Research Proposal

Investigating a private Ubuntu Enterprise Cloud system

Suntisak Thammavongsa

100093531

THASY022

Bachelor of Information Technology (Honours)

Supervisor: Dr Raymond Choo

Co-Supervisor: Matthew Simon

12th June 2011

School of Computer and Information Science

University of South Australia

AbstractRecently, the term “cloud computing” has come to the attention of many people as major technology companies such as Amazon, Google, Microsoft and Apple are now offering cloud computing services. Many believe that cloud computing will become the next mainstream architecture of corporate information systems in the near future for various beneficial reasons including cost savings and improved business outcomes. Meanwhile, security in cloud computing is also a hot topic as it is still a major concern for many organizations considering adopting the new technology. For digital forensic investigators, keeping up with advances in technology is an essential responsibility. As new technologies emerge, practical guidelines for new systems or software applications will be useful sources of information. However, published practical guidelines for cloud forensics are still rare. With many competing cloud computing platforms in the market, Ubuntu Enterprise Cloud (UEC) is the focus of this research because it is a widely known open source cloud computing platform that employs the most popular common standards such as Amazon Application Programming Interfaces (APIs) (Canonical 2011a). The research will consist of desk-based research as well as laboratory-based research. The desk-based research is about gathering the theoretical knowledge needed for the investigation of the system and the laboratory-based research is for developing practical skills by building a sample private cloud system, performing penetration testing and examining the system for evidence. From this research, we hope to contribute a practical guideline that shows how the system could be configured for forensic readiness, where to look for evidence, and any challenges that may exist.

Table of Contents

Abstract.................................................................................................................................................. i

Introduction...........................................................................................................................................1

Research Question.............................................................................................................................1

Field of Thesis....................................................................................................................................1

Literature Review..................................................................................................................................2

Digital Forensics.................................................................................................................................2

Cloud Computing...............................................................................................................................2

Cloud Forensics and Related Works..................................................................................................3

Research Methodology..........................................................................................................................5

Desk-based Research.........................................................................................................................5

Laboratory-based Research...............................................................................................................5

Expected Outcome............................................................................................................................6

Research Schedule.................................................................................................................................7

Trial Table of Contents..........................................................................................................................8

Appendix A – System Specifications......................................................................................................9

Glossary...............................................................................................................................................10

References...........................................................................................................................................12

Bibliography.........................................................................................................................................13

IntroductionDigital forensics is a multi-disciplinary science. A digital forensic professional requires a synergy of skills including information technology security, forensic science, criminal justice and law. This discipline has numerous sub-branches such as network forensics, mobile device forensics, and email forensics. Recently, with the growing popularity of cloud computing, cloud forensics is becoming another specialized area of digital forensics. This emerging specialty refers to the recovery of digital evidence from cloud systems in a forensically sound manner. While cloud systems present new challenges to forensic investigators, so far there appear to be few published guidelines that specifically address the conduct of forensic investigation of cloud systems. Therefore, the aim of this research project is to study and produce a practical investigation guideline for a specific cloud computing platform. Ubuntu Enterprise Cloud (UEC) is an open source implementation of cloud computing that enables organizations to build their own private cloud systems. It is the chosen platform for this research because it supports the most popular common standards such as Amazon Application Programming Interfaces (APIs). UEC also receives regular security updates and has strong community support with active mailing lists and forums (DistroWatch 2011; Canonical 2011). Therefore, its use could become widespread and in turns be one of the cloud systems that forensic investigators will run into. The next section will present the main research question and its sub-research questions that we’re focusing on. Followed by a literature review, this section will introduce the key concepts of the topic, and discuss various issues and related works in the area. After that, we will explain the research method that we’re going to employ and also provide a research schedule as well as a trial table of contents of the final thesis.

Research QuestionHow to investigate a private Ubuntu Enterprise Cloud system?

Sub-research question one (SRQ1): What are the artefacts that a forensic investigator may examine for evidence?

Sub-research question two (SRQ2): What are the challenges of the investigation of such a system?

Sub-research question three (SRQ3): How may a system administrator configure their system for forensic readiness?

