Experts reviews of a cloud forensic readiness framework for organizations

Cloud computing has drastically altered the ways in which it is possible to deliver information technologies (ITs) to consumers as a service. In addition, the concept has given rise to multiple benefits for consumers and organizations. However, such a fast surge in the adoption of cloud computing has led to the emergence of the cloud as a new cybercrime environment, thus giving rise to fresh legal, technical and organizational challenges. In addition to the vast number of attacks that have had an impact on cloud computing and the fact that cloud-based data processing is carried out in a decentralized manner, many other concerns have been noted. Among these concerns are how to conduct a thorough digital investigation in cloud environments and how to be prepared to gather data ahead of time before the occurrence of an incident; indeed, this kind of preparation would reduce the amount of money, time and effort that is expended. As a number of cloud forensics challenges have not received enough attention, this study is motivated by a particular gap in research on the technical, legal and organizational factors that facilitate forensic readiness in organizations that utilize an Infrastructure as a Service (IaaS) model. This paper presents a framework with which to investigate the factors that facilitate the forensic readiness of organizations. This framework was identified by critically reviewing previous studies in the literature and by performing an in-depth examination of the relevant industrial standards. The factors were comprehensively studied and extracted from the literature; then, the factors were analysed, duplicates were removed, and the factors were categorized and synthesized to produce the framework. To obtain reliable results, the research method involved two steps: a literature review, followed by expert reviews. These techniques help us paint a comprehensive picture of the research topic and validate and confirm the results.

The recent era has witnessed a cloud computing revolution; this revolution not only has led many to view the concept as a new IT paradigm but also has given cloud computing a reputation as one of the most rapidly growing and industry-changing technologies since the conception of computing itself [1]. In addition, this enormous surge has altered the way in which ITs can be used to access, manage, create and deliver services [2]. Many firmly believe that money is among the primary reasons cloud computing is thought of as a rapidly growing technology; indeed, adopting cloud computing in organizations can reduce the cost of IT [3].

However, the aforementioned lightning-fast growth in cloud computing adoption has led to a situation in which cloud environments are now viewed as a new environment for cybercrime. This situation has also given rise to fresh legal, organizational and technical challenges. At this point, it is appropriate to mention the substantial number of attacks that have an influence on cloud computing and the fact that cloud-based data processing is carried out in a decentralized manner; indeed, in addition to these factors, many have expressed concerns related to how a thorough digital investigation can be conducted in cloud environments [1]. In general, should any attack take place, it is essential to conduct investigations without the need to rely on a third party. However, the situation is different in cloud environments, where such a process is still complicated; these complications arise from the fact that cloud providers, which fully dictate what happens in the environment, remain in control of the sources of evidence. In addition, consumers, to some extent, are still unable to proactively gather data prior to the occurrence of an incident [4]. Therefore, ensuring that forensic readiness is achieved before digital investigations are conducted would reduce the expenditure of both money and time.

According to Market Research Media [5], the worldwide cloud computing market is forecast to grow by a compound annual growth rate (CAGR) of 30% through 2020; at this point, many feel that the market will be worth approximately $270 billion. Such an estimation clearly illustrates the growth of the cloud computing industry, as well as the surge in the number of cloud users across the globe. Nevertheless, this growth will also give rise to an increase in the frequency with which cyberattacks are carried out. Although cloud forensics faces numerous challenges, there are no specially designed guidelines, procedures or standards pertaining to cloud forensics [6]. The investigation of this paper seeks to understand and identify the factors that contribute to cloud forensic readiness in organizations that utilize an Infrastructure as a Service (IaaS) model.

