events that happened during the incident. Digital forensics in cloud computing brings new technical and legal challenges (e.g. the remote nature of the evidence, the trust required in its integrity and authenticity, and the lack of physical access). The difficulties of digital forensics in cloud computing include acquisition of remote data, chain of custody, distributed and elastic data, big data volumes, and ownership. Digital forensics experts face new challenges in collecting evidence in the cloud computing environment. Evidence is often located in geographically separated data centers, and experts cannot bear the burden of travelling to acquire it. Moreover, the volume of hosted data is very large and the data is complex. For evidence to be admitted in court, the evidence collection process must guarantee evidence integrity, authenticity, non-repudiation, and sometimes confidentiality. To achieve a secure cloud forensics process, researchers have proposed many solutions in the literature, with major drawbacks in security and with high communication and computation overheads. Furthermore, received packets should be analyzed without assuming the availability of the entire original packet stream. In the literature, there are many schemes that deal with these issues.
A research group led by Ragib Hasan proposed an approach to evidence collection in the cloud environment by introducing a forensics-enabled cloud architecture (FECloud) to preserve and provide the required evidence while protecting its privacy and integrity. In 2013, Hou et al. proposed a scheme to verify data authenticity and integrity in server-aided confidential forensic investigation. Authenticity and integrity are two essential requirements for evidence admitted in court. The aims of this thesis are:

• To introduce a new concept for digital artifact acquisition in cloud computing as a consolidation of digital forensics and cloud computing. This concept guarantees a safe investigation yielding trusted digital evidence. Moreover, to review protocols that deal with data acquisition in the cloud, focusing on their security goals.

• To analyze Hou et al.'s scheme with respect to its claimed integrity and authenticity properties. Our analysis shows that Hou et al.'s scheme does not satisfy the claimed integrity and authenticity in server-aided confidential forensic investigation. To achieve authenticity, confidentiality and integrity of evidence in the cloud, we illustrate how encryption and digital signature algorithms can be combined in different designs to ensure confidentiality and chain of custody for the digital forensic process in the cloud. The Sign-Encrypt-Sign and Encrypt-Sign-Encrypt techniques are used to provide evidence confidentiality, authenticity, non-repudiation, and integrity. Furthermore, we compare two instantiations of the proposed modification to Hou et al.'s scheme (RSA and Elliptic Curve Cryptography, ECC) for building the Encrypt-Sign-Encrypt design in terms of key size and computation. ECC shows lower computation cost than RSA in the Encrypt-Sign-Encrypt implementation.

• To propose an identity-based signcryption protocol that reduces the computation, communication, and implementation overheads of collecting evidence in cloud forensics.
Signcryption protocols achieve the basic goals of encryption and signature protocols more efficiently than the Sign-Encrypt-Sign and Encrypt-Sign-Encrypt techniques. A validation of the proposed protocol using BAN logic is also presented. The proposed scheme has the following features:

- It deploys the signcryption concept to achieve both the authenticity and confidentiality goals in the evidence acquisition process.
- It utilizes Identity-Based Cryptography to overcome the problems of Public Key Infrastructure (PKI).
- The outcome of the proposed scheme is given a precise mathematical meaning in terms of the logical analysis.
- It shows lower computation cost compared to the proposed Encrypt-Sign-Encrypt design on ECC.
- Its usefulness is demonstrated by developing a generic evidence acquisition and chain of custody algorithm over public communication channels as a selected example of digital forensic analysis.

Different comparisons are carried out to evaluate the new protocol as well as our modification to Hou et al.'s scheme. The new protocol is faster and more secure than the proposed modification to Hou et al.'s scheme (Encrypt-Sign-Encrypt using ECC). Also, Encrypt-Sign-Encrypt using ECC is faster than Encrypt-Sign-Encrypt using RSA and even faster than the non-secure protocol of Hou et al. This thesis studies the area of digital forensics and information security, focusing on the cloud computing environment.
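The abstract describes an Encrypt-Sign-Encrypt design over ECC for delivering evidence from a cloud source to an investigator. The following Go program is an added illustration of that layering written for this page; it is not the thesis's code and not Hou et al.'s scheme. It assumes P-256 throughout, uses ephemeral ECDH plus AES-256-GCM as the "ECC encryption" layer (with SHA-256 of the shared secret as a stand-in KDF), ECDSA as the signature, and a constructed case identifier bound into both the AEAD and the signed digest so that a package for one case cannot be replayed into another. The party names and the byte layout are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one side's long-term keys: ECDSA P-256 (signing) and ECDH P-256 (receiving).
type Party struct {
	Sign *ecdsa.PrivateKey
	Enc  *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	s, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	e, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Party{Sign: s, Enc: e}, nil
}

const pubLen, nonceLen = 65, 12 // uncompressed P-256 point, AES-GCM nonce
// gcmFor derives AES-256-GCM from an ECDH shared secret; SHA-256 as KDF is an assumption here.
func gcmFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// ecEncrypt is the ECC encryption layer: ephemeral ECDH with the recipient's key, then
// AES-GCM with aad bound in. Layout: ephemeral pubkey || nonce || ciphertext+tag.
func ecEncrypt(to *ecdh.PublicKey, plaintext, aad []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(to)
	if err != nil { return nil, err }
	gcm, err := gcmFor(shared)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := append(eph.PublicKey().Bytes(), nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

func ecDecrypt(me *ecdh.PrivateKey, blob, aad []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen { return nil, errors.New("ciphertext too short") }
	ephPub, err := ecdh.P256().NewPublicKey(blob[:pubLen])
	if err != nil { return nil, err }
	shared, err := me.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := gcmFor(shared)
	if err != nil { return nil, err }
	return gcm.Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], aad)
}

// bind ties the signed digest to the case identifier and the inner ciphertext (anti-replay).
func bind(caseID, inner []byte) []byte {
	h := sha256.Sum256(append(append([]byte("ESE|"), caseID...), inner...))
	return h[:]
}

// EncryptSignEncrypt: the source encrypts the evidence for the investigator, signs the inner
// ciphertext, then encrypts signature||ciphertext again so the signature is hidden on the channel.
func EncryptSignEncrypt(src, inv *Party, evidence, caseID []byte) ([]byte, error) {
	inner, err := ecEncrypt(inv.Enc.PublicKey(), evidence, caseID)
	if err != nil { return nil, err }
	sig, err := ecdsa.SignASN1(rand.Reader, src.Sign, bind(caseID, inner))
	if err != nil { return nil, err }
	payload := append([]byte{byte(len(sig))}, sig...) // 1-byte length prefix (ASN.1 sig < 256 bytes)
	return ecEncrypt(inv.Enc.PublicKey(), append(payload, inner...), caseID)
}

// DecryptVerifyDecrypt peels the layers in reverse; a wrong signer, wrong case or any tampering
// is rejected before the evidence itself is decrypted.
func DecryptVerifyDecrypt(inv *Party, srcPub *ecdsa.PublicKey, blob, caseID []byte) ([]byte, error) {
	payload, err := ecDecrypt(inv.Enc, blob, caseID)
	if err != nil { return nil, fmt.Errorf("outer layer: %w", err) }
	if len(payload) < 1 || len(payload) < 1+int(payload[0]) { return nil, errors.New("malformed payload") }
	n := int(payload[0])
	if !ecdsa.VerifyASN1(srcPub, bind(caseID, payload[1+n:]), payload[1:1+n]) {
		return nil, errors.New("evidence signature invalid: authenticity/integrity check failed")
	}
	return ecDecrypt(inv.Enc, payload[1+n:], caseID)
}

func main() {
	src, _ := NewParty()
	inv, _ := NewParty()
	blob, _ := EncryptSignEncrypt(src, inv, []byte("constructed disk-image chunk"), []byte("CASE-0001"))
	out, err := DecryptVerifyDecrypt(inv, &src.Sign.PublicKey, blob, []byte("CASE-0001"))
	fmt.Printf("%q err=%v\n", out, err)
}
```

The outer layer gives confidentiality of the whole package (including who signed it), the signature gives authenticity and non-repudiation of the inner ciphertext, and the inner layer keeps the evidence confidential even from anyone who only holds the verification key. Verification happens before the inner decryption, so a forged or replayed package never reaches the stage where evidence bytes are exposed.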
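The last listed feature is a generic evidence acquisition and chain of custody algorithm. As an added example, separate from the thesis's own algorithm, the Go program below keeps chain of custody as a hash-linked ledger of signed custody events: each record carries the SHA-256 of the evidence image, the hash of the previous record, and an ECDSA P-256 signature by the actor who performed the action. The record fields, actor names and action labels are this example's assumptions, and the actors' verification keys are assumed to be distributed out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CustodyRecord is one hash-linked, signed custody event (field set assumed for this example).
type CustodyRecord struct {
	Seq      int
	Actor    string   // examiner or collector who performed and signs the action
	Action   string   // constructed labels such as "acquired", "transferred", "analysed"
	Evidence [32]byte // SHA-256 of the evidence image; must stay constant along the chain
	Prev     [32]byte // hash of the previous record, all zero for the first one
	Hash     [32]byte // SHA-256 over the fields above
	Sig      []byte   // ECDSA P-256 signature over Hash by Actor
}

// digest recomputes the record hash from its fields (Sig excluded). Actor and Action
// are assumed not to contain '|', which is used as the field separator.
func (r *CustodyRecord) digest() [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|", r.Seq, r.Actor, r.Action)
	h.Write(r.Evidence[:])
	h.Write(r.Prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Ledger is the chain of custody plus the verification keys of the known actors.
type Ledger struct {
	Records []CustodyRecord
	Keys    map[string]*ecdsa.PublicKey
}

func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Append links a new event to the chain head and signs it with the actor's key.
func (l *Ledger) Append(actor, action string, evidence []byte, key *ecdsa.PrivateKey) error {
	r := CustodyRecord{Seq: len(l.Records), Actor: actor, Action: action, Evidence: sha256.Sum256(evidence)}
	if n := len(l.Records); n > 0 {
		r.Prev = l.Records[n-1].Hash
	}
	r.Hash = r.digest()
	sig, err := ecdsa.SignASN1(rand.Reader, key, r.Hash[:])
	if err != nil {
		return err
	}
	r.Sig = sig
	l.Records = append(l.Records, r)
	return nil
}

// Verify walks the whole chain: sequence numbers, hash links, recomputed hashes,
// an unchanged evidence hash, and a valid signature from a known actor on every record.
func (l *Ledger) Verify() error {
	var prev [32]byte
	for i, r := range l.Records {
		if r.Seq != i {
			return fmt.Errorf("record %d: unexpected sequence %d", i, r.Seq)
		}
		if r.Prev != prev {
			return fmt.Errorf("record %d: link to previous record broken", i)
		}
		if r.Hash != r.digest() {
			return fmt.Errorf("record %d: contents do not match stored hash", i)
		}
		if i > 0 && r.Evidence != l.Records[i-1].Evidence {
			return fmt.Errorf("record %d: evidence hash changed while in custody", i)
		}
		pub, ok := l.Keys[r.Actor]
		if !ok || !ecdsa.VerifyASN1(pub, r.Hash[:], r.Sig) {
			return fmt.Errorf("record %d: no valid signature from %q", i, r.Actor)
		}
		prev = r.Hash
	}
	return nil
}

func main() {
	kA, _ := NewKey()
	l := &Ledger{Keys: map[string]*ecdsa.PublicKey{"collector": &kA.PublicKey}}
	_ = l.Append("collector", "acquired", []byte("constructed evidence image bytes"), kA)
	fmt.Println("ledger valid:", l.Verify() == nil)
}
```

Each signature gives non-repudiation for one custody step, the hash links make any edit to an earlier record visible in every later one, and the evidence-hash continuity check is what ties the chain to the acquired image rather than to the records alone.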