Field of ThesisCloud Forensics

Literature Review

Digital ForensicsWhen crimes involve the use of digital devices in some ways, these digital devices could become repositories of information that may be used as evidence to convict persons of crimes. Digital forensics has risen out of the need to use digital evidence and has since become an essential service for law enforcement in the fight against modern crimes.

In order for the digital evidence to be used in the court of law, a number of rules have been established for investigators to follow so that the evidence collected will satisfy the legal requirements and not seen as something mistakenly understood or fraudulently planted to make someone appear guilty. As explained by McKemmish (1999), the first rule is the minimal handling of the original which is about minimizing changes made to the original as changes could affect the final outcome. In order to do that, techniques like producing a duplication of evidence and hashing are commonly used. The second rule is to account for any changes as sometimes changes are inevitable during the examination process but these changes must be properly documented with sufficient reasons and explanations of their causes and effects. The third rule is to comply with rules of evidence, which is concerning the techniques and tools employed in the investigation as well as the methods of presenting the evidence. The tools need to be analysed, tested and qualified by law, and the way the evidence is presented must not alter the original meaning of the evidence. Finally, the fourth rule is about not exceed one’s knowledge. The rule requires that the investigator possesses sufficient knowledge and skills of the system under their investigation. This is to provide confidence that there are no misinterpretations or unaware changes in the investigation process when presenting the evidence in court.

Traditionally, digital forensics may be seen as a discipline that serves only law enforcement. Nowadays, however, digital forensics services are becoming more common in corporate environment as part of the organizations’ security strategies. According to Hilley (2004), digital forensics in corporate environment is used in areas such as fraud, money laundering, the accessing or distribution of pornography, or harassment. Non-serious cases can usually be resolved under the organization’s policy and disciplinary procedure while serious cases such as money laundering and child pornography are required by law for the company to report to the police. Nevertheless, the forensic investigation process in corporate environment will still need to satisfy the same requirements to preserve the integrity of the investigation so that the organization’s actions are justified.

Cloud ComputingIn the literature, cloud computing is often seen as a new paradigm of computing environment. A cloud system may be briefly described as a distributed computer system that leverages virtualization technology to deliver computing services to users over a network connection (Grossman 2009). The fundamental idea behind this new computing architecture shift is that advances in virtualization and various network communication technologies have enabled a better way to share scalable computing resources. This has presented a new business opportunity of offering various innovative computing services such as online applications, remote storage services and computer instances on

demand. Depending on the design and the type of cloud system, the most commonly discussed benefits of cloud computing technology include scalable computing resources, quick setup, the portability of online applications as well as some other more controversial advantages such as lower initial investment capitals, lower running costs, and better security (Grossman 2009; Sultan 2010).

Cloud computing may deliver services to users in a number of ways. Cloud computing can provide Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). SaaS provides users with finished software applications built on a particular cloud platform. Without having to install the application on local computers, users access SaaS applications over the Internet with client software like a web browser. Examples of SaaS applications include Google Docs and Dropbox. PaaS enables users to build SaaS applications with the provision of basic operating software and optional services. Google App Engine and Windows Azure are examples of PaaS offerings. IaaS provides users with only the underlying infrastructure including server hardware, storage and bandwidth and other fundamental computing resources. For example, users can rent a machine instance with complete access to all features of the operating system from Amazon EC2 services. Cloud computing may also be categorized in different deployment models. Cloud systems can be public or private. Public cloud, as the name suggests, is designed to offer services to the open public whereas private cloud is used internally by a single organization.

Despite all the widely discussed benefits, cloud computing is not without criticism and concerns. Security being one of the greatest challenges of all IT systems has also been a hot research topic of cloud computing. Especially in the case of public cloud, this is because sensitive data are kept with the provider and public clouds are usually high profile targets for hackers. On top of that, new systems mean new vulnerabilities and other security challenges. Trusted Computing Group (2010) identifies six areas of security challenges in cloud computing as virtualization isolation security issues, authentication and authorization, security of data at REST, security of data in transit or execution, incident response, and legal and regulatory issues. In recent years, various security vulnerabilities in cloud computing have been pointed out by researchers. These security exploitations include breaking out of the virtual environment, infecting hypervisor with malware, hosting botnet on the cloud, and using the cloud to launch brute-force and other attacks (Choo 2010).

