Forensic Investigation in Mobile Cloud
Environment
Nouha Samet1,2, Asma Ben Letaïfa1,2, Mohamed Hamdi2, Sami Tabbane1,2
1
MEDIATRON, University of Carthage
2
Higher School of Communications of Tunis, Sup’Com
Ariana, Tunisia
nouha.samet@supcom.tn, asma.benletaifa/mmh/sami.tabbane@supcom.rnu.tn
Abstract— Cloud computing is changing the way we use
mobile application by offering a powerful, scalable and on-
demand computational resources to mobile users. However, this
new paradigm is a challenging issue for forensic investigators
since it combines two different environments. The adoption of
Mobile Cloud computing solutions is increasing rapidly, so it is
necessary for digital investigation applications and procedure to
be adapted to this new environment. This paper provides an
overview of mobile cloud forensics including challenging issues
and some existing proposals in order to overcome these
challenges.
Keywords—Mobile Cloud computing, digital forensics, mobile
cloud forensics.
I. INTRODUCTION
Mobile Computing becomes a powerful trend in the
development of IT technology; latest generation of mobile
communication networks offers to the user a rich experience
of mobile Internet and applications. However, the variety of
mobile devices and their limited resources is hampering
some sophisticated applications that require large processing
and storage capabilities. The cloud extends the performance of
mobile terminals and enable applications previously not
feasible to find their way to mobile users. This is called
"Mobile Cloud Computing" which is increasing rapidly; cloud
computing based mobile software and application are expected
to rise by 88% per year between 2009 and 2014[1].
Mobile cloud computing is now offering to mobile phones
large connectivity options, storage and processing capabilities,
which can be a way to abuse digital crimes. The growth of
mobile device use is not only increasing and diversifying the
data to be analyzed, but also complicating investigations.
Regarding Clouds, the task is more difficult given the changes
in the way information is created, stored, accessed and
managed. Digital forensics is facing specificities of Mobile
Cloud environment such as, terminals proliferation, loss of
control over data, lack of access to physical infrastructure and
lack of tools for large distributed and virtualized systems.
Mobile cloud forensics is about a very rich research area.
This paper aims to present challenging issues for Mobile
Cloud forensics and give a look into some works that deal
with forensic problems within this environment. The rest of
the article is organized as follows: section II provides an
978-1-4799-5874-0/14/$31.00 ©2014 IEEE
overview of mobile cloud forensics. In section III, we present
challenges faced by investigator when dealing with mobile
cloud infrastructure. In section IV, we conduct a comparative
study among some proposals for mobile cloud forensics.
Finally, section V concludes this paper and explores the future
works.
II. MOBILE CLOUD FORENSICS
Mobile Cloud computing inherent from the Cloud
computing advantages and help mobile devices to overcome
problems faced by traditional mobile applications; especially
in term of data storage and processing capabilities. Cloud is
then considered to be a promising solution for mobile
computing by improving data storage capacity and processing
power, improving reliability, extending battery lifetime,
providing dynamic provisioning and scalability and ease of
integration [2]. As application execution is partitioned
between the terminal and the cloud server, mobile cloud
forensics should take on consideration these two different
environments. Consequently, investigations should be made in
two levels: mobile level and cloud level.
Mobile phone forensics is the science of recovering digital
evidence from a mobile phone under forensically sound
conditions using accepted methods [3]. Mobile data evidence
can be extracted from the user mobile device; Subscriber
Identity Module (SIM) card, internal memory, external
memory card. Data collected is related to call or SMS history,
Internet browsing history, Emails, multimedia files. Other
additional information provided by the Network Service
Provider may be useful like historical call records, messages
information, and user localization over the time. According to
Brother in [4], there are three main extraction methods used by
forensics investigators for mobile data acquisition. These
methods are classified in a layered pyramid; manual, logical
and physical extraction methods. Going up from the bottom
layer to the top layer, the extraction procedure produce a more
forensically sound memory images, require longer analysis
time and involve more technical expertise and training.
Cloud forensics has been defined as “the application of
digital forensics science in cloud computing environments.
Technically, it consists of a hybrid forensic approach towards
the generation of digital evidence. Organizationally, it
involves interactions among cloud actors for the purpose of
facilitating both internal and external investigations. Legally
it often implies multi-jurisdictional and multi-tenant
situations.” [5]. Cloud forensics is still a growing area of