Motivation

As cloud environments have brought new challenges to the digital forensics field, the National Institute of Standards and Technology (NIST) [7] has identified 65 cloud forensics challenges. Aside from the vast number of attacks that have had an impact on cloud computing and the fact that cloud-based data processing is carried out in a decentralized manner, many other concerns have also been noted. Among these concerns are the issues of how to conduct a thorough digital investigation in cloud environments and how to prepare to gather data ahead of time prior to the occurrence of an incident; indeed, this kind of preparation would save money, effort and time. To the best of our knowledge, there are no standards or guidelines that focus on cloud environments at the time of writing/conducting this research. Consequently, we are motivated to investigate the influencing factors of cloud forensic readiness. The first essential is to understand the existing gaps and challenges faced by cloud consumers as they attempt to be forensically ready. Bearing this in mind, we propose the following research objectives:

• To fill the gaps in existing research regarding cloud forensic readiness.

• To identify the factors that contribute to forensic readiness in organizations that utilize an IaaS model.

• To verify the cloud forensic readiness framework.

To achieve the objectives of this study and contribute to the cloud forensics field, the following research question must be answered.

RQ1: What is the appropriate framework for cloud forensic readiness in organizations that utilize an IaaS model? This question is divided into three sub-questions:

• Q1.1: What are the technological factors that influence cloud forensic readiness in organizations?

• Q1.2: What are the legal factors that influence cloud forensic readiness in organizations?

• Q1.3: What are the organizational factors that influence cloud forensic readiness in organizations?

The paper is structured as follows: The second section provides a literature review that discusses the concept of digital forensics and cloud forensics as well as some related. The third section proposes the cloud forensic readiness framework of this study; this proposal involves identifying all factors and mapping them to the literature. The fourth section outlines the research approach implemented during this study. The fifth section presents the study results, and the sixth section discusses the findings from the expert reviews. The final section provides an overview of the research and presents conclusions drawn from the results and future research directions.

Since the technological revolution began in earnest in the late twentieth century, the number of crimes involving computers has grown dramatically. As a result, since that time, digital forensics has been employed to combat any attack or cybercrime and to improve and acquire legal evidence found in digital media. Digital forensics can be identified as the application of science to identify, acquire, examine and analyse data while maintaining data integrity and the chain of custody of the information [8, 9].

Many hold the belief that digital forensics, as a separate specialty, was pioneered during the late 1990s, just as the frequency of computer crimes began to rise due to the surge in the popularity of the Internet [10]. The recent era has seen an increase in the frequency of cyberattacks in cloud environments, and this increase is clear evidence of the ability that cybercriminals possess in regard to creating substantial and costly damage for both cloud providers and cloud customers [4]. The growing number of cybercriminals in cloud environments has resulted in more security breaches, which has prompted many organizations to embrace the need for cloud forensic readiness [11]. Moreover, the results of a cloud forensics survey by Ruan et al. [1] revealed that more than 80% of respondents who were familiar with digital forensics expressed that “a procedure and a set of toolkits to proactively collect forensic-relevant data in the cloud is important”. Consequently, it is essential that cloud consumers achieve forensic readiness prior to the occurrence of any incident.

Service models are provided in cloud computing at three different levels: Software as a Service (SaaS), Platform as a Service (PaaS) and IaaS. Consumers have less control over an SaaS model, and the control level increases as we progress towards the IaaS model, as shown in Fig. 1. For instance, collecting evidence logs in a SaaS model exclusively depends on the cloud service provider (CSP). In contrast, in an IaaS model, the virtual machine image can be collected from the customer side [13]. As the aim of this research is to enable organizations to be forensically ready, our research scope focuses on the IaaS model, which provides consumers with a higher level of control.

Consumers’ control over various models [12]

Full size image

This paper focuses on cloud forensic readiness from consumer perspectives, and for the purpose of this research, we can identify cloud forensic readiness as a mechanism that aims to reduce the cost of conducting an investigation in a cloud environment and to provide any relevant information needed before setting up an investigation. There is clear evidence showing that cloud forensic readiness can give rise to many benefits for cloud environments, including an enhanced security level. Marco et al. [4], Pangalos and Katos [14], and Alenezi et al. [15] agree that forensic readiness helps organizations improve their security strategies, be prepared for any attack, and reduce the number of security incidents.