Cloud Forensics and Related WorksThe principles of digital forensic investigation should be practiced in any computing environments. Cloud forensics is no exception for this. Forensic investigators are facing additional challenges in both technical and legal aspects in cloud computing environment. They need to update their knowledge and skills, and adapt their traditional forensic practices, techniques and tools to suit investigations of the new environment. Nevertheless, currently there do not seem to be many published practical guidelines for cloud forensics to support forensic investigators.

This research will follow the model of the work by Barrett & Kipper (2010). The authors offer practical guidelines on how to investigate dead and live virtual machines that run on a single computer. They explain what changes are made to the system when various virtual machines are installed, what artefacts may hold useful information, and what procedure to take when examining the system. However, their work only covers commercial products that run on a Windows host, such as VMware and Microsoft VirtualPC.

Some other work addresses cloud forensics in general without focusing on any particular platform. Taylor et al (2011) look at challenges of forensic investigations of cloud systems. Depending on the deployment model of the cloud system, whether it is a public or private cloud, the challenges will vary. They explain that while evidence acquisition in a private cloud may be as straightforward as in the traditional environment, the process could be much more complex and time consuming in a large public cloud environment. This is because a large public cloud provider may have distributed datacentres in different jurisdictions. Another challenge is that data may be stored across a large number of devices. And then there is also an issue of impacts on other users as for a public cloud system. These make it much more difficult to pin point the sources of potential evidence and the physical devices that hold the data of interest. In order to overcome these challenges, the authors suggest a legislation that requires cloud operators to keep audit trails of user activities and records of events.

Another associated piece of work is about the application of network forensics in cloud environment (Lillard et al 2010). The authors explain that cloud computing has changed the ways security controls are implemented to protect digital assets and how forensic investigations are conducted. They highlight the importance of understanding the design philosophies employed by different service providers as these design philosophies will determine the limitations on forensic investigations. Although there are commonalities among different designs, the unique characteristics of the chosen system need to be well understood for forensic analysis to be most effective. The authors also suggest that while the standard incident response process should still be followed, additional consideration on how to manage and monitor the system for forensic purposes needs to be incorporated in the plan.

Another paper related to digital forensics in general focuses on the increasingly common attacks designed against forensic analysis (Casey 2008). The author points out that modern cybercrimes are becoming more sophisticated than ever before, various anti-forensic techniques have been employed by hackers to undermine the investigations. For a while, a forensic examination that involves the recovery of lost data on hard drives, the analysis of data collected by firewalls and intrusion detection systems and the implementation of reserve software engineering techniques would have sufficiently helped reveal the activities carried out and damages caused by the intruders and malware. However, today hackers have taken their attacks to new levels of sophistication. These techniques and tools may no longer suffice. Anti-forensic measures such as overwriting files to prevent the recovery of evidence, anti-debugging mechanisms to prevent reverse software engineering, and encrypting network traffics to prevent detection and prolong the analysis have made the traditional practices, techniques and tools less effective.

While there are many competing cloud computing platforms in the market, Ubuntu Enterprise Cloud (UEC) supports the most popular common standards such as Amazon APIs. The platform receives regular security updates and has strong community support with active mailing lists and forums (DistroWatch 2011; Canonical 2011). This means that not only is there a good chance that forensic investigators will encounter this system but the study of this platform will also provide a good foundation for any further research in cloud forensics. So far, little practical forensic related how-to’s for UEC have been found. Therefore, producing a practical forensic guideline for this particular cloud platform could be a worthwhile research contribution.

Research MethodologyThe research methodology for this project consists of two phases. The initial phase of the project is desk-based research, gathering knowledge for the practical work in the second phase. In the second phase, we will install and configure a small private cloud system in laboratory environment. This phase will enable us to gain better understanding of how the system works and perform an investigative analysis on an actual system to confirm the knowledge.

Desk-based ResearchThe goal of this phase is to build a fundamental understanding of how the system works. We will need to learn how to install and configure the system, how to secure and configure the system for forensic readiness as well as where we can look for evidence.

The official Ubuntu and Eucalyptus websites provide a good source of documentation on the products. Online forums and other community hosted websites are also useful sources of knowledge, where we can find answers to common problems relating to system installations and configurations. A website like that of Cloud Security Alliance group offers a guideline on how to secure a cloud system. Other published sources will also be consulted for general forensic practices, techniques and tools as well as intrusion response process (see Bibliography). The latest knowledge in IT security doesn’t always get peer-reviewed and officially published. Therefore, the validity of all information obtained from these sources will be tested in the second phase of practical implementation.

