Towards the Forensic Identification and Investigation of Cloud Hosted Servers through Noninvasive Wiretaps

TL;DR

This paper introduces a novel, noninvasive wiretap device that enables rapid and reliable identification of specific cloud-hosted servers during cybercrime investigations without requiring provider cooperation.

Contribution

The paper presents a new handheld device and method for undetectable Ethernet communication interception to identify cloud servers efficiently.

Findings

Device successfully identifies target servers in tests.

Method is undetectable and noninvasive.

Potential to improve forensic investigations significantly.

Abstract

When conducting modern cybercrime investigations, evidence has often to be gathered from computer systems located at cloud-based data centres of hosting providers. In cases where the investigation cannot rely on the cooperation of the hosting provider, or where documentation is not available, investigators can often find the identification of which distinct server among many is of interest difficult and extremely time consuming. To address the problem of identifying these servers, in this paper a new approach to rapidly and reliably identify these cloud hosting computer systems is presented. In the outlined approach, a handheld device composed of an embedded computer combined with a method of undetectable interception of Ethernet based communications is presented. This device is tested and evaluated, and a discussion is provided on its usefulness in identifying of server of interest to an investigation.