research, so few works has defined forensic process in cloud
environment. In [6], cloud forensics is presented as a four step
process that applies the principles of digital forensics with the
challenge of combining different physical and logical
locations; client-side and Provider-side.
III. MOBILE CLOUD FORENSICS CHALLENGES
In this section, we present challenges faced by
investigators when dealing with mobile cloud infrastructure,
as discussed in current research literature. Regarding the
nature of mobile cloud architectures, forensic challenges are
associated to both mobile networking specificity and
distributed cloud environment.
The main problem faced by analyst in mobile phone
investigation is the lack of standard method for data extraction
and internal memory analysis for smart phones. This problem
is even accentuated with changes in technologies, multitude of
manufactures with different methods for storing and
processing data in the mobile equipment. As discussed
previously, physical extraction methods extract more
forensically sound data but require high technical expertise
and longer analysis time. However, logical extraction methods
cause problem with data integrity; data can be remotely
contaminated (destroyed or changed), via network connection,
since the mobile should be active and connected during
acquisition [8]. Moreover, most of the commercially available
forensic tools do not provide solutions to deal with physically
damaged mobile phones; so deleted data can only be
recovered using physical acquisition. The loss of data on
mobile device can be the result of the absence of the SIM card
or the use of another SIM card. Furthermore, identifying the
mobile user is an important action in mobile forensics
procedure; Mobile Service Provider (MSP) needs to be
consulted for proper identification of the subscriber. In fact, if
we consider the case of the Mobile Number Portability
(MNP), when a mobile subscriber retain his mobile number
when changing from one mobile operator to another, the
identification process will rely on the MSP. More important
aspect challenging the identification of the user is the
possibility of changing the International Mobile Equipment
Identity (IMEI) for few mobile handsets with the use of
flashing tools. This illegal activity will result on wrong
identification of the mobile user [4]. A standard and strong
identification scheme should be used through mobile networks
and cloud environment in order to be able to identify
malicious activities and users during forensic investigations.
In cloud environment, challenges are strongly related to
the virtualized and distributed architecture of clouds, mainly in
forensic data collection, lack of cloud-based forensic tools, log
analysis, maintaining a chain of custody. Ruan at [9], has
extended the definition of cloud forensics across three
dimensions: technical, organizational and legal. According to
this definition, dependency on CSP and multi-jurisdiction, are
not typically technical problems, but are related to the
multidimensional aspect of cloud forensics. In the following,
we discuss in details challenges forensic investigator are
experiencing within cloud environment.
Data acquisition is the most crucial step in investigation
process; any error that occurs during collection can cause
doubt about the data integrity and authenticity so it can’t be
admissible evidence in low court. Acquisition process
involves data identification, access, seizure and preservation.
Due to the dynamic nature of cloud computing systems,
knowing the exact location of data at a specific time is very
hard. Hence, physical inaccessibility makes collection harder
considering the fact that existing tools and procedures assume
that we can physically access to computers in order to perform
evidence acquisition. In general, in cloud environment,
investigators have less control over the evidence than in
traditional digital forensics, depending on the cloud service
model. This loss of control has an impact on crime scene
reconstruction and causes difficulties to sequence crime events
and establish timelines. Moreover, in such virtualized
environment, data can be easily lost if we turn off virtual
machine and we don’t dispose of instance’s image. Data
collection should be done in a specific order according to the
volatility of the data; highly volatile data, such as registry
entries and temporary files, should be collected first.
Furthermore, dependency on a Cloud Service Provider is an
important issue in investigation process. Investigators will rely
on a third party in order to collect data from clouds. That’s
why data collection process should follow a methodology to
preserve data integrity with clear duties segregation between
the client and the provider and without breaking law or
compromising confidentiality of other tenants sharing the
same resource. Further, performing forensic data collection in
clouds involves downloading VM instance’s image via
network. VM size will increase with data contained and used
by that VM, which requires large bandwidth to complete
evidence collection in a timely manner.
One of the most important characteristics of cloud is the