In this desk-based research phase, we aim to address of the following areas:

Understand the architecture of Ubuntu Enterprise Cloud

Determine a system configuration plan for security and forensic readiness

Identify the artefacts to be examined for evidence

Identify any possible challenges of the investigation

Laboratory-based ResearchIn this phase, we will build a sample private cloud system so that we can put the theoretical knowledge to the test. All software applications used in this project will be limited to those under General Public Licenses (GPLs) and Berkeley Software Distribution (BSD) licenses. This study will exclude the examination of any external security controls such as a separate firewall device or intrusion detection system.

To simplify the environment, the system will be setup to run two typical corporate servers, a web server and a file server, and provide IaaS-style desktop access to end users (see Appendix A for system specifications). The web server is used to host the company’s website for public access. The website is mainly informational and has a visitor book web application. The file server is for internal use to provide remote file storage and sharing. Three groups of users representing three departments named A, B and C will be given full access to their own storage area while they’re restricted from accessing the other departments’ storage areas on this file server. We will then create a scenario where an internal employee is trying to steal confidential corporate data from the file server. A fellow student with some IT security background will be asked to perform this

penetration testing. The fellow student will play two roles as an employee of department B and another employee of department C. His goal is to compromise the cloud system and steal data from the storage area of department A. This setup aims to create an environment where an unscrupulous employee has a number of different attack vectors to try. After two weeks of attacking attempts, regardless of the result of the penetration testing, we will then examine the cloud system and try to collect evidence for such malicious activities.

Expected OutcomeAfter carrying out both phases of the research, we are expecting to have enough information to produce a practical investigation guideline for a private Ubuntu Enterprise Cloud system. The guideline will include a discussion on how a system administrator may prepare the system for forensic readiness, the identification of artefacts to be examined for evidence, and any challenges that investigators may encounter.

Research Schedule

Period Task

Early Mar 2011 Identify research interest and find supervisor

Mar 2011 Work on annotated bibliography

Early Apr 2011 Determine research topic

Late Apr 2011 – 26 May 2011 Review literature & prepare research proposal

27 May 2011 – 30 May 2011 Prepare presentation

31 May 2011 Give presentation

1 Jun 2011 Prepare research proposal continued

10 Jun 2011 Submit research proposal

11 Jun 2011 – 3 Jul 2011 Desk-based research

4 Jul 2011 – 20 Jul 2011 Away

18 Jul 2011 – 31 Jul 2011Laboratory-based research: Install and configure system

Desk-based research continued

1 Aug 2011 – 19 Aug 2011Perform penetration testing

Desk-based research continued

20 Aug 2011 – 16 Sep 2011 Examine system

17 Sep 2011 – 2 Oct 2011 Prepare thesis first draft

3 Oct 2011 – 23 Oct 2011 Prepare subsequent drafts

24 Oct 2011 Submit thesis for review

31 Oct 2011 – 6 Nov 2011 Review thesis based on feedback

7 Nov 2011 Submit final bound copy of thesis

Trial Table of Contents

i. Abstractii. Acknowledgementiii. Table of ContentsChapter 1. Overview

1.1 Introduction1.2 Research Question

Chapter 2. Literature Review2.1 Digital Forensics2.2 Cloud Computing2.3 Cloud Forensics and Related Works

Chapter 3. Research Methodology3.1 Project Scope3.2 Desk-based research3.3 Laboratory-based research3.4 Expected outcome

Chapter 4. Laboratory-based research outcome4.1 UEC Architecture Overview4.2 System Configurations4.3 Investigation outcome

Chapter 5. Practical Guideline5.1 For system administrators5.2 For forensic investigators

Chapter 6. Conclusion 6.1 Summary of research activities 6.2 Concluding remarks

AppendixGlossaryReferences

Appendix A – System Specifications

We will use a two physical system topology. This configuration puts all of the user facing components (CLC/Walrus) and back-end control components (CC/SC) on a single system, and uses the second for VM hosting (NC).