Review of related work

In this paper, we critically reviewed previous studies in the literature and performed an in-depth examination of the relevant industrial standards. To paint a comprehensive picture of the research topic, five database sources that are considered the most relevant to the fields of computer science were selected: SpringerLink, the Association for Computing Machinery (ACM) Digital Library, the Institute of Electrical and Electronics Engineers (IEEE), ScienceDirect and Google Scholar. All of the searches were limited in date from 2010 to 2019. The queries used in this paper were as follows: (Cloud OR Digital) AND (Forensic OR Crime) AND (Readiness OR Framework OR Model OR Process OR Examination OR Analysis).

Numerous important studies have made attempts to explore digital forensic readiness, and the main studies are highlighted below:

Grobler et al. [16] identified certain goals and aims that accompany proactive digital forensics, as well as six diverse dimensions of digital forensics. They presented a theory-based digital forensics framework that is capable of guiding organizations as they begin to employ proactive forensics. Alharbi et al. [17], identified and mapped the processes that currently exist in the digital forensics literature. Doing so resulted in the proposal of a proactive and reactive digital forensics process. Moreover, Elyas [18, 19] formulated a conceptual framework by pinpointing factors that can contribute to the process of reaching a state of digital forensic readiness within organizations. Furthermore, Valjarevic and Venter [20] proposed guidelines related to the implementation of the harmonized digital forensic investigation readiness process (DFIRP) model. This model consists of three readiness processes: assessment, implementation, and planning; the model was then added to ISO/IEC 27043: 2015. The guidelines that were presented can assist in the implementation of digital forensic readiness measures in a diverse range of organizations.

Moussa et al. [21] proposed a conceptual framework that aims to assist IaaS consumers in achieving forensic readiness. IaaS consumers can utilize the framework to establish how they should gather the necessary digital evidence without having to rely on cloud providers. However, the framework itself has yet to be verified or investigated empirically. A decision-making approach based on an algorithm was introduced by Simou, Troumpis and Kalloniatis [22] to calculate organizations’ forensic readiness and compliance level and to categorize the unimplemented tasks in the cloud. Their aim was to identify important unimplemented tasks, classify them and prioritize them accordingly to provide useful information for both software engineers and stakeholders to make the appropriate decision. Similarly, Park et al. [23] introduced a digital forensic readiness model in cloud computing-based smart work. This model consists of two categories, namely, policy readiness and technical readiness. The authors conducted a validity analysis by distributing a survey to a number of digital forensic experts. However, not all evaluation criteria achieved scores that confirmed validity, and future research is expected to conduct an in-depth analysis of the proposed model for greater validity.

Sibiya et al. [24] introduced a forensic readiness model that can be employed by cloud providers as a technique to facilitate digital forensic readiness. This model can aid cloud providers in administering data that are necessary for any pending investigations. Regardless, the scope of the model means that it is limited to assessing data in terms of their readiness for cloud environment-based forensic analysis. Along similar lines, Makutsoane and Leonard [25] proposed a conceptual framework that can be used by organizations that have a tendency to switch to cloud computing. The aim behind their proposed framework was to determine the state of readiness of CSPs and to allow companies to make correct decisions regarding the most suitable CSPs.

A model aimed at facilitating digital forensic readiness through the implementation of a botnet service in a cloud environment was proposed by Kebande and Venter [26]. The primary contribution made by this model was the fact that it altered botnets, thus allowing them to transition from illegal to legal applications capable of monitoring and information capturing. The authors drew attention to the requirements that a cloud environment must meet when a non-malicious botnet is being used to prepare for forensic investigations [27]. All of the requirements proposed by these authors pertain to the legal, operational and technical aspects that emerge from the ISO/IEC 27043:2015 standard. Moreover, Kebande and Venter [28] examined the design and implementation of a cloud forensic readiness system. To function as an agent-based solution (ABS) in the cloud, a non-malicious botnet was employed by the authors. This technique is also aligned with ISO/IEC 27043: 2015, which enables organizations to conduct digital investigations without disrupting cloud operations.