rapid elasticity; cloud resources can be provisioned on
demand. Hence, cloud investigation tools should be elastic
too. Traditional static and live forensic tools are required in
most cases, providing that they should be adapted to large
scale systems. However there is an urgent need for new tools
and procedures, which deal with virtual infrastructure, to be
developed. These techniques should facilitate investigations in
Virtual environment, mainly virtual machines forensics data
collection facilities and hypervisor analysis.
Essential information for investigation is contained in log
files, such as process logs, network logs, and application logs.
However, gathering this crucial information in cloud
infrastructure is more complex than in traditional computer
systems. In fact, logs are decentralized among multiple
locations; multiple users’ logging may be co-located or spread
across multiple servers. Also, logs are volatile (due to
virtualization); all the logs will be unavailable if the user
power off the VM instance, so logs will not be constantly
available. Besides, cloud architecture relies on several layers
and tiers, each producing valuable logs for forensic
investigation. These logs need to accessible to different
stakeholders of the system, e.g., system administrator, forensic
investigator, and developer. Hence, there should be some
access control mechanism, so that everybody will get what
they need exactly in a secure way. In addition, dependence on
the CSP is complicating the task; the availability of the logs
varies depending on the service model and consequently on
the provider. Over and above that, there is no standard format
of logs. Logs are available in heterogeneous formats
depending on layers and service providers. This can lead to
lack of crucial information for investigation purpose in logs.
One of the most essential parts of the digital investigation
process is the chain of custody. It provides useful information
about the digital evidences studied using a certain forensic
process by answering these questions: When, Who, Where,
Why, What and How [10]. In traditional forensic procedure, it
starts with gaining the physical control of the evidence, such
as computer or hard disk, but this cannot be possible with
cloud forensics. In a cloud, investigator can acquire the
available data from any workstation connected with the
internet. Due to the multi jurisdictional laws, procedures, and
proprietary technology in cloud environment, maintaining
chain of custody will be a real challenge.
Beside technical challenges, investigators face the fact that
cloud involves different parties (consumer, provider,
eventually a third party). An organizational structure is needed
to carry out investigation efficiently. CSPs and most cloud
applications often has dependencies on other cloud providers,
therefore an investigation may depends on one of the links in
the chain. Essential communications and collaborations
through this chain need to be facilitated by organizational
policies and SLAs. The chain of cloud provider and consumer
also has to communicate and collaborate with law
enforcement, third parties, and academia in order to facilitate
effective and efficient forensic activities [9].
Multi-jurisdiction and multi-tenancy is identified as the
most important legal issue in digital forensics context, and are
accentuated in the cloud since data centers are spread all over
the world. There is an urgent need for regulation and
agreements to be developed. Cross border legislation should
facilitate investigator life; they will be confident that laws are
not violated during forensic process, from evidence collection
to presentation in law court. Moreover, rules should be set up
in order to make sure that privacy of other tenants sharing the
same resources will not be compromised during investigation.
IV. EXISTING PROPOSALS
Collecting data from mobile device or cloud server in
forensically sound manner is among the major challenge for
investigators in case of mobile cloud based crime. In this
section, we will discuss some researches related to forensic
investigation in Mobile Cloud environment.
In [15], Chen et al. aim to develop and implement digital
forensic software for smart phone. The developed tool
performs logical acquisition on mobile device that extract data
such as calls record, messages, photos, contacts, SIM
information, and uses mechanisms to recover old and deleted
data. This research was restraint to iPhones and provides a
quick access to the device. However the developed tool shows
some restrictions in collected data types and presents
difficulties in Multimedia images recovery. Moreover, the
developed solution faces some problems with locked phones.
In [16], Dezfouli et al. propose a new approach for
memory acquisition of mobile phones that provides an
appropriate method in order to preserve the volatile data inside
the memory of mobile devices from being contaminated and
preserves as much evidences as possible during acquisition
process. This solution is designed to include any types of
mobile phones such as windows mobile phones, android
mobile phones and iPhones. In fact, the solution consists of