Machine 1 (CLC/Walrus/CC/SC)

Hardware Minimum Suggested Notes

CPU 1GHz 2 x 2GHz For an all-in-one front end, it helps to have at least a dual core processor

Memory 2GB 4GB The Java web front end benefits from lots of available memory

Disk 5400RPM IDE

7200RPM SATA

Slower disks will work, but will yield much longer instance startup times

Disk Space 40GB 200GB 40GB is only enough space for only a single image, cache, etc., Eucalyptus does not like to run out of disk space

Networking 100Mbps 1000Mbps Machine images are hundreds of MB, and need to be copied over the network to nodes

Machine 2 (NC)

Hardware Minimum Suggested Notes

CPU VT extensions

VT, 64-bit, Multicore

64-bit can run both i386, and amd64 instances; by default, Eucalyptus will only run 1 VM per CPU core on a Node

Memory 1GB 4GB Additional memory means more, and larger guests

Disk 5400RPM IDE

7200RPM SATA or SCSI

Eucalyptus nodes are disk-intensive; I/O wait will likely be the performance bottleneck

Disk Space 40GB 100GB Images will be cached locally, Eucalyptus does not like to run out of disk space

Networking 100Mbps 1000Mbps Machine images are hundreds of MB, and need to be copied over the network to nodes

Glossary

Anti-debugging The implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.

API (Application Programming Interface

A set of functions that a programme or person can use to send request and receive results from another programme.

AWS(Amazon Web Services)

A collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com.

Brute-force attacks A strategy used against encrypted data. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Digital Forensics The process of identifying, preserving, analysing and presenting digital evidence under forensically sound conditions

Dropbox A Web-based file hosting service operated by Dropbox, Inc.

Electronic evidence Evidence in digital or electronic form, such as e-mail, computer files, and instant messages.

Email forensics A sub-branch of digital forensics relating to recovery of digital evidence or data from emails on the client and server systems, including deleted emails, calendars and contacts.

Encrypting The process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Eucalyptus A software platform for the implementation of private cloud computing on computer clusters.

File server A computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files that can be accessed by the workstations that are attached to the computer network.

Firewall A piece of software, a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.

Google Docs Web-based word processor, spreadsheet, slide show, form, and data storage service offered by Google.

Hackers Persons who breaks into computers and computer networks for profit, as protest, or sometimes by the motivation of the challenge.

Hypervisor Also called virtual machine manager, it is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.

Intrusion detection system A piece of software, a device or set of devices designed to monitor network and/or system activities for malicious activities or policy violations and produces reports to a Management Station

Malware(malicious software)

Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.

Mobile device forensics A sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.

Network forensics A sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection.

Penetration testing A method of evaluating the security of a computer system or network by simulating an attack from a malicious source

REST (Representational State Transfer)

A style of software architecture for distributed hypermedia systems such as the World Wide Web.

UEC(Ubuntu Enterprise Cloud)

An edition of Linux-based Ubuntu operating system for cloud computing platforms.

Virtualization The creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.

VMware A commercial virtualization software product.

Vulnerabilities A weakness which allows an attacker to reduce a system's information assurance.

Web Server It can refer to either the hardware (the computer) or the software (the computer application) that helps to deliver content that can be accessed through the Internet.

References

Barrett, D & Kipper, G 2010, 'Investigating Dead Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 83-107.

Barrett, D & Kipper, G 2010, 'Investigating Live Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 109-128.

Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.

Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and criminal justice, vol. 400.

Cononical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/deploy-anywhere>.

Cononical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/secure-and-robust>.

DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011, <http://distrowatch.com/dwres.php?resource=major>.

Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.

Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security, vol. 2006, no. 6, pp. 14-16.

Hilley, S 2004, The corporation: the non-policed state, Infosecurity Today, Vol. 1, No. 6, pp 36-37.

Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010, 'What Is Network Forensics?', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.

McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.

Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems', Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.

Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing systems', Network Security, vol. 2011, no. 3, pp. 4-10.

Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted Computing Group, viewed 24 March 2011, <http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294-D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.

Bibliography

Barrett, D & Kipper, G 2010a, 'Cloud Computing and the Forensic Challenges', Virtualization and Forensics, Syngress, Boston, pp. 197-209.

Barrett, D & Kipper, G 2010b, 'Investigating Dead Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 83-107.

