TamForen: A tamper-proof cloud forensic framework

Cloud forensics has become increasingly critical in cloud computing security in recent years. A fundamental problem in cloud forensics is how to safely and effectively obtain, preserve, and analyze evidence. With massive cloud forensic systems and tools having been proposed over the years, we identify one challenge that is not adequately addressed in the current literature. The problem is “credibility of cloud evidence”; this is where the evidence collected in the cloud is unreliable due to its multitenancy and the multiple participants in the forensic process. In this paper, we develop a new Cloud Forensics Tamper-Proof Framework (TamForen) for cloud forensics, which can be used in an untrusted and multitenancy cloud environment. This framework relies on the cloud forensics system independent of the daily cloud activities and is implemented based on the Multilayer Compressed Counting Bloom Filter. Unlike existing cloud forensics methods that depend on the support and trust of cloud service providers, TamForen takes into account the untrustworthiness of participants in the forensics process and conducts tamper-proof protection of data in a decentralized way without violating users' privacy. We simulate a cloud forensics environment to evaluate TamForen, and the results show that TamForen is feasible.