In addition, a forensic-by-design framework was proposed by Ab Rahman et al. [29] for cyber-physical cloud systems (CPCSs). The framework clearly demonstrated exactly how important forensic readiness is. Such a conceptual framework, which is composed of six factors, guarantees that the design of a CPCS is based on the goal of simplifying and increasing the efficiency of forensic investigations. The forensic-by-design approach is supposed to be capable of facilitating digital investigations. In order for a judge to decide whether the presented evidence is trustworthy, Dykstra et al. [30] emphasized the importance of trust in cloud services. Their study investigated trust challenges during the collection of digital evidence in an IaaS model. Their proposed model is divided into six layers, and in each layer, various types of forensics activities and trust are required. However, their experiments were specific to an IaaS model using Elastic Compute Cloud (EC2) services. The study did not extent to other cloud service models because EC2 is the only model in which forensic tools can be installed.

Also of note here is a model that was presented by Trenwith and Venter [31] that aims to help reach a state of digital forensic readiness within a cloud environment. This model proposed the concept of using a remote and central logging facility that accelerates data gathering. Similarly, Zawoad et al. introduced Secure Logging as a Service (SecLaaS), which allows investigators to acquire the logs of virtual machines and to ensure the confidentiality of cloud users [32]. SecLaaS is supposed to protect the integrity of logs from any manipulation by providing proofs of past logs.

While numerous studies have investigated digital forensic readiness, a few studies have investigated digital forensic readiness in cloud environments. Moreover, to the best of our knowledge, this study is the first to have collected all of these factors together and to have analysed the way in which they affect cloud forensic readiness. Therefore, the goal of the present research is to propose and verify a framework that can facilitate organizations that utilize an IaaS model in achieving forensic readiness.

As discussed above, the cloud environment is considered an issue in the field of digital forensics; for this reason, numerous challenges have emerged. The NIST [7] has identified 65 cloud forensics challenges. As a result, cloud computing is viewed by many experts as a new cybercrime environment. Among these concerns are the issues of how to conduct a thorough digital investigation in cloud environments and how to prepare to gather data ahead of time prior to the occurrence of an incident; this preparation would save money, effort and time. To the best of our knowledge, a few studies have investigated cloud forensic readiness in general. To date, however, no other studies have gathered all of the influencing factors and introduced a verified framework that helps organizations that utilize an IaaS model be forensically ready. The following framework is proposed based on the literature review; the proposed framework was further elaborated in a previous research paper [15]. The framework consists of three dimensions, as depicted in Fig. 2: The proposed cloud forensic readiness framework [15].:

The proposed cloud forensic readiness framework [15]

Full size image

Technological factors

The technological factors describe the technological aspects that influence cloud forensic readiness in organizations. The following technological factors are related to digital forensic readiness and were identified by the literature review.

• Cloud infrastructure: Preparing the underlying infrastructure makes it possible to support and facilitate digital forensic investigations. Preparing the infrastructure helps organizations appropriately determine, trace and preserve potential evidence. Infrastructure preparation pertains to servers, storage, networks, operating systems, and digital forensic laboratories.

• Cloud architecture: The cloud architecture must be designed to increase its forensic capabilities. The correct architecture that supports cloud forensics will facilitate forensic procedures and make it possible to obtain admissible digital evidence.

• Forensic technologies: These technologies include specialized forensic software or hardware that can allow organizations to conduct a complete indoor digital investigation. They are considered vital when collecting and examining digital evidence in cloud environments. It can be difficult to conduct a digital investigation without proper technology, and therefore, these technologies should be reliable and accurate to produce admissible evidence.

• Cloud security: Security in cloud computing can be utilized in the digital forensics field as a trigger alarm to generate alert notifications when specified criteria are met and to provide a secure environment to facilitate the process of finding digital evidence and sources of evidence. Thus, to conduct a digital investigation, incidents must first be detected by a monitor system in a timely manner. Doing so can be achieved using various technologies, such as intrusion detection systems (IDSs), as well as anti-virus and anti-spyware technology. Moreover, the collected evidence must be securely gathered, transported and stored in a secure location.

