Title
Digital Forensics and Information Security
Author
Raslan, Mahmoud Mohamed Nasreldin Abdel-Tawwab Abdel-Baki
Committee
Researcher / Mahmoud Mohamed Nasreldin Abdel-Tawwab Abdel-Baki
Supervisor / Adel El-Hennawy
Supervisor / Hadia Mohamed El-Hennawy
Examiner / Mohamed Gamal-Eldin Darweesh
Examiner / Hani Mohamed Kamal Mahdi
Publication date
2015
Number of pages
176 p.
Language
English
Degree
Doctorate (PhD)
Specialization
Electrical and Electronic Engineering
Date of approval
1/1/2015
Place of approval
Ain Shams University - Faculty of Engineering - Electrical Engineering
Abstract

Digital forensics and information security have developed rapidly to
support reliable everyday services. The digital forensics process can be
broken down into three categories of activity: acquisition, analysis,
and presentation. Acquisition is the collection of the digital media to
be examined. Analysis is the actual examination of that media:
identification, analysis, and interpretation. Presentation is the process
by which the examiner shares the results of the analysis phase with the
interested party or parties. An important part of the digital forensics
process is evidence acquisition and chain of custody: the chain of
custody is the documented record of who has held the evidence and what
was done to it, from acquisition onward, and it is what allows the
authenticity of the events reconstructed from the evidence to be
established.
Digital forensics in cloud computing brings new technical and legal
challenges, e.g. the remote nature of the evidence, the trust that must
be placed in its integrity and authenticity, and the lack of physical
access. The difficulties comprise acquisition of remote data, chain of
custody, distributed and elastic data, large data volumes, and
ownership. Digital forensics experts face new challenges in collecting
evidence in cloud computing environments. Evidence is often located in
data centres that are geographically separated, and investigators cannot
be expected to travel to each site to acquire it. Moreover, the volume of
hosted data is very large and the data is complex. For evidence to be
admitted in court, the collection process must guarantee its integrity,
authenticity, and non-repudiation, and sometimes its confidentiality. To
achieve a secure cloud forensics process, researchers have proposed many
solutions in the literature, but these have major drawbacks: security
weaknesses and high communication and computation overheads.
Furthermore, received packets should be analysed without assuming that
the entire original packet stream is available. The literature contains
many schemes that deal with these issues. A research group led by Ragib
Hasan proposed a forensics-enabled cloud architecture (FECloud) to
preserve and provide the required evidence while protecting its privacy
and integrity. In 2013, Hou et al. proposed a scheme to verify data
authenticity and integrity in server-aided confidential forensic
investigation. Authenticity and integrity are two essential requirements
for evidence admitted in court. The aims of this thesis are:
• To introduce a new concept for digital artifact acquisition in cloud
computing, consolidating digital forensics and cloud computing, that
guarantees a safe investigation yielding trusted digital evidence; and to
review the protocols that deal with data acquisition in the cloud,
focusing on their security goals.
• To analyse Hou et al.'s scheme with respect to its claimed integrity
and authenticity properties. Our analysis shows that the scheme does not
satisfy the claimed integrity and authenticity for server-aided
confidential forensic investigation. To achieve authenticity,
confidentiality and integrity of evidence in the cloud, we show how
encryption and digital signature algorithms can be combined in different
designs to ensure confidentiality and chain of custody for the digital
forensics process in the cloud. Sign-Encrypt-Sign and
Encrypt-Sign-Encrypt constructions are used to provide evidence
confidentiality, authenticity, non-repudiation, and integrity. We also
compare two instantiations of the proposed modification to Hou et al.'s
scheme, RSA and Elliptic Curve Cryptography (ECC), in building the
Encrypt-Sign-Encrypt design, in terms of key size and computation; ECC
shows a lower computation cost than RSA in the Encrypt-Sign-Encrypt
implementation.
• To propose an identity-based signcryption protocol that reduces the
computation, communication, and implementation overheads of collecting
evidence in cloud forensics. Signcryption protocols achieve the basic
goals of encryption and signature protocols more efficiently than the
Sign-Encrypt-Sign and Encrypt-Sign-Encrypt constructions. A validation
of the proposed protocol using BAN logic is also presented. The proposed
scheme has the following features:
- It deploys the signcryption concept to achieve both the authenticity
and confidentiality goals in the evidence acquisition process.
- It uses identity-based cryptography to avoid the problems of a Public
Key Infrastructure (PKI).
- The outcome of the proposed scheme is given a precise mathematical
meaning through the logical (BAN) analysis.
- It shows a lower computation cost than the proposed
Encrypt-Sign-Encrypt design on ECC.
- Its usefulness is demonstrated by developing a generic evidence
acquisition and chain of custody algorithm over public communication
channels, as a selected example of digital forensic analysis.
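As an added example that is not code from the thesis, the following Go program shows the Encrypt-Sign-Encrypt construction on ECC as described above, applied to a custody record sent from a cloud-side acquisition agent to an investigator. Everything concrete here is an assumption of this example rather than the thesis's own design: P-256 ECDH with AES-256-GCM for each encryption layer, ECDSA P-256 for the signature, SHA-256 over the shared secret and a label in place of a proper KDF, the text format of the custody record, and the constructed custodian, source and log line.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on setup errors (key generation, cipher construction) that do not occur in practice.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CustodyRecord is the plaintext the design protects: who acquired what, from where, with the
// artefact's SHA-256 so the investigator can re-check the bytes later. Format is an assumption.
func CustodyRecord(custodian, source string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("custodian=%s\nsource=%s\nsha256=%x\n\n", custodian, source, sha256.Sum256(payload))), payload...)
}

// aead derives AES-256-GCM from an ECDH secret as SHA-256(secret || label); a deployment would use HKDF.
func aead(secret []byte, label string) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, secret...), label...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// sealTo encrypts msg to pub. Layout: ephemeral P-256 key (65 bytes) || 12-byte nonce || ciphertext.
func sealTo(pub *ecdh.PublicKey, label string, msg []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	gcm := aead(must(eph.ECDH(pub)), label)
	ephPub, nonce := eph.PublicKey().Bytes(), make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(append(ephPub, nonce...), nonce, msg, ephPub) // ephemeral key bound as associated data
}

// openFrom reverses sealTo; any change to the box, ephemeral key included, fails the GCM tag check.
func openFrom(priv *ecdh.PrivateKey, label string, box []byte) ([]byte, error) {
	const pubLen, nonceLen = 65, 12
	if len(box) < pubLen+nonceLen {
		return nil, errors.New("box too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(box[:pubLen]) // validates the point is on the curve
	if err != nil {
		return nil, err
	}
	secret := must(priv.ECDH(ephPub)) // cannot fail once the point has been validated above
	return aead(secret, label).Open(nil, box[pubLen:pubLen+nonceLen], box[pubLen+nonceLen:], box[:pubLen])
}

// EncryptSignEncrypt: encrypt the record to the investigator, sign that ciphertext (the signature reveals
// nothing about the plaintext and binds the agent to exactly this encrypted artefact), then encrypt
// signature and ciphertext again so that the signer's identity is hidden in transit as well.
func EncryptSignEncrypt(agent *ecdsa.PrivateKey, investigator *ecdh.PublicKey, record []byte) ([]byte, error) {
	inner := sealTo(investigator, "ese-inner", record)
	digest := sha256.Sum256(inner)
	sig, err := ecdsa.SignASN1(rand.Reader, agent, digest[:])
	if err != nil {
		return nil, err
	}
	// A P-256 ASN.1 signature is at most 72 bytes, so a single length byte frames it.
	mid := append(append([]byte{byte(len(sig))}, sig...), inner...)
	return sealTo(investigator, "ese-outer", mid), nil
}

// DecryptVerifyDecrypt undoes the three layers, checking the signature before the inner decryption
// so that a tampered or foreign artefact is rejected before any evidence plaintext exists.
func DecryptVerifyDecrypt(investigator *ecdh.PrivateKey, agent *ecdsa.PublicKey, box []byte) ([]byte, error) {
	mid, err := openFrom(investigator, "ese-outer", box)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	if len(mid) == 0 || int(mid[0]) > len(mid)-1 {
		return nil, errors.New("malformed signed layer")
	}
	sig, inner := mid[1:1+int(mid[0])], mid[1+int(mid[0]):]
	digest := sha256.Sum256(inner)
	if !ecdsa.VerifyASN1(agent, digest[:], sig) {
		return nil, errors.New("signature does not verify: evidence is not authentic")
	}
	return openFrom(investigator, "ese-inner", inner)
}

// GenerateParties creates the agent's ECDSA signing key and the investigator's ECDH key (both P-256).
func GenerateParties() (*ecdsa.PrivateKey, *ecdh.PrivateKey) {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdh.P256().GenerateKey(rand.Reader))
}

func main() {
	agent, inv := GenerateParties()
	// Constructed sample artefact, not real data.
	rec := CustodyRecord("acq-agent-01", "vm-7:/var/log/auth.log", []byte("Jan  1 00:00:01 vm-7 sshd[1]: Accepted publickey for root"))
	box := must(EncryptSignEncrypt(agent, inv.PublicKey(), rec))
	got, err := DecryptVerifyDecrypt(inv, &agent.PublicKey, box)
	fmt.Println("verified:", err == nil, "record intact:", string(got) == string(rec))
}
```

The order of operations is the point of the construction: the agent signs ciphertext, so the investigator verifies origin and integrity (and the agent cannot later repudiate the artefact) before any plaintext is recovered, and the outer layer keeps both the evidence and the signer's identity confidential on the public channel. Swapping the two ECDH layers for RSA-OAEP key wrapping gives the RSA instantiation the thesis compares against; the signing and framing logic is unchanged.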
Different comparisons are carried out to evaluate the new protocol as
well as our modification to Hou et al.'s scheme. The new protocol is
faster and more secure than the proposed modification to Hou et al.
(Encrypt-Sign-Encrypt using ECC). Encrypt-Sign-Encrypt using ECC is in
turn faster than Encrypt-Sign-Encrypt using RSA, and faster even than
Hou et al.'s original protocol, which our analysis showed to be insecure.
This thesis thus studies the digital forensics and information security
area with a focus on the cloud computing environment.