Research Proposal

Investigating a private Ubuntu Enterprise Cloud system

Suntisak Thammavongsa
100093531
THASY022
Bachelor of Information Technology (Honours)

Supervisor: Dr Raymond Choo
Co-Supervisor: Matthew Simon

12th June 2011

School of Computer and Information Science
University of South Australia

Abstract

Recently, the term “cloud computing” has come to the attention of many people as major technology companies such as Amazon, Google, Microsoft and Apple are now offering cloud computing services. Many believe that cloud computing will become the next mainstream architecture of corporate information systems in the near future for various beneficial reasons including cost savings and improved business outcomes. Meanwhile, security in cloud computing is also a hot topic as it is still a major concern for many organizations considering adopting the new technology.

For digital forensic investigators, keeping up with advances in technology is an essential responsibility. As new technologies emerge, practical guidelines for new systems or software applications will be useful sources of information. However, published practical guidelines for cloud forensics are still rare. With many competing cloud computing platforms in the market, Ubuntu Enterprise Cloud (UEC) is the focus of this research because it is a widely known open source cloud computing platform that employs the most popular common standards such as Amazon Application Programming Interfaces (APIs) (Canonical 2011a).

The research will consist of desk-based research as well as laboratory-based research. The desk-based research is about gathering the theoretical knowledge needed for the investigation of the system and the laboratory-based research is for developing practical skills by building a sample private cloud system, performing penetration testing and examining the system for evidence.
From this research, we hope to contribute a practical guideline that shows how the system could be configured for forensic readiness, where to look for evidence, and any challenges that may exist.

Table of Contents

Abstract
Introduction
    Research Question
    Field of Thesis
Literature Review
    Digital Forensics
    Cloud Computing
    Cloud Forensics and Related Works
Research Methodology
    Desk-based Research
    Laboratory-based Research
    Expected Outcome
Research Schedule
Trial Table of Contents
Appendix A – System Specifications
Glossary
References
Bibliography

Introduction

Digital forensics is a multi-disciplinary science. A digital forensic professional requires a synergy of skills including information technology security, forensic science, criminal justice and law. This discipline has numerous sub-branches such as network forensics, mobile device forensics, and email forensics. Recently, with the growing popularity of cloud computing, cloud forensics is becoming another specialized area of digital forensics. This emerging specialty refers to the recovery of digital evidence from cloud systems in a forensically sound manner. While cloud systems present new challenges to forensic investigators, so far there appear to be few published guidelines that specifically address the conduct of forensic investigation of cloud systems. Therefore, the aim of this research project is to study and produce a practical investigation guideline for a specific cloud computing platform.

Ubuntu Enterprise Cloud (UEC) is an open source implementation of cloud computing that enables organizations to build their own private cloud systems.
It is the chosen platform for this research because it supports the most popular common standards such as Amazon Application Programming Interfaces (APIs). UEC also receives regular security updates and has strong community support with active mailing lists and forums (DistroWatch 2011; Canonical 2011). Therefore, its use could become widespread and it could in turn be one of the cloud systems that forensic investigators will run into.

The next section will present the main research question and the sub-research questions that we are focusing on. It is followed by a literature review, which will introduce the key concepts of the topic and discuss various issues and related works in the area. After that, we will explain the research method that we are going to employ and also provide a research schedule as well as a trial table of contents of the final thesis.

Research Question

How to investigate a private Ubuntu Enterprise Cloud system?

Sub-research question one (SRQ1): What are the artefacts that a forensic investigator may examine for evidence?
Sub-research question two (SRQ2): What are the challenges of the investigation of such a system?
Sub-research question three (SRQ3): How may a system administrator configure their system for forensic readiness?

Field of Thesis

Cloud Forensics

Literature Review

Digital Forensics

When crimes involve the use of digital devices in some way, these devices could become repositories of information that may be used as evidence to convict persons of crimes. Digital forensics has arisen out of the need to use digital evidence and has since become an essential service for law enforcement in the fight against modern crimes. In order for digital evidence to be used in a court of law, a number of rules have been established for investigators to follow so that the evidence collected will satisfy the legal requirements and not be seen as something mistakenly understood or fraudulently planted to make someone appear guilty.
As explained by McKemmish (1999), the first rule is the minimal handling of the original, which is about minimizing changes made to the original, as changes could affect the final outcome. In order to do that, techniques like producing a duplicate of the evidence and hashing are commonly used. The second rule is to account for any changes: sometimes changes are inevitable during the examination process, but these changes must be properly documented with sufficient reasons and explanations of their causes and effects. The third rule is to comply with the rules of evidence, which concerns the techniques and tools employed in the investigation as well as the methods of presenting the evidence. The tools need to be analysed, tested and qualified by law, and the way the evidence is presented must not alter the original meaning of the evidence. Finally, the fourth rule is about not exceeding one’s knowledge. The rule requires that the investigator possesses sufficient knowledge and skills of the system under their investigation. This is to provide confidence that there are no misinterpretations or unwitting changes in the investigation process when presenting the evidence in court.

Traditionally, digital forensics may be seen as a discipline that serves only law enforcement. Nowadays, however, digital forensics services are becoming more common in corporate environments as part of organizations’ security strategies. According to Hilley (2004), digital forensics in corporate environments is used in areas such as fraud, money laundering, the accessing or distribution of pornography, or harassment. Non-serious cases can usually be resolved under the organization’s policy and disciplinary procedure, while the company is required by law to report serious cases such as money laundering and child pornography to the police.
Nevertheless, the forensic investigation process in a corporate environment will still need to satisfy the same requirements to preserve the integrity of the investigation so that the organization’s actions are justified.

Cloud Computing

In the literature, cloud computing is often seen as a new paradigm of computing environment. A cloud system may be briefly described as a distributed computer system that leverages virtualization technology to deliver computing services to users over a network connection (Grossman 2009). The fundamental idea behind this shift in computing architecture is that advances in virtualization and various network communication technologies have enabled a better way to share scalable computing resources. This has presented a new business opportunity of offering various innovative computing services such as online applications, remote storage services and computer instances on demand. Depending on the design and the type of cloud system, the most commonly discussed benefits of cloud computing technology include scalable computing resources, quick setup, the portability of online applications as well as some other more controversial advantages such as lower initial capital investment, lower running costs, and better security (Grossman 2009; Sultan 2010).

Cloud computing may deliver services to users in a number of ways. Cloud computing can provide Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). SaaS provides users with finished software applications built on a particular cloud platform. Without having to install the application on local computers, users access SaaS applications over the Internet with client software like a web browser. Examples of SaaS applications include Google Docs and Dropbox. PaaS enables users to build SaaS applications with the provision of basic operating software and optional services. Google App Engine and Windows Azure are examples of PaaS offerings.
IaaS provides users with only the underlying infrastructure including server hardware, storage, bandwidth and other fundamental computing resources. For example, users can rent a machine instance with complete access to all features of the operating system from Amazon EC2 services.

Cloud computing may also be categorized into different deployment models. Cloud systems can be public or private. A public cloud, as the name suggests, is designed to offer services to the general public, whereas a private cloud is used internally by a single organization.

Despite all the widely discussed benefits, cloud computing is not without criticism and concerns. Security, being one of the greatest challenges for all IT systems, has also been a hot research topic in cloud computing. This is especially so in the case of public clouds, because sensitive data are kept with the provider and public clouds are usually high-profile targets for hackers. On top of that, new systems mean new vulnerabilities and other security challenges. Trusted Computing Group (2010) identifies six areas of security challenge in cloud computing: virtualization isolation security issues, authentication and authorization, security of data at rest, security of data in transit or execution, incident response, and legal and regulatory issues. In recent years, various security vulnerabilities in cloud computing have been pointed out by researchers. These exploits include breaking out of the virtual environment, infecting the hypervisor with malware, hosting botnets on the cloud, and using the cloud to launch brute-force and other attacks (Choo 2010).

Cloud Forensics and Related Works

The principles of digital forensic investigation should be practiced in any computing environment. Cloud forensics is no exception. Forensic investigators are facing additional challenges in both technical and legal aspects in the cloud computing environment.
They need to update their knowledge and skills, and adapt their traditional forensic practices, techniques and tools to suit investigations of the new environment. Nevertheless, currently there do not seem to be many published practical guidelines for cloud forensics to support forensic investigators.

This research will follow the model of the work by Barrett & Kipper (2010). The authors offer practical guidelines on how to investigate dead and live virtual machines that run on a single computer. They explain what changes are made to the system when various virtual machines are installed, what artefacts may hold useful information, and what procedure to take when examining the system. However, their work only covers commercial products that run on a Windows host, such as VMware and Microsoft VirtualPC.

Some other work addresses cloud forensics in general without focusing on any particular platform. Taylor et al. (2011) look at the challenges of forensic investigations of cloud systems. The challenges will vary depending on the deployment model of the cloud system, that is, whether it is a public or private cloud. They explain that while evidence acquisition in a private cloud may be as straightforward as in the traditional environment, the process could be much more complex and time consuming in a large public cloud environment. This is because a large public cloud provider may have distributed datacentres in different jurisdictions. Another challenge is that data may be stored across a large number of devices. There is also the issue of the impact on other users of a public cloud system. These factors make it much more difficult to pinpoint the sources of potential evidence and the physical devices that hold the data of interest. In order to overcome these challenges, the authors suggest legislation that requires cloud operators to keep audit trails of user activities and records of events.
Another associated piece of work is about the application of network forensics in cloud environments (Lillard et al. 2010). The authors explain that cloud computing has changed the ways security controls are implemented to protect digital assets and how forensic investigations are conducted. They highlight the importance of understanding the design philosophies employed by different service providers, as these design philosophies will determine the limitations on forensic investigations. Although there are commonalities among different designs, the unique characteristics of the chosen system need to be well understood for forensic analysis to be most effective. The authors also suggest that while the standard incident response process should still be followed, additional consideration of how to manage and monitor the system for forensic purposes needs to be incorporated in the plan.

Another paper related to digital forensics in general focuses on the increasingly common attacks designed against forensic analysis (Casey 2008). The author points out that modern cybercrimes are becoming more sophisticated than ever before, and that various anti-forensic techniques have been employed by hackers to undermine investigations. For a while, a forensic examination involving the recovery of lost data on hard drives, the analysis of data collected by firewalls and intrusion detection systems and the use of reverse software engineering techniques would have been sufficient to help reveal the activities carried out and the damage caused by intruders and malware. However, today hackers have taken their attacks to new levels of sophistication. These techniques and tools may no longer suffice.
Anti-forensic measures such as overwriting files to prevent the recovery of evidence, anti-debugging mechanisms to prevent reverse software engineering, and encrypting network traffic to prevent detection and prolong the analysis have made the traditional practices, techniques and tools less effective.

While there are many competing cloud computing platforms in the market, Ubuntu Enterprise Cloud (UEC) supports the most popular common standards such as Amazon APIs. The platform receives regular security updates and has strong community support with active mailing lists and forums (DistroWatch 2011; Canonical 2011). This means that not only is there a good chance that forensic investigators will encounter this system, but the study of this platform will also provide a good foundation for any further research in cloud forensics. So far, few practical forensic-related how-tos for UEC have been found. Therefore, producing a practical forensic guideline for this particular cloud platform could be a worthwhile research contribution.

Research Methodology

The research methodology for this project consists of two phases. The initial phase of the project is desk-based research, gathering knowledge for the practical work in the second phase. In the second phase, we will install and configure a small private cloud system in a laboratory environment. This phase will enable us to gain a better understanding of how the system works and to perform an investigative analysis on an actual system to confirm the knowledge.

Desk-based Research

The goal of this phase is to build a fundamental understanding of how the system works. We will need to learn how to install and configure the system, how to secure and configure the system for forensic readiness, and where we can look for evidence. The official Ubuntu and Eucalyptus websites provide a good source of documentation on the products.
Online forums and other community hosted websites are also useful sources of knowledge, where we can find answers to common problems relating to system installations and configurations. A website like that of the Cloud Security Alliance group offers a guideline on how to secure a cloud system. Other published sources will also be consulted for general forensic practices, techniques and tools as well as the intrusion response process (see Bibliography). The latest knowledge in IT security doesn’t always get peer-reviewed and officially published. Therefore, the validity of all information obtained from these sources will be tested in the second phase of practical implementation.

In this desk-based research phase, we aim to address the following areas:

- Understand the architecture of Ubuntu Enterprise Cloud
- Determine a system configuration plan for security and forensic readiness
- Identify the artefacts to be examined for evidence
- Identify any possible challenges of the investigation

Laboratory-based Research

In this phase, we will build a sample private cloud system so that we can put the theoretical knowledge to the test. All software applications used in this project will be limited to those under General Public Licenses (GPLs) and Berkeley Software Distribution (BSD) licenses. This study will exclude the examination of any external security controls such as a separate firewall device or intrusion detection system.

To simplify the environment, the system will be set up to run two typical corporate servers, a web server and a file server, and provide IaaS-style desktop access to end users (see Appendix A for system specifications). The web server is used to host the company’s website for public access. The website is mainly informational and has a visitor book web application. The file server is for internal use to provide remote file storage and sharing.
Three groups of users representing three departments named A, B and C will be given full access to their own storage area while they are restricted from accessing the other departments’ storage areas on this file server.

We will then create a scenario where an internal employee is trying to steal confidential corporate data from the file server. A fellow student with some IT security background will be asked to perform this penetration testing. The fellow student will play two roles: an employee of department B and another employee of department C. His goal is to compromise the cloud system and steal data from the storage area of department A. This setup aims to create an environment where an unscrupulous employee has a number of different attack vectors to try. After two weeks of attack attempts, regardless of the result of the penetration testing, we will examine the cloud system and try to collect evidence of such malicious activities.

Expected Outcome

After carrying out both phases of the research, we expect to have enough information to produce a practical investigation guideline for a private Ubuntu Enterprise Cloud system. The guideline will include a discussion on how a system administrator may prepare the system for forensic readiness, the identification of artefacts to be examined for evidence, and any challenges that investigators may encounter.
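
The examination step of the laboratory scenario can be sketched as follows. This is an added example, not part of the original proposal: the log format, the user names and the /srv/share/dept_X layout are assumptions, and the sample records are constructed. It hashes the log before analysis, in line with McKemmish's first rule, and then flags access to another department's storage area.

```python
import hashlib
import posixpath
from dataclasses import dataclass
from datetime import datetime

# Constructed sample evidence. The proposal does not define a log format, so
# "<ISO timestamp> <user> <action> <path> <result>" is an assumption.
SAMPLE_LOG = b"""\
2011-08-02T09:14:07 bob READ /srv/share/dept_b/budget.xls ALLOWED
2011-08-02T09:15:41 bob LIST /srv/share/dept_a/ DENIED
2011-08-03T22:03:19 bob READ /srv/share/dept_b/../dept_a/payroll.xls DENIED
this line is damaged
2011-08-05T01:47:52 carol READ /srv/share/dept_a/board minutes.doc ALLOWED
2011-08-05T08:30:00 alice WRITE /srv/share/dept_a/board minutes.doc ALLOWED
"""

# Hypothetical accounts and storage layout for departments A, B and C.
USER_DEPT = {"alice": "a", "bob": "b", "carol": "c"}
SHARE_ROOT = "/srv/share/dept_"
RESULTS = {"ALLOWED", "DENIED"}


@dataclass(frozen=True)
class Finding:
    line_no: int        # position in the original log, for cross-reference
    when: datetime
    user: str
    user_dept: str
    target_dept: str
    path: str           # path exactly as recorded in the log
    result: str


def sha256_hex(data: bytes) -> str:
    """Digest recorded before analysis so later changes can be detected."""
    return hashlib.sha256(data).hexdigest()


def target_department(path: str):
    """Department that owns a path, after resolving '.' and '..' segments."""
    normalised = posixpath.normpath(path)
    if not normalised.startswith(SHARE_ROOT):
        return None
    return normalised[len(SHARE_ROOT):].split("/", 1)[0] or None


def parse_line(line: str):
    """Split one record; the path may contain spaces, the other fields may not."""
    stamp, user, _action, rest = line.split(" ", 3)
    path, result = rest.rsplit(" ", 1)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    if result not in RESULTS:
        raise ValueError("unknown result field")
    return when, user, path, result


def examine(raw: bytes) -> dict:
    """Flag access to another department's area without altering the evidence."""
    report = {"sha256": sha256_hex(raw), "findings": [], "unparsed_lines": []}
    for line_no, raw_line in enumerate(raw.split(b"\n"), 1):
        line = raw_line.decode("utf-8", "replace").strip()
        if not line:
            continue
        try:
            when, user, path, result = parse_line(line)
        except ValueError:
            # Keep damaged records visible: gaps may themselves be evidence.
            report["unparsed_lines"].append(line_no)
            continue
        user_dept, dept = USER_DEPT.get(user), target_department(path)
        if user_dept is None or dept is None:
            report["unparsed_lines"].append(line_no)  # needs manual review
        elif user_dept != dept:
            report["findings"].append(
                Finding(line_no, when, user, user_dept, dept, path, result))
    return report


def successful(findings):
    """Cross-department accesses that the file server actually permitted."""
    return [f for f in findings if f.result == "ALLOWED"]


if __name__ == "__main__":
    report = examine(SAMPLE_LOG)
    print("SHA-256 of log:", report["sha256"])
    for f in report["findings"]:
        print(f"line {f.line_no}: {f.user} (dept {f.user_dept.upper()}) "
              f"{f.result} on dept {f.target_dept.upper()} path {f.path}")
    print("lines needing manual review:", report["unparsed_lines"])
```

Recomputing the digest after the examination and comparing it with the recorded value shows that the analysis left the evidence unchanged; a permitted cross-department access points to a failure of the access restrictions rather than only an attempt.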

Research Schedule

Period                          Task
Early Mar 2011                  Identify research interest and find supervisor
Mar 2011                        Work on annotated bibliography
Early Apr 2011                  Determine research topic
Late Apr 2011 – 26 May 2011     Review literature & prepare research proposal
27 May 2011 – 30 May 2011       Prepare presentation
31 May 2011                     Give presentation
1 Jun 2011                      Prepare research proposal continued
10 Jun 2011                     Submit research proposal
11 Jun 2011 – 3 Jul 2011        Desk-based research
4 Jul 2011 – 20 Jul 2011        Away
18 Jul 2011 – 31 Jul 2011       Laboratory-based research: Install and configure system; Desk-based research continued
1 Aug 2011 – 19 Aug 2011        Perform penetration testing; Desk-based research continued
20 Aug 2011 – 16 Sep 2011       Examine system
17 Sep 2011 – 2 Oct 2011        Prepare thesis first draft
3 Oct 2011 – 23 Oct 2011        Prepare subsequent drafts
24 Oct 2011                     Submit thesis for review
31 Oct 2011 – 6 Nov 2011        Review thesis based on feedback
7 Nov 2011                      Submit final bound copy of thesis

Trial Table of Contents

i. Abstract
ii. Acknowledgement
iii. Table of Contents
Chapter 1. Overview
    1.1 Introduction
    1.2 Research Question
Chapter 2. Literature Review
    2.1 Digital Forensics
    2.2 Cloud Computing
    2.3 Cloud Forensics and Related Works
Chapter 3. Research Methodology
    3.1 Project Scope
    3.2 Desk-based research
    3.3 Laboratory-based research
    3.4 Expected outcome
Chapter 4. Laboratory-based research outcome
    4.1 UEC Architecture Overview
    4.2 System Configurations
    4.3 Investigation outcome
Chapter 5. Practical Guideline
    5.1 For system administrators
    5.2 For forensic investigators
Chapter 6. Conclusion
    6.1 Summary of research activities
    6.2 Concluding remarks
Appendix
Glossary
References

Appendix A – System Specifications

We will use a topology of two physical systems. This configuration puts all of the user-facing components (CLC/Walrus) and back-end control components (CC/SC) on a single system, and uses the second for VM hosting (NC).

Machine 1 (CLC/Walrus/CC/SC)

Hardware      Minimum         Suggested
CPU           1GHz            2 x 2GHz
Memory        2GB             4GB
Disk          5400RPM IDE     7200RPM SATA
Disk Space    40GB            200GB
Networking    100Mbps         1000Mbps

Notes:
- CPU: For an all-in-one front end, it helps to have at least a dual core processor
- Memory: The Java web front end benefits from lots of available memory
- Disk: Slower disks will work, but will yield much longer instance startup times
- Disk Space: 40GB is only enough space for a single image, cache, etc.; Eucalyptus does not like to run out of disk space
- Networking: Machine images are hundreds of MB, and need to be copied over the network to nodes

Machine 2 (NC)

Hardware      Minimum          Suggested
CPU           VT extensions    VT, 64-bit, Multicore
Memory        1GB              4GB
Disk          5400RPM IDE      7200RPM SATA or SCSI
Disk Space    40GB             100GB
Networking    100Mbps          1000Mbps

Notes:
- CPU: 64-bit can run both i386 and amd64 instances; by default, Eucalyptus will only run 1 VM per CPU core on a Node
- Memory: Additional memory means more, and larger, guests
- Disk: Eucalyptus nodes are disk-intensive; I/O wait will likely be the performance bottleneck
- Disk Space: Images will be cached locally; Eucalyptus does not like to run out of disk space
- Networking: Machine images are hundreds of MB, and need to be copied over the network to nodes

Glossary

Anti-debugging: The implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.

API (Application Programming Interface): A set of functions that a program or person can use to send requests to and receive results from another program.

AWS (Amazon Web Services): A collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com.

Brute-force attacks: A strategy used against encrypted data. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Digital Forensics: The process of identifying, preserving, analysing and presenting digital evidence under forensically sound conditions.

Dropbox: A Web-based file hosting service operated by Dropbox, Inc.

Electronic evidence: Evidence in digital or electronic form, such as e-mail, computer files, and instant messages.

Email forensics: A sub-branch of digital forensics relating to recovery of digital evidence or data from emails on the client and server systems, including deleted emails, calendars and contacts.

Encrypting: The process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Eucalyptus: A software platform for the implementation of private cloud computing on computer clusters.

File server: A computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files that can be accessed by the workstations that are attached to the computer network.

Firewall: A piece of software, a device or set of devices designed to permit or deny network transmissions based upon a set of rules, frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.

Google Docs: Web-based word processor, spreadsheet, slide show, form, and data storage service offered by Google.

Hackers: Persons who break into computers and computer networks for profit, as protest, or sometimes motivated by the challenge.

Hypervisor: Also called virtual machine manager, it is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.

Intrusion detection system: A piece of software, a device or set of devices designed to monitor network and/or system activities for malicious activities or policy violations and to produce reports to a management station.

Malware (malicious software): Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and carry out other abusive behaviour.

Mobile device forensics: A sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.

Network forensics: A sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection.

Penetration testing: A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

REST (Representational State Transfer): A style of software architecture for distributed hypermedia systems such as the World Wide Web.

UEC (Ubuntu Enterprise Cloud): An edition of the Linux-based Ubuntu operating system for cloud computing platforms.

Virtualization: The creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.

VMware: A commercial virtualization software product.

Vulnerabilities: Weaknesses which allow an attacker to reduce a system's information assurance.

Web Server: Either the hardware (the computer) or the software (the computer application) that helps to deliver content that can be accessed through the Internet.

References

Barrett, D & Kipper, G 2010, 'Investigating Dead Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 83-107.
Barrett, D & Kipper, G 2010, 'Investigating Live Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 109-128.
Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.
Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and criminal justice, vol. 400.
Canonical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/deploy-anywhere>.
Canonical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/secure-and-robust>.
DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011, <http://distrowatch.com/dwres.php?resource=major>.
Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.
Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security, vol. 2006, no. 6, pp. 14-16.
Hilley, S 2004, 'The corporation: the non-policed state', Infosecurity Today, vol. 1, no. 6, pp. 36-37.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010, 'What Is Network Forensics?', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.
McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.
Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems', Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.
Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing systems', Network Security, vol. 2011, no. 3, pp. 4-10.
Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted Computing Group, viewed 24 March 2011, <http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.

Bibliography

Barrett, D & Kipper, G 2010a, 'Cloud Computing and the Forensic Challenges', Virtualization and Forensics, Syngress, Boston, pp. 197-209.
Barrett, D & Kipper, G 2010b, 'Investigating Dead Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 83-107.
Barrett, D & Kipper, G 2010c, 'Investigating Live Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 109-128.
Barrett, D & Kipper, G 2010d, 'Virtualization Challenges', Virtualization and Forensics, Syngress, Boston, pp. 175-195.
Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.
Casey, E, Daywalt, C & Johnston, A 2010, 'Intrusion Investigation', in Eoghan, C (ed), Handbook of Digital Forensics and Investigation, Academic Press, San Diego, pp. 135-206.
Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and criminal justice, vol. 400.
Canonical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/deploy-anywhere>.
Canonical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/secure-and-robust>.
Cyber Security Operation Centre 2011, Cloud Computing Security Considerations, Department of Defence Intelligence and Security, viewed 29 May 2011, <http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf>.
DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011, <http://distrowatch.com/dwres.php?resource=major>.
Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.
Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security, vol. 2006, no. 6, pp. 14-16.
Hilley, S 2004, 'The corporation: the non-policed state', Infosecurity Today, vol. 1, no. 6, pp. 36-37.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010a, 'Incorporating Network Forensics into Incident Response Plans', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 221-274.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010b, 'Other Network Evidence', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 59-92.
Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010c, 'What Is Network Forensics?', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.
McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.
Nick, JM, Cohen, D & Kaliski, BS 2010, 'Key Enabling Technologies for Virtual Private Clouds', in Furht, B & Escalante, A (eds), Handbook of Cloud Computing, Springer US, pp. 47-63.
Reilly, D, Wren, C & Berry, T 2010, 'Cloud computing: Forensic challenges for law enforcement', Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, 8-11 Nov. 2010.
Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems', Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.
Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing systems', Network Security, vol. 2011, no. 3, pp. 4-10.
Trost, R 2010, Practical Intrusion Analysis – Prevention and Detection for the Twenty-First Century, Addison-Wesley, United States of America.
Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted Computing Group, viewed 24 March 2011, <http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.
Volonino, L, Anzaldua, R & Godwin, J 2007, Computer Forensics: Principles and Practices, Pearson Prentice Hall, United States of America.
Wang, Y, Cannady, J & Rosenbluth, J 2005, 'Foundations of computer forensics: A technology for the fight against computer crime', Computer Law & Security Report, vol. 21, no. 2, pp. 119-127.
Wardley, S, Goyer, E & Barcet, N 2009, 'Ubuntu Enterprise Cloud Architecture', Canonical, viewed 24 March 2011, <http://www.canonical.com/sites/default/files/active/WhitepaperUbuntuEnterpriseCloudArchitecture-v1.pdf>.
Winkler, V 2011, 'Operating a Cloud', Securing the Cloud, Syngress, Boston, pp. 253-277.