Legal factors

The legal factors include aspects that are related to agreements between consumers and providers, multi-jurisdictions and regulatory issues. These factors are further elaborated below:

• Service Level Agreements (SLAs): An SLA is a contract between a CSP and consumers that documents what services will be offered by the provider, including forensic investigations. SLAs should clearly specify the responsibilities of CSPs and customers associated with forensic investigations. Cloud providers and consumers need to agree on SLAs to avoid missing terms or conditions and to support potential digital investigations.

• Regulatory: This factor involves adherence to laws and regulations. To achieve forensic readiness, organizations must be aware of and comply with relevant laws, policies, and regulations. Moreover, cloud providers must adhere to the regulations imposed on service providers.

• Jurisdiction: This factor refers to the judicial region. Since CSPs may provide cloud services from different regions or areas, it is necessary for organizations to determine the judicial regions, if any, or to consider all multi-jurisdictions. It can be problematic for organizations to conduct an investigation while some data are not in the same jurisdiction or if multi-jurisdiction has not been specified in the service agreements. Furthermore, organizations should have a clear understanding of the legal and regulatory requirements of relevant jurisdictions. Organizations should agree with service providers regarding which jurisdictions data reside in and the cooperation during digital investigations.

Organizational factors

The organizational factors illustrate the characteristics of an organization and its employees that can facilitate cloud forensic readiness. These factors, defined below, have been highlighted by some research studies in the literature:

• Management support: This factor involves the top management level of the organization, which helps the organization achieve forensic readiness, including authorization, decision-making, necessary resources, and funds. It is important that the top management in organizations is aware of the importance of being forensically ready and has an influence on the establishment and implementation of the readiness of digital investigations.

• Readiness strategy: This factor is an organization’s plan to achieve forensic readiness. In general, the strategy pertains to how the readiness would work. To achieve successful forensic readiness, organizations must clearly form dedicated strategic objectives that serve the organization’s needs. The organization’s readiness strategy must be flexible to adapt to potential changes.

• Governance: This factor refers to the management of the implementation of processes and structures in the organization that designate responsibilities and practices. This aspect includes the organization’s general policy on cloud forensic readiness, such as managing forensics procedures and responsibilities related to digital evidence that is found in the cloud or any other resources. Ensuring that all procedures and responsibilities are structured in a correct way leads to a successful forensic investigation. In addition, governance can ensure the quality of forensic readiness in an organization.

• Culture: This factor concerns the pattern of beliefs, values, assumptions and practices that have a direct impact on cloud forensic readiness. Successful forensic readiness can be achieved by making a cultural change in relation to the importance of forensic readiness and a culture of adherence to best practices in relation to forensic readiness. This cultural change can be achieved through the implementation of staff training and awareness as well as forensics policies.

• Training: This factor involves providing training programmes to technical staff and awareness programmes to non-technical staff on forensics best practices. To achieve forensic readiness, organizations should educate and certify their technical staff through forensics training programmes to ensure that their skills and knowledge are up to date. Moreover, awareness training programmes should be provided to non-technical staff so that they know how to respond in the case of suspicious activities; indeed, such knowledge will minimize the risk of evidence loss.

• Procedures: This factor involves the organization’s general policies on cloud forensics as well as security and privacy policies during digital investigations. Organizations should clearly state their forensics polices, as doing so will make it possible to collect admissible evidence. Such policies include various procedures, guidelines and standards that steer the digital investigation within an organization. The policies of the organization should be assessed periodically. Table 1 maps the identified factors to the literature [15].

  Full size table

When the nature of research is exploratory, a qualitative method is most suitable; such a methodology is employed to identify the perception of the audience under study in regard to certain issues [33]. The purpose of a qualitative approach is to clarify respondents’ thoughts, feelings, decisions and actions [34]. In this way, it is possible to understand a certain situation, as a qualitative approach provides insights into issues that could well be the focus of future studies. Scholars often employ qualitative methods when working with the results of a literature review [35]. Because a qualitative approach generates a great deal of data, coding is the most commonly used approach to analysing data [33]. To identify and report the themes running through the raw data, thematic analysis was employed. Thematic analysis is a technique that makes it possible to collate and summarize a corpus in a particular way, which, in turn, aids researchers in locating vital elements that will allow them to produce effective research questions [36, 37]. To complete the analysis of the qualitative data, NVivo 11 software was employed to examine the themes of the raw data.

