Challenges of Data Provenance for Cloud Forensic Investigations
The inability to effectively track data in cloud computing environments is becoming one of the top concerns for cloud stakeholders. This inability is due to two main reasons. Firstly, the lack of data tracking tools built for clouds. Secondly, current logging mechanisms are only designed from a system-centric perspective. There is a need for data-centric logging techniques which can trace data activities (e.g. file creation, edition, duplication, transfers, deletions, etc.) within and across all cloud servers. This will effectively enable full transparency and accountability for data movements in the cloud. In this paper, we introduce S2Logger, a data event logging mechanism which captures, analyses and visualizes data events in the cloud from the data point of view. By linking together atomic data events captured at both file and block level, the resulting sequence of data events depicts the cloud data provenance records throughout the data lifecycle. With this information, we can then detect critical data-related cloud security problems such as malicious actions, data leakages and data policy violations by analysing the data provenance. S2Logger also enables us to address the gaps and inadequacies of existing system-centric security tools.