preserving the volatile data in a reserved part in mobile
device’s memory, called the backup. This backup is updated in
a certain period of time with the volatile data in order to store
all the processes that are running on the mobile phone. This
approach allows the mobile to manage the backup space and
collect the appropriate volatile data. Seeing the limited storage
space in mobile device, the backup space only stores data such
as logs and the data that are considered as evidence to forensic
investigators. The process of storing the volatile data inside
the backup folder and updating it, is totally invisible to the
user and is done automatically without user awareness.
In [11], Quick and Choo studied the case of data collection
from cloud storage services and explore whether the files
contents and the timestamps information could change during
data collection process. In fact, the study suggests that
examiner has legal access to a cloud storage account, and that
forensic software for data collection from cloud storage
accounts is not available. Research was undertaken exploring
a process of accessing and downloading data using a browser
and client software, and by examining three popular public
cloud storage providers, namely Dropbox, Google Drive, and
Microsoft SkyDrive. Results have shown that the file contents
were not altered during the process of uploading, storing, and
downloading files. The associated file timestamps were
different to those of the original file, and varied depending on
the process undertaken and the service used.
In [14], Marty addresses the challenges related to metadata
and log files in cloud environment. This work proposes a
logging framework and guidelines to ensure that the data
needed for forensic investigations has been generated, stored
and collected properly. In addition, these guidelines ensure
that investigator can easily analyze, process, and correlate the
emitted log records. The contribution is about providing
guidelines for developers to efficient implementation of
logging depending on the use case; it’s mandatory to know
when logs are to be generated, what information logs should
include and how log records should be organized.
Within the same aspect, Zawoad et al. at [18] introduce a
new method, called Secure-Logging-as-a-Service (SecLaaS),
which stores virtual machines’ logs and provides access for
forensic investigators. In fact, the solution propose a scheme
of revealing cloud users’ logs for forensics investigation while
preserving the confidentiality of users’ logs from dishonest
cloud provider and external entity. He introduce a tamper
evident scheme, called Proof of Past Log, to preserve the
integrity of logs by disabling manipulation after the incident;
any modification of the log by the CSP, the investigator or the
user can be detected during the verification process.
 In [17], Poore et al. dressed the challenge faced by
investigator in virtualized environment. This research
proposed the use of virtual machine introspection (VMI) with
traditional digital forensics in order to conduct investigation in
virtual environment. In fact, VMI is a virtualization technique
that is used to monitor a virtual machine through its
hypervisor or a privileged virtual machine. It allows extracting
information from a virtual machine without affecting its
functionality or memory state. The proposed solution takes
advantage from the VMI and combined it with common
forensic tools. Result has shown that this method can reduce
the impact of the limitations of traditional forensics tools
abilities during a live forensic process.
In [12], Chung et al. stand up that important artefact, in the
case of cloud storage service investigation, will remain on
device used to access the service. This research has provided a
process model for forensic investigation of cloud storage
services, and has shown that it is possible to use traces left in
smartphones, in addition to those left in PCs, to better conduct
digital forensics on one user’s cloud storage account. In the
same research direction, Grispos et al. at [13] has undertaken
experiments on Android and iPhone devices that have
accessed to cloud storage service, namely DropBox, Box and
SugarSync. The forensic investigation has been processed
using the Universal Forensic Extraction Device (UFED). This
work has shown the possibility to recover deleted data from
cloud storage service relying on traces left on mobile device.
The recovery was successful using Android mobile device but
was not possible with iPhone device.
V. DISCUSSION
Table I summarizes major technical issues faced by
forensic investigators in Mobile Cloud environment presented
in the aforementioned references. Proposals deal principally
with whether cloud service, such as investigating data storage
service or cloud applications, or on mobile device. Moreover,
we detect that most works deal with problem of data
acquisition and recovery from both cloud infrastructure and
mobile device, as it constitutes the first and most crucial step
in forensic process that can affect the final results. Some other
works emphasize on logging for forensic investigation; logs
from different sources, e.g., network, process, and database