For this study, interviews were considered the most suitable approach for qualitative data collection [38]. Not only does this technique help researchers paint a comprehensive picture of the research topic, but it also makes it possible to validate and confirm the results. This study involved interviews with experts in the relevant field to review and verify the proposed framework. The interviews also made it possible to examine other factors that had not previously been mentioned in the framework. When employing this method, it was essential to link and contrast the data that resulted from the literature review, as well as the expert reviews. The first phase involved gathering data by analysing the literature and the relevant industry standards to construct a framework. During the expert interviews (second phase), the respondents were asked both open- and closed-ended questions to verify the framework and to add new factors not found within the framework.

In qualitative studies, the sample usually consists of fewer participants than in quantitative studies [39]. It is vital for researchers to clarify the minimum sample needed; in this way, pinpoint, reliable results can be obtained [40]. Scholars have yet to produce an agreed-upon consensus regarding how many experts should be interviewed when conducting a confirmatory study. The majority of research has recommended that between 3 and 20 experts should be interviewed [41]. However, Guest et al. [42] suggested that the saturation point is generally reached when 12 respondents are interviewed. As a result, the present study conducted interviews with 12 experts in the fields of security and digital forensics and who had experience in a cloud environment. The interviewees were deemed to be expert only if they had been working in the field of digital forensics and/or security for a minimum of five years, had worked with the IaaS model and/or made a contribution to this field. This study was set in various countries, as clearly shown in Table 2: Summary of the interviewees.:

This section presents the findings from the expert reviews. Experts were interviewed to verify the proposed framework and to identify any factors that were not mentioned in the framework. The purpose of the interviews was to seek out and clarify any problems related to cloud forensics and to assess how important it is for organizations to be ready to conduct digital investigations in cloud environments. The experts’ opinions and comments are presented below:

Technological factors

The participants were asked to give their thoughts on the factors related to technological cloud forensic readiness. The interview results were clear: All experts were in agreement that the technological factors are very important or important in the context of cloud forensic readiness. Of the experts interviewed, most agreed that the infrastructure of the cloud is important in terms of achieving cloud forensic readiness. Additionally, every single expert stated that the architecture of the cloud is vital to achieving cloud forensic readiness. Moreover, all experts agreed that digital investigations cannot be conducted without forensics technologies that are able to produce reliable evidence. Similarly, all of the interviewed experts agreed that security during digital investigations is vital to achieving cloud forensic readiness. Table 3 presents some of the most notable findings in this regard.

Legal factors

Following the interviews, it was clear that the legal factors are important in relation to cloud forensic readiness. There was a clear agreement between the expert respondents regarding the importance of SLAs in cloud forensics. Additionally, most of the interviewees were in agreement regarding the importance of taking into account regulatory compliance with regard to achieving cloud forensic readiness. Six of the experts stated the opinion that the regulatory factor should to be changed to regulatory compliance. Moreover, many of the interviewees emphasized the importance of identifying the legal jurisdiction(s) before conducting digital investigations. Seven of the expert respondents opined that the jurisdiction factor should be changed to multi-jurisdictions. Table 4 presents a collection of some of the most notable statements made in this regard.

