Models for the Forensic Monitoring of Cloud Virtual Machines

With the prevalence of cloud computing and the "as a Service" delivery paradigm, the need has arisen for the ability to conduct an effective digital forensic investigation on these systems. Linked to this is the concept of forensic readiness, which when implemented correctly, makes it possible to conduct a credible forensic investigation on such large scale systems. This paper proposes five models that will enable forensic monitoring, that with their application will facilitate forensic readiness. These models are designed in a manner that data from guest virtual machines can be captured and stored should the need for forensic investigations arise. The cloud hypervisor plays a pivotal role hosting of the guest virtual machines and thus its native abilities are expanded on to make it possible to capture, catalogue and store information of the guest virtual machines. With the research already done in the field of forensic readiness of cloud computing systems, these models can serve as a possible implementation solution for further research into the field. Five models were chosen as it is the number of places where a forensic monitor can be implemented by a cloud service provider on standard cloud architecture. The proposed models can be implemented on the guest virtual machine operating system, the cloud hypervisor, the communication layer between the cloud operating system and hypervisor, and as a single or multi-tenant forensic virtual machine. Because of the cost associated with implementing new hardware, the proposed models are all software based and can be implemented with existing cloud infrastructures without the need to change hardware configurations. For the purposes of this paper a forensic investigation is of a corporate nature where fraud or disaster recovery is the primary motivation. With the case of government security agency involvement a different motivation would apply which is not relevant to this paper.