Research Proposal - University of South Australia

Research Proposal
Investigating a private Ubuntu Enterprise Cloud system
Suntisak Thammavongsa
100093531
THASY022
Bachelor of Information Technology (Honours)
Supervisor: Dr Raymond Choo
Co-Supervisor: Matthew Simon
12th June 2011
School of Computer and Information Science
University of South Australia
Abstract
Recently, the term “cloud computing” has come to the attention of many people as major
technology companies such as Amazon, Google, Microsoft and Apple are now offering cloud
computing services. Many believe that cloud computing will become the next mainstream
architecture of corporate information systems in the near future for various beneficial reasons
including cost savings and improved business outcomes. Meanwhile, security in cloud computing is
also a hot topic as it is still a major concern for many organizations considering adopting the new
technology. For digital forensic investigators, keeping up with advances in technology is an essential
responsibility. As new technologies emerge, practical guidelines for new systems or software
applications will be useful sources of information. However, published practical guidelines for cloud
forensics are still rare. With many competing cloud computing platforms in the market, Ubuntu
Enterprise Cloud (UEC) is the focus of this research because it is a widely known open source cloud
computing platform that employs the most popular common standards such as Amazon Application
Programming Interfaces (APIs) (Canonical 2011a). The research will consist of desk-based research as
well as laboratory-based research. The desk-based research is about gathering the theoretical
knowledge needed for the investigation of the system and the laboratory-based research is for
developing practical skills by building a sample private cloud system, performing penetration testing
and examining the system for evidence. From this research, we hope to contribute a practical
guideline that shows how the system could be configured for forensic readiness, where to look for
evidence, and any challenges that may exist.
Table of Contents
Abstract
Introduction
  Research Question
  Field of Thesis
Literature Review
  Digital Forensics
  Cloud Computing
  Cloud Forensics and Related Works
Research Methodology
  Desk-based Research
  Laboratory-based Research
  Expected Outcome
Research Schedule
Trial Table of Contents
Appendix A – System Specifications
Glossary
References
Bibliography
Introduction
Digital forensics is a multi-disciplinary science. A digital forensic professional requires a synergy of
skills including information technology security, forensic science, criminal justice and law. This
discipline has numerous sub-branches such as network forensics, mobile device forensics, and email
forensics. Recently, with the growing popularity of cloud computing, cloud forensics is becoming
another specialized area of digital forensics. This emerging specialty refers to the recovery of digital
evidence from cloud systems in a forensically sound manner. While cloud systems present new
challenges to forensic investigators, so far there appear to be few published guidelines that
specifically address the conduct of forensic investigation of cloud systems. Therefore, the aim of this
research project is to study and produce a practical investigation guideline for a specific cloud
computing platform. Ubuntu Enterprise Cloud (UEC) is an open source implementation of cloud
computing that enables organizations to build their own private cloud systems. It is the chosen
platform for this research because it supports the most popular common standards such as Amazon
Application Programming Interfaces (APIs). UEC also receives regular security updates and has strong
community support with active mailing lists and forums (DistroWatch 2011; Canonical 2011).
Therefore, its use could become widespread and in turn it could be one of the cloud systems that forensic
investigators will run into. The next section presents the main research question and the
sub-research questions that we’re focusing on. This is followed by a literature review, which will
introduce the key concepts of the topic, and discuss various issues and related works in the area.
After that, we will explain the research method that we’re going to employ and also provide a
research schedule as well as a trial table of contents of the final thesis.
Research Question
How to investigate a private Ubuntu Enterprise Cloud system?
Sub-research question one (SRQ1): What are the artefacts that a forensic investigator may
examine for evidence?
Sub-research question two (SRQ2): What are the challenges of the investigation of such a
system?
Sub-research question three (SRQ3): How may a system administrator configure their
system for forensic readiness?
Field of Thesis
Cloud Forensics
Literature Review
Digital Forensics
When crimes involve the use of digital devices in some way, these digital devices could become
repositories of information that may be used as evidence to convict persons of crimes. Digital
forensics has risen out of the need to use digital evidence and has since become an essential service
for law enforcement in the fight against modern crimes.
In order for digital evidence to be used in a court of law, a number of rules have been
established for investigators to follow so that the evidence collected will satisfy the legal
requirements and is not seen as something mistakenly understood or fraudulently planted to make
someone appear guilty. As explained by McKemmish (1999), the first rule is minimal handling of
the original, which is about minimizing changes made to the original, as changes could affect the final
outcome. To do that, techniques like producing a duplicate of the evidence and hashing are
commonly used. The second rule is to account for any changes: sometimes changes are inevitable
during the examination process, but these changes must be properly documented with sufficient
reasons and explanations of their causes and effects. The third rule is to comply with the rules of
evidence, which concerns the techniques and tools employed in the investigation as well as the
methods of presenting the evidence. The tools need to be analysed, tested and qualified by law, and
the way the evidence is presented must not alter the original meaning of the evidence. Finally, the
fourth rule is not to exceed one’s knowledge. The rule requires that the investigator possesses
sufficient knowledge and skills of the system under investigation. This is to provide confidence
that there are no misinterpretations or unnoticed changes in the investigation process when
presenting the evidence in court.
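The first two rules can be illustrated in code. The following is an added example, not part of the original proposal: it duplicates an evidence file while hashing it, verifies the working copy, and keeps a hash-chained log of every change. The file names, the log format and the examiner label are assumptions made for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images never sit in memory
GENESIS = "0" * 64   # "previous hash" used by the first log entry


def sha256_file(path):
    """Hash a file through a read-only handle."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record(log_path, examiner, action, item, item_hash, reason):
    """Append one entry to the examination log (rule 2: account for any change).

    Each entry stores the SHA-256 of the previous log line, so editing or
    removing an entry that has later entries after it breaks the chain.
    """
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": os.path.basename(item),
        "sha256": item_hash,
        "reason": reason,
        "prev": prev,
    }
    with open(log_path, "a", encoding="ascii", newline="\n") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path):
    """Return True if every entry's 'prev' matches the hash of the line before it."""
    prev = GENESIS
    with open(log_path, "rb") as fh:
        for line in fh.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True


def acquire(original, working_copy, log_path, examiner):
    """Rule 1: read the original once, read-only, and work on a verified duplicate."""
    digest = hashlib.sha256()
    # "xb" refuses to overwrite an existing working copy.
    with open(original, "rb") as src, open(working_copy, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            dst.write(chunk)
    original_hash = digest.hexdigest()
    if sha256_file(working_copy) != original_hash:
        raise IOError("working copy does not match the original")
    record(log_path, examiner, "acquire", working_copy, original_hash,
           "duplicate created and verified against the original")
    return original_hash


def demo():
    """Run the workflow on constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        copy = os.path.join(d, "working_copy.img")
        log = os.path.join(d, "examination.log")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample evidence\n" * 1000)
        baseline = acquire(original, copy, log, "examiner-1")
        copy_matches = sha256_file(copy) == baseline
        # Simulate an unavoidable change to the working copy, then document it.
        with open(copy, "ab") as fh:
            fh.write(b"\x00")
        new_hash = sha256_file(copy)
        record(log, "examiner-1", "modify", copy, new_hash,
               "constructed example: a tool appended one byte to the working copy")
        with open(log, "rb") as fh:
            entries = len(fh.read().splitlines())
        return {
            "copy_matches_original": copy_matches,
            "change_detected": new_hash != baseline,
            "original_intact": sha256_file(original) == baseline,
            "log_entries": entries,
            "log_chain_ok": verify_log(log),
        }


if __name__ == "__main__":
    print(demo())
```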
Traditionally, digital forensics may be seen as a discipline that serves only law enforcement.
Nowadays, however, digital forensics services are becoming more common in corporate
environments as part of organizations’ security strategies. According to Hilley (2004), digital
forensics in corporate environments is used in areas such as fraud, money laundering, the accessing
or distribution of pornography, or harassment. Non-serious cases can usually be resolved under the
organization’s policy and disciplinary procedure, while serious cases such as money laundering and
child pornography must by law be reported to the police by the company. Nevertheless, the
forensic investigation process in a corporate environment will still need to satisfy the same
requirements to preserve the integrity of the investigation so that the organization’s actions are
justified.
Cloud Computing
In the literature, cloud computing is often seen as a new paradigm of computing environment. A
cloud system may be briefly described as a distributed computer system that leverages virtualization
technology to deliver computing services to users over a network connection (Grossman 2009). The
fundamental idea behind this new computing architecture shift is that advances in virtualization and
various network communication technologies have enabled a better way to share scalable
computing resources. This has presented a new business opportunity of offering various innovative
computing services such as online applications, remote storage services and computer instances on
demand. Depending on the design and the type of cloud system, the most commonly discussed
benefits of cloud computing technology include scalable computing resources, quick setup, the
portability of online applications as well as some other more controversial advantages such as lower
initial capital investment, lower running costs, and better security (Grossman 2009; Sultan 2010).
Cloud computing may deliver services to users in a number of ways. Cloud computing can provide
Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
SaaS provides users with finished software applications built on a particular cloud platform. Without
having to install the application on local computers, users access SaaS applications over the Internet
with client software like a web browser. Examples of SaaS applications include Google Docs and
Dropbox. PaaS enables users to build SaaS applications with the provision of basic operating
software and optional services. Google App Engine and Windows Azure are examples of PaaS
offerings. IaaS provides users with only the underlying infrastructure including server hardware,
storage and bandwidth and other fundamental computing resources. For example, users can rent a
machine instance with complete access to all features of the operating system from Amazon EC2
services. Cloud computing may also be categorized in different deployment models. Cloud systems
can be public or private. Public cloud, as the name suggests, is designed to offer services to the open
public whereas private cloud is used internally by a single organization.
Despite all the widely discussed benefits, cloud computing is not without criticism and concerns.
Security, being one of the greatest challenges of all IT systems, has also been a hot research topic in
cloud computing. This is especially so in the case of public clouds, because sensitive data are kept with
the provider and public clouds are usually high-profile targets for hackers. On top of that, new
systems mean new vulnerabilities and other security challenges. Trusted Computing Group (2010)
identifies six areas of security challenges in cloud computing: virtualization isolation security issues,
authentication and authorization, security of data at rest, security of data in transit or execution,
incident response, and legal and regulatory issues. In recent years, various security vulnerabilities in
cloud computing have been pointed out by researchers. These security exploits include
breaking out of the virtual environment, infecting the hypervisor with malware, hosting botnets on the
cloud, and using the cloud to launch brute-force and other attacks (Choo 2010).
Cloud Forensics and Related Works
The principles of digital forensic investigation should be practiced in any computing environment.
Cloud forensics is no exception. Forensic investigators are facing additional challenges in
both technical and legal aspects in cloud computing environments. They need to update their
knowledge and skills, and adapt their traditional forensic practices, techniques and tools to suit
investigations of the new environment. Nevertheless, currently there do not seem to be many
published practical guidelines for cloud forensics to support forensic investigators.
This research will follow the model of the work by Barrett & Kipper (2010). The authors offer
practical guidelines on how to investigate dead and live virtual machines that run on a single
computer. They explain what changes are made to the system when various virtual machines are
installed, what artefacts may hold useful information, and what procedure to take when examining
the system. However, their work only covers commercial products that run on a Windows host, such
as VMware and Microsoft VirtualPC.
Some other work addresses cloud forensics in general without focusing on any particular platform.
Taylor et al (2011) look at challenges of forensic investigations of cloud systems. Depending on the
deployment model of the cloud system, whether it is a public or private cloud, the challenges will
vary. They explain that while evidence acquisition in a private cloud may be as straightforward as in
the traditional environment, the process could be much more complex and time consuming in a
large public cloud environment. This is because a large public cloud provider may have distributed
datacentres in different jurisdictions. Another challenge is that data may be stored across a large
number of devices. There is also the issue of impact on other users in a public cloud
system. These make it much more difficult to pinpoint the sources of potential evidence and the
physical devices that hold the data of interest. In order to overcome these challenges, the authors
suggest legislation that requires cloud operators to keep audit trails of user activities and records
of events.
Another associated piece of work is about the application of network forensics in cloud environments
(Lillard et al 2010). The authors explain that cloud computing has changed the ways security controls
are implemented to protect digital assets and how forensic investigations are conducted. They
highlight the importance of understanding the design philosophies employed by different service
providers as these design philosophies will determine the limitations on forensic investigations.
Although there are commonalities among different designs, the unique characteristics of the chosen
system need to be well understood for forensic analysis to be most effective. The authors also
suggest that while the standard incident response process should still be followed, additional
consideration on how to manage and monitor the system for forensic purposes needs to be
incorporated in the plan.
Another paper related to digital forensics in general focuses on the increasingly common attacks
designed against forensic analysis (Casey 2008). The author points out that modern cybercrimes are
becoming more sophisticated than ever before, and various anti-forensic techniques have been
employed by hackers to undermine investigations. For a while, a forensic examination that
involved the recovery of lost data on hard drives, the analysis of data collected by firewalls and
intrusion detection systems and the use of reverse software engineering techniques
would have sufficiently helped reveal the activities carried out and damage caused by the intruders
and malware. However, today hackers have taken their attacks to new levels of sophistication. These
techniques and tools may no longer suffice. Anti-forensic measures such as overwriting files to
prevent the recovery of evidence, anti-debugging mechanisms to prevent reverse software
engineering, and encrypting network traffic to prevent detection and prolong the analysis have
made the traditional practices, techniques and tools less effective.
While there are many competing cloud computing platforms in the market, Ubuntu Enterprise Cloud
(UEC) supports the most popular common standards such as Amazon APIs. The platform receives
regular security updates and has strong community support with active mailing lists and forums
(DistroWatch 2011; Canonical 2011). This means that not only is there a good chance that forensic
investigators will encounter this system but the study of this platform will also provide a good
foundation for any further research in cloud forensics. So far, little practical forensics-related how-to
material for UEC has been found. Therefore, producing a practical forensic guideline for this particular cloud
platform could be a worthwhile research contribution.
Research Methodology
The research methodology for this project consists of two phases. The initial phase of the project is
desk-based research, gathering knowledge for the practical work in the second phase. In the second
phase, we will install and configure a small private cloud system in a laboratory environment. This
phase will enable us to gain a better understanding of how the system works and perform an
investigative analysis on an actual system to confirm the knowledge.
Desk-based Research
The goal of this phase is to build a fundamental understanding of how the system works. We will
need to learn how to install and configure the system, how to secure and configure the system for
forensic readiness as well as where we can look for evidence.
The official Ubuntu and Eucalyptus websites provide a good source of documentation on the
products. Online forums and other community hosted websites are also useful sources of knowledge,
where we can find answers to common problems relating to system installations and configurations.
A website like that of the Cloud Security Alliance offers a guideline on how to secure a cloud
system. Other published sources will also be consulted for general forensic practices, techniques and
tools as well as the intrusion response process (see Bibliography). The latest knowledge in IT security
doesn’t always get peer-reviewed and officially published. Therefore, the validity of all information
obtained from these sources will be tested in the second phase of practical implementation.
In this desk-based research phase, we aim to address the following areas:
Understand the architecture of Ubuntu Enterprise Cloud
Determine a system configuration plan for security and forensic readiness
Identify the artefacts to be examined for evidence
Identify any possible challenges of the investigation
Laboratory-based Research
In this phase, we will build a sample private cloud system so that we can put the theoretical
knowledge to the test. All software applications used in this project will be limited to those under
General Public Licenses (GPLs) and Berkeley Software Distribution (BSD) licenses. This study will
exclude the examination of any external security controls such as a separate firewall device or
intrusion detection system.
To simplify the environment, the system will be set up to run two typical corporate servers, a web
server and a file server, and provide IaaS-style desktop access to end users (see Appendix A for
system specifications). The web server is used to host the company’s website for public access. The
website is mainly informational and has a visitor book web application. The file server is for internal
use to provide remote file storage and sharing. Three groups of users representing three
departments named A, B and C will be given full access to their own storage area while they’re
restricted from accessing the other departments’ storage areas on this file server. We will then
create a scenario where an internal employee is trying to steal confidential corporate data from the
file server. A fellow student with some IT security background will be asked to perform this
penetration testing. The fellow student will play two roles: an employee of department B and
another employee of department C. His goal is to compromise the cloud system and steal data from
the storage area of department A. This setup aims to create an environment where an unscrupulous
employee has a number of different attack vectors to try. After two weeks of attack attempts,
regardless of the result of the penetration testing, we will then examine the cloud system and try to
collect evidence of such malicious activities.
Expected Outcome
After carrying out both phases of the research, we are expecting to have enough information to
produce a practical investigation guideline for a private Ubuntu Enterprise Cloud system. The
guideline will include a discussion on how a system administrator may prepare the system for
forensic readiness, the identification of artefacts to be examined for evidence, and any challenges
that investigators may encounter.
Research Schedule
| Period | Task |
|---|---|
| Early Mar 2011 | Identify research interest and find supervisor |
| Mar 2011 | Work on annotated bibliography |
| Early Apr 2011 | Determine research topic |
| Late Apr 2011 – 26 May 2011 | Review literature & prepare research proposal |
| 27 May 2011 – 30 May 2011 | Prepare presentation |
| 31 May 2011 | Give presentation |
| 1 Jun 2011 | Prepare research proposal continued |
| 10 Jun 2011 | Submit research proposal |
| 11 Jun 2011 – 3 Jul 2011 | Desk-based research |
| 4 Jul 2011 – 20 Jul 2011 | Away |
| | Laboratory-based research: Install and configure system |
| 18 Jul 2011 – 31 Jul 2011 | Desk-based research continued |
| | Perform penetration testing |
| 1 Aug 2011 – 19 Aug 2011 | Desk-based research continued |
| 20 Aug 2011 – 16 Sep 2011 | Examine system |
| 17 Sep 2011 – 2 Oct 2011 | Prepare thesis first draft |
| 3 Oct 2011 – 23 Oct 2011 | Prepare subsequent drafts |
| 24 Oct 2011 | Submit thesis for review |
| 31 Oct 2011 – 6 Nov 2011 | Review thesis based on feedback |
| 7 Nov 2011 | Submit final bound copy of thesis |
Trial Table of Contents
i. Abstract
ii. Acknowledgement
iii. Table of Contents
Chapter 1. Overview
1.1 Introduction
1.2 Research Question
Chapter 2. Literature Review
2.1 Digital Forensics
2.2 Cloud Computing
2.3 Cloud Forensics and Related Works
Chapter 3. Research Methodology
3.1 Project Scope
3.2 Desk-based research
3.3 Laboratory-based research
3.4 Expected outcome
Chapter 4. Laboratory-based research outcome
4.1 UEC Architecture Overview
4.2 System Configurations
4.3 Investigation outcome
Chapter 5. Practical Guideline
5.1 For system administrators
5.2 For forensic investigators
Chapter 6. Conclusion
6.1 Summary of research activities
6.2 Concluding remarks
Appendix
Glossary
References
Appendix A – System Specifications
We will use a topology with two physical systems. This configuration puts all of the user-facing
components (CLC/Walrus) and back-end control components (CC/SC) on a single system, and uses
the second for VM hosting (NC).
Machine 1 (CLC/Walrus/CC/SC)

| Hardware | Minimum | Suggested | Notes |
|---|---|---|---|
| CPU | 1GHz | 2 x 2GHz | For an all-in-one front end, it helps to have at least a dual core processor |
| Memory | 2GB | 4GB | The Java web front end benefits from lots of available memory |
| Disk | 5400RPM IDE | 7200RPM SATA | Slower disks will work, but will yield much longer instance startup times |
| Disk Space | 40GB | 200GB | 40GB is only enough space for a single image, cache, etc.; Eucalyptus does not like to run out of disk space |
| Networking | 100Mbps | 1000Mbps | Machine images are hundreds of MB, and need to be copied over the network to nodes |

Machine 2 (NC)

| Hardware | Minimum | Suggested | Notes |
|---|---|---|---|
| CPU | VT extensions | VT, 64-bit, Multicore | 64-bit can run both i386 and amd64 instances; by default, Eucalyptus will only run 1 VM per CPU core on a Node |
| Memory | 1GB | 4GB | Additional memory means more, and larger guests |
| Disk | 5400RPM IDE | 7200RPM SATA or SCSI | Eucalyptus nodes are disk-intensive; I/O wait will likely be the performance bottleneck |
| Disk Space | 40GB | 100GB | Images will be cached locally; Eucalyptus does not like to run out of disk space |
| Networking | 100Mbps | 1000Mbps | Machine images are hundreds of MB, and need to be copied over the network to nodes |
Glossary
Anti-debugging: The implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.
API (Application Programming Interface): A set of functions that a programme or person can use to send requests to and receive results from another programme.
AWS (Amazon Web Services): A collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com.
Brute-force attacks: A strategy used against encrypted data. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.
Digital Forensics: The process of identifying, preserving, analysing and presenting digital evidence under forensically sound conditions.
Dropbox: A Web-based file hosting service operated by Dropbox, Inc.
Electronic evidence: Evidence in digital or electronic form, such as e-mail, computer files, and instant messages.
Email forensics: A sub-branch of digital forensics relating to recovery of digital evidence or data from emails on the client and server systems, including deleted emails, calendars and contacts.
Encrypting: The process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
Eucalyptus: A software platform for the implementation of private cloud computing on computer clusters.
File server: A computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files that can be accessed by the workstations that are attached to the computer network.
Firewall: A piece of software, a device or set of devices designed to permit or deny network transmissions based upon a set of rules; it is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
Google Docs: Web-based word processor, spreadsheet, slide show, form, and data storage service offered by Google.
Hackers: Persons who break into computers and computer networks for profit, as protest, or sometimes motivated by the challenge.
Hypervisor: Also called virtual machine manager, it is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.
Intrusion detection system: A piece of software, a device or set of devices designed to monitor network and/or system activities for malicious activities or policy violations and produce reports to a Management Station.
Malware (malicious software): Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.
Mobile device forensics: A sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.
Network forensics: A sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection.
Penetration testing: A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
REST (Representational State Transfer): A style of software architecture for distributed hypermedia systems such as the World Wide Web.
UEC (Ubuntu Enterprise Cloud): An edition of the Linux-based Ubuntu operating system for cloud computing platforms.
Virtualization: The creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.
VMware: A commercial virtualization software product.
Vulnerabilities: Weaknesses which allow an attacker to reduce a system's information assurance.
Web Server: It can refer to either the hardware (the computer) or the software (the computer application) that helps to deliver content that can be accessed through the Internet.
References
Barrett, D & Kipper, G 2010, 'Investigating Dead Virtual Environments', Virtualization and Forensics,
Syngress, Boston, pp. 83-107.
Barrett, D & Kipper, G 2010, 'Investigating Live Virtual Environments', Virtualization and Forensics,
Syngress, Boston, pp. 109-128.
Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.
Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and
criminal justice, vol. 400.
Canonical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011,
<http://www.ubuntu.com/business/cloud/deploy-anywhere>.
Canonical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011,
<http://www.ubuntu.com/business/cloud/secure-and-robust>.
DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011,
<http://distrowatch.com/dwres.php?resource=major>.
Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.
Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security,
vol. 2006, no. 6, pp. 14-16.
Hilley, S 2004, 'The corporation: the non-policed state', Infosecurity Today, vol. 1, no. 6, pp. 36-37.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010, 'What Is Network Forensics?', Digital Forensics
for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.
McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.
Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems',
Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.
Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing
systems', Network Security, vol. 2011, no. 3, pp. 4-10.
Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted
Computing Group, viewed 24 March 2011,
<http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.
Bibliography
Barrett, D & Kipper, G 2010a, 'Cloud Computing and the Forensic Challenges', Virtualization and
Forensics, Syngress, Boston, pp. 197-209.
Barrett, D & Kipper, G 2010b, 'Investigating Dead Virtual Environments', Virtualization and Forensics,
Syngress, Boston, pp. 83-107.
Barrett, D & Kipper, G 2010c, 'Investigating Live Virtual Environments', Virtualization and Forensics,
Syngress, Boston, pp. 109-128.
Barrett, D & Kipper, G 2010d, 'Virtualization Challenges', Virtualization and Forensics, Syngress,
Boston, pp. 175-195.
Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.
Casey, E, Daywalt, C & Johnston, A 2010, 'Intrusion Investigation', in Eoghan, C (ed), Handbook of
Digital Forensics and Investigation, Academic Press, San Diego, pp. 135-206.
Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and
criminal justice, vol. 400.
Canonical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011,
<http://www.ubuntu.com/business/cloud/deploy-anywhere>.
Canonical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011,
<http://www.ubuntu.com/business/cloud/secure-and-robust>.
Cyber Security Operation Centre 2011, Cloud Computing Security Considerations, Department of
Defence Intelligence and Security, viewed 29 May 2011,
<http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf>.
DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011,
<http://distrowatch.com/dwres.php?resource=major>.
Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.
Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security,
vol. 2006, no. 6, pp. 14-16.
Hilley, S 2004, 'The corporation: the non-policed state', Infosecurity Today, vol. 1, no. 6, pp. 36-37.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010a, 'Incorporating Network Forensics into Incident
Response Plans', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp.
221-274.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010b, 'Other Network Evidence', Digital Forensics
for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 59-92.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010c, 'What Is Network Forensics?', Digital Forensics
for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.
McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.
Nick, JM, Cohen, D & Kaliski, BS 2010, 'Key Enabling Technologies for Virtual Private Clouds', in Furht,
B & Escalante, A (eds), Handbook of Cloud Computing, Springer US, pp. 47-63.
Reilly, D, Wren, C & Berry, T 2010, 'Cloud computing: Forensic challenges for law enforcement',
Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, 8-11 Nov.
2010.
Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems',
Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.
Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing
systems', Network Security, vol. 2011, no. 3, pp. 4-10.
Trost, R 2010, Practical Intrusion Analysis – Prevention and Detection for the Twenty-First Century,
Addison-Wesley, United States of America.
Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted
Computing Group, viewed 24 March 2011,
<http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.
Volonino, L, Anzaldua, R & Godwin, J 2007, Computer Forensics: Principles and Practices, Pearson
Prentice Hall, United States of America.
Wang, Y, Cannady, J & Rosenbluth, J 2005, 'Foundations of computer forensics: A technology for the
fight against computer crime', Computer Law & Security Report, vol. 21, no. 2, pp. 119-127.
Wardley, S, Goyer, E & Barcet, N 2009, 'Ubuntu Enterprise Cloud Architecture', Canonical, viewed 24
March 2011, <http://www.canonical.com/sites/default/files/active/WhitepaperUbuntuEnterpriseCloudArchitecture-v1.pdf>.
Winkler, V 2011, 'Operating a Cloud', Securing the Cloud, Syngress, Boston, pp. 253-277.