Organizational factors

As clearly shown by the findings from the expert interviews, the organizational factors are viewed as being very important or important in regard to achieving forensic readiness. It was fairly clear that a consensus existed among the respondents regarding the importance of management support in regard to achieving cloud forensic readiness. Moreover, all the interviewees agreed that if forensic readiness is to be achieved by organizations, then a readiness plan should be in place. Additionally, many of the interviewees pointed to the importance of organizational culture in regard to an organization reaching its goal of forensic readiness. Of all the experts interviewed, six felt that the culture factor should be replaced by the term organizational culture. Furthermore, the firm belief among all interviewees was that training is vital in regard to reaching forensic readiness within organizations; however, five interviewees opined that the training factor should instead be named training and awareness. Notably, all interviewees agreed that an organization has a better chance of achieving forensic readiness if it has digital forensics policies in place. In total, five of the interviewees suggested that the procedure factor should be changed to policies because policies would be a broader term that covers the various forensics procedures, guidelines and standards that steer digital investigations within an organization. The most notable statements made in this regard are presented in Table 5.

Overall, the proposed framework has been verified by the experts. Some of the proposed factors were altered, and new factors were added by the experts to improve the framework. The next section provides a discussion of the study findings.

The interviews with the experts verify the proposed framework; the names of five of the factors were altered, while two more factors were added, as can be seen in Fig. 3. As a result, following the literature review, the expert review and the questionnaire, the framework was verified. The following section examines the results of the expert reviews.

The verified cloud forensic readiness framework

Full size image

As stated in the literature [1, 6, 7, 43,44,45] and by a number of the interviewed experts, cloud computing has given rise to numerous issues and problems in the field of digital forensics. Indeed, any organization that uses cloud services must have a plan in place and pay attention to cloud forensics before future attacks happen. All experts agreed that forensic readiness is affected by the three dimensions, namely, legal, technological, and organizational factors. In addition, most of the experts agreed with the factors and saw no convincing reason to exclude any of the proposed factors. The findings of the interviews made it clear that the experts viewed these factors as important and felt that they have a substantial influence on cloud forensic readiness.

Following the interviews, it was also clear that all of the technological factors are vital in regard to achieving cloud forensic readiness. Moreover, a number of the experts asked for the inclusion of forensics techniques within the technological factors. With regard to the legal factors, most of the experts concurred with the factors proposed but felt that certain factors should be renamed, e.g., regulatory compliance instead of regulatory and multi-jurisdictional instead of jurisdiction. In addition, numerous experts expressed the feeling that the privacy factor should be added to the legal factors. Moreover, the experts stated that all of the organizational factors are vital, with none of them recommending that new factors needed to be added. Nevertheless, certain experts suggested that a few factors should be renamed. The procedure factor has been renamed policies. Given the significant influence of cloud forensics on the standardization process and its need, the term policies would be a wider term that includes the forensics procedures, guidelines and standards that guide digital investigations within an organization. While cloud computing poses a number of digital forensics challenges, there are no specially designed guidelines, procedures or standards pertaining to cloud forensics [6]. Consequently, we would like to take this opportunity to argue that standard-setting bodies need to establish policies, guidelines and standards dedicated to the cloud computing environment.

Moreover, the culture factor has been changed to organizational culture to focus on the practices that have a direct impact on the forensic readiness in organizations. The training and awareness factor has replaced training. This process involves technical and non-technical staff by providing training programmes to technical staff and awareness programmes to non-technical staff on forensics best practices.

However, it was also important for the experts to improve the proposed framework by adding any essential factors that were not stated in the framework and that could potentially affect cloud forensic readiness within organizations. In reference to this point, the experts identified two new factors – namely, privacy and forensics techniques – which they thought should be taken into account by organizations that are preparing for forensic readiness. Both of these factors were viewed as important; indeed, five experts felt that they should be included in the framework. They also stated that it is vital to add the privacy factor to the legal factors of the proposed framework. The experts in digital forensics defined privacy as the retention of information and data that are accessed, gathered, logged, and wiped throughout and after investigations related to digital forensics. All the experts expressed the belief that organizations should have proper mechanisms to ensure privacy during a forensic investigation. No previous study has emphasized privacy during digital investigations in their proposed solutions. Subsequently, the decision was made to add the privacy factor to the legal factors category.