Barrett, D & Kipper, G 2010c, 'Investigating Live Virtual Environments', Virtualization and Forensics, Syngress, Boston, pp. 109-128.

Barrett, D & Kipper, G 2010d, 'Virtualization Challenges', Virtualization and Forensics, Syngress, Boston, pp. 175-195.

Casey, E 2008, 'Attacks against forensic analysis', Digital Investigation, vol. 4, no. 3-4, pp. 105-106.

Casey, E, Daywalt, C & Johnston, A 2010, 'Intrusion Investigation', in Eoghan, C (ed), Handbook of Digital Forensics and Investigation, Academic Press, San Diego, pp. 135-206.

Choo, K-KR 2010, 'Cloud computing: Challenges and future directions', Trends & issues in crime and criminal justice, vol. 400.

Cononical 2011a, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/deploy-anywhere>.

Cononical 2011b, Ubuntu.com, United States of America, viewed 9 June 2011, <http://www.ubuntu.com/business/cloud/secure-and-robust>.

Cyber Security Operation Centre 2011, Cloud Computing Security Considerations, Department of Defence Intelligence and Security, viewed 29 May 2011, <http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf>

DistroWatch 2011, DistroWatch.com, United States of America, viewed 9 June 2011, <http://distrowatch.com/dwres.php?resource=major>.

Grossman, RL 2009, 'The Case for Cloud Computing', IT Professional, vol. 11, no. 2, pp. 23-27.

Haggerty, J & Taylor, M 2006, 'Managing corporate computer forensics', Computer Fraud & Security, vol. 2006, no. 6, pp. 14-16.

Hilley, S 2004, The corporation: the non-policed state, Infosecurity Today, Vol. 1, No. 6, pp 36-37.

Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010a, 'Incorporating Network Forensics into Incident Response Plans', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 221-274.

Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010b, 'Other Network Evidence', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 59-92.

Lillard, TV, Garrison, CP, Schiller, CA & Steele, J 2010c, 'What Is Network Forensics?', Digital Forensics for Network, Internet, and Cloud Computing, Syngress, Boston, pp. 3-20.

McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology, Canberra.

Nick, JM, Cohen, D & Kaliski, BS 2010, 'Key Enabling Technologies for Virtual Private Clouds', in Furht, B & Escalante, A (eds), Handbook of Cloud Computing, Springer US, pp. 47-63.

Reilly, D, Wren, C, Berry, T 2010, 'Cloud computing: Forensic challenges for law enforcement', Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, 8-11 Nov. 2010.

Taylor, M, Haggerty, J, Gresty, D & Hegarty, R 2010, 'Digital evidence in cloud computing systems', Computer Law & Security Review, vol. 26, no. 3, pp. 304-308.

Taylor, M, Haggerty, J, Gresty, D & Lamb, D 2011, 'Forensic investigation of cloud computing systems', Network Security, vol. 2011, no. 3, pp. 4-10.

Trost, R 2010, Practical Intrusion Analysis – Prevention and Detection for the Twenty-First Century, Addison-Wesley, United States of America.

Trusted Computing Group 2010, 'Cloud Computing and Security - A Natural Match', Trusted Computing Group, viewed 24 March 2011, <http://www.trustedcomputinggroup.org/files/resource_files/1F4DEE3D-1A4B-B294-D0AD0742BA449E07/Cloud%20Computing%20and%20Security%20Whitepaper_July29.2010.pdf>.

Volonino, L, Anzaldua, R & Godwin, J 2007, Computer Forensics: Principles and Practices, Pearson Prentice Hall, United States of America.

Wang, Y, Cannady, J & Rosenbluth, J 2005, 'Foundations of computer forensics: A technology for the fight against computer crime', Computer Law & Security Report, vol. 21, no. 2, pp. 119-127.

Wardley, S, Goyer, E & Barcet, N 2009, ‘Ubuntu Enterprise Cloud Architecture’, Canonical, viewed 24 March 2011, < http://www.canonical.com/sites/default/files/active/Whitepaper-UbuntuEnterpriseCloudArchitecture-v1.pdf>.

Winkler, V 2011, 'Operating a Cloud', Securing the Cloud, Syngress, Boston, pp. 253-277.