BCFL logging: An approach to acquire and preserve admissible digital forensics evidence in cloud ecosystem

Log files are the primary source of recording users, applications and protocols, activities in the cloud ecosystem. Cloud forensic investigators can use log evidence to ascertain when, why and how a cyber adversary or an insider compromised a system by establishing the crime scene and reconstructing how the incident occurred. However, digital evidence acquisition in a cloud ecosystem is complicated and proven difficult, even with modern forensic acquisition toolkit. The multi-tenancy, Geo-location and Service-Level Agreement have added another layer of complexity in acquiring digital log evidence from a cloud ecosystem. In order to mitigate these complexities of evidence acquisition in the cloud ecosystem, we need a framework that can forensically maintain the trustworthiness and integrity of log evidence. In this paper, we design and implement a Blockchain Cloud Forensic Logging (BCFL) framework, using a Design Science Research Methodological (DSRM) approach. BCFL operates primarily in four stages: (1) Process transaction logs using Blockchain distributed ledger technology (DLT). (2) Use a Blockchain smart contract to maintain the integrity of logs and establish a clear chain of custody. (3) Validate all transaction logs. (4) Maintain transaction log immutability. BCFL will also enhance and strengthen compliance with the European Union (EU) General Data Protection Regulation (GDPR). The results from our single case study will demonstrate that BCFL will mitigate the challenges and complexities faced by digital forensics investigators in acquiring admissible digital evidence from the cloud ecosystem. Furthermore, an instantaneous performance monitoring of the proposed Blockchain cloud forensic logging framework was evaluated. BCFL will ensure trustworthiness, integrity, authenticity and non-repudiation of the log evidence in the cloud. (C) 2021 Elsevier B.V. All rights reserved.