constitute a rich source of evidence, yet it is challenging to
collect logs from cloud since dependency of CSP is still
strong. Most importantly, we notice that works have not take
into account problems related to the combination of two
different fields: Mobile networking and cloud computing,
despite the fact that some proposals has introduced the use of
mobiles during their investigation process [12, 13]. Mobile
devices, that have accessed a cloud storage service, could
contain important traces, complementary au traces from PCs.
Indeed, throw the mobile cloud architecture we see the
importance of the application off-loader that enables
application partitioning between the mobile and the cloud
which complicate the forensic task. Moreover, tracking
identity among heterogeneous wireless networks and cloud
environment seems to be an important issue to underline while
carrying out investigation, seeing that it originally causes
problem in mobile networks and requires the support of MSP.
VI. CONCLUSION
This paper deals with forensic investigation in mobile
cloud environment where the combination of two different
architectures is a challenging issue for investigators, such as
virtualized environment, physical inaccessibility and mobile
volatile data. We have shown throw this paper that tracking
identity in forensic process is neglected by existing proposals.
As an extension to this work, we will focus on investigating
user identity in mobile cloud environment and defining an
identity management scheme that can facilitate malicious
users’ identification during forensic investigation process.
REFERENCES
[1] H. Qui, A. Gani, “Research on mobile cloud computing: review, trend
and perspective”, Second International Conference on Digital
Information and Communication Technology and its Applications
(DICTAP), 2012.
[2] H.T. Dinh, C. Lee, D. Niyato, P. Wang, A survey of mobile cloud
computing:architecture, applications, and approaches, Wireless
Communication andMobile Computing.
[3] NIST Special Publication 800-101, "Guidelines on Cell Phone
Forensics", May 2007
[4] S.Brothers, “Cell phone and GPS Forensic Tool Classification System”,
Presentation to Digital Forensics, May 2009
[5] K. Ruan, J. Carthy, T. Kechadi, I. Baggili, “Cloud forensics definitions
and critical criteria for cloud forensic capability: An overview of survey
results”, journal of Digital Investigation 10 pages 34-43, 2013
[6] Hong Guo; Bo Jing. “Forensic investigations in Cloud environments”.,
International Conference on Computer Science and Information
Processing (CSIP), pages: 248-251, 2012.
[7] A. Levinson, B. Stackpole, and D. Johnson, "Third party application
forensics on apple mobile devices", in System Sciences (HICSS), 2011
44th Hawaii International Conference on, 2011
[8] Zhu Meng, “Mobile Cloud Computing: Implications to Smartphone
Forensic Procedures and Methodologies”, Master Thesis, Auckland
University of Technology, 2011.
[9] Ruan K., Carthy J., Kechadi T., Crosbie M., “Cloud forensics: An
Overview”, Advances in Digital Forensics, 2011.
[10] W. Kurse and J. Heiser, “Computer Forensics: Incident Response
Essentials book” Addison Wesley, 2002.
[11] D. Quick, K. Choo, “Forensic collection of cloud storage data: Does the
act of collection result in changes to the data or its metadata?”, Journal
of Digital Investigation 10 pages 266-277, 2013
[12] H. Chung, J. Park, S. Lee, C. Kang, “Digital forensic investigation of
cloud storage services”, Journal of Digital Investigation, volume 9 pages
81-95, 2012
[13] G. Grispos, W B.Glisson, T. Storer, “Using Smartphones as a Proxy for
Forensic Evidence contained in Cloud Storage Services”, CoRR journal,
2013
[14] R. Marty, “Cloud application logging for forensics”, Proceedings of the
2011 ACM Symposium on Applied Computing, 2011
[15] C.Chen, R. Tso, C. Yang, “Design and implementation of digital
forensic software for iPhone”, 8th Asia Joint Conference on Information
Security, 2013.
[16] F. Dezfouli, A. Dehghantanha, R. Mahmoud, N. Sani, S. Shamsuddin, “
Volatile memory acquisition using backup for forensic investigation”,
International Conference on Cyber Security, Cyber Warfare and Digital
Forensic (CyberSec), 2012.
[17] J. Poore, J. Flores, T. Atkison, “Evolution of digital forensics in
Virtualization by Using Virtual machine Introspection”, Proceedings of
the 51st ACM Southeast Conference ACMSE, 2013
[18] S.Zawoad, A. Dutta, R. Hasan, “SecLaaS: Secure Logging-as-a-Service
for Cloud Forensics”, CoRR Journal, 2013.
 TABLE I. Overview of some technical issues considered mobile cloud forensics

Environment Technical issues

Reference
Mobile device Cloud Mobile cloud Virtualization Volatility Acquisition Recovery Logging Identity Forensic tool


[11] - - - -  -  - -
storage service

 
[12] - - - -  - - -
Storage service Expoit traces


Exploit traces in

[13]  - - -   mobile device that - -
Storage service
accessed the cloud
storage service



[14] - Cloud - - - - - - -
Logs management
application
 
 Not all type of Limited
[15] - - - - - - -
iPhone device data were Do not support
extracted locked phones

[16]  - - -   - - - -

 Traditional
[17] -  - Using VM -   - - forensic tool
Introspecton were used

[18] -  -  - - -  - -