In addition, seven of the experts suggested that a new factor, designated forensics techniques, should be added to the technological factors. Forensics techniques are employed when there is a need to respond to and to conduct investigations into cloud forensics within an organization. Such forensics techniques may include those used to provide answers to the “5 W” questions: What happened? When did it happen? Where did it happen? Why did it happen? Who did it? Following this, the focus switches to summarizing the investigation’s results (e.g., the first reaction, data acquisition, data assessment and evaluation, and conclusions). These techniques allow organizations to collect evidence such that means it can be used as admissible evidence in a court of law. These types of measures aid organizations in minimizing the possibility that their business will be interrupted. Accordingly, it was decided that the forensics techniques factor should be included in the technological factors category.

It should be noted at this point that numerous other factors were mentioned but ignored because they were already covered in the framework. These omitted factors included the handling of forensic evidence, which overlaps with forensics techniques, and qualifications, which overlap with training and awareness.

Although cloud environments are now an alluring environment for cybercrime, there remains precious little research that has addressed forensic readiness in cloud environments. This paper started by providing an overview of digital forensics and then discussed the related work. From the literature review, it was clear that it is essential to explore forensic readiness in cloud environments. Therefore, this study aimed to investigate the cloud forensic readiness factors that influence organizations to be prepared to conduct cloud forensic investigations. In this paper, the proposed framework was reviewed and verified by a number of experts in the fields of security and digital forensics. In terms of the results of the expert reviews, it was clear that all the proposed dimensions and factors are important. Five factors were renamed, and two new factors were added by the experts. In future work, a survey will be distributed to cloud forensics practitioners in different organizations to validate the cloud forensic readiness framework. Doing so will help us construct an instrument derived from the verified framework to measure organizations’ forensic readiness status.

Not applicable.

CAGR:

global compound annual growth

CPCS:

Cyber-Physical Cloud Systems

CSPs:

Cloud Service Providers

DFIRP:

Digital Forensic Investigation Readiness Process

IaaS:

Infrastructure as a Service

ISO/IEC:

International Organization for Standardization/International Electrotechnical Commission

IT:

Information Technology

NIST:

The National Institute of Standards and Technology

SLAs:

Service Level Agreements

We acknowledge Northern Borders University in Saudi Arabia and the Saudi Arabian Cultural Bureau in the UK for their scholarship to Ahmed Alenezi that allows the research to be funded and undertaken.

The research is funded by Northern Border University, Saudi Arabia.

Authors and Affiliations

1. Faculty of Computing and Information Technology, Northern Border University, Rafha, Saudi Arabia

   Ahmed Alenezi

2. School of Electronics and Computer Science, University of Southampton, Southampton, UK

   Ahmed Alenezi, Hany F. Atlam & Gary B. Wills

Contributions

AA designed and developed the proposed framework as well as confirmed the framework by interviewing number of experts. HA has been involved in drafting the manuscript, while GW contributed to the abstract part and supervised AA. All authors read and approved the final manuscript.

Authors information

Ahmed Alenezi a lecturer at Northern Border University, Saudi Arabia and a Ph.D. candidate at the University of Southampton, UK. Ahmed is interested in multidisciplinary research topics that related to computer science. His research interests include and not limited to: Parallel Computing, Digital forensics, Cloud Forensics, Cloud Security, Internet of Things Forensics and Internet of Things Security. Ahmed’s Ph.D. research project focuses on Cloud Forensics.

Hany F. Atlam has large experiences in networking as he holds international Cisco certifications, Cisco Instructor certifications, and database certifications. Hany’s research areas include IoT security and privacy, Cloud computing security, Blockchain, Big data, digital forensics, computer networking and image processing.

Gary Wills is an Associate Professor in Computer Science at the University of Southampton. He graduated from the University of Southampton with an Honours degree in Electromechanical Engineering, and then a PhD in Industrial Hypermedia systems. He is a Chartered Engineer, a member of the Institute of Engineering Technology and a Principal Fellow of the Higher Educational Academy. He is also a visiting associate professor at the University of Cape Town and a research professor at RLabs. Gary’s research projects focus on Secure System Engineering and applications for industry, medicine and education.

Corresponding author

Correspondence to Ahmed Alenezi.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and permissions