A Cloud Forensic Readiness Model for Service Level Agreements Management

Lucia De Marco 1,2, Filomena Ferrucci 2, and M-Tahar Kechadi 1
1 School of Computer Science and Informatics, University College Dublin, Ireland
2 Department of Management and Information Technology DISTRA MIT, University of Salerno, Fisciano, Italy

Abstract: Cloud computing is increasingly becoming a target of cyber-criminal attacks. Often the committed crimes violate the Service Level Agreement (SLA) contracts, which must be respected by all the involved parties. Cloud Forensics is a branch of the Digital Forensic discipline dealing with crimes involving the Cloud. A manner for leveraging some of the attacks is the provisioning of a Forensic Readiness capability, by performing some activities before the crimes happen. In this paper we introduce a model aimed to represent the management of SLAs through a cloud system.

Keywords: Cloud Forensics Readiness, Service Level Agreements, Cloud Monitoring, SLA Model, SLA Management

1. Introduction

Cloud Forensics (Ruan et al. 2011) is the part of the Digital Forensic Science (Palmer 2011) dealing with the use of scientific approaches to investigate Cloud Computing platforms (Mell et al. 2011). Unfortunately, the current forensic techniques are not suitable for cloud-related crimes due to the challenges raised by the Cloud physical structure and computing model (Birk et al. 2011, Mishra et al. 2012, NIST 2014, Reilly et al. 2011, Ruan et al. 2013, Reilly et al. 2010) (see Table 1). Cloud services are regulated by Service Level Agreement contracts (SLAs) (Mell et al. 2011), where some constraints between a cloud service provider and its customer(s) are detailed; the contracts are co-signed by the parties and they have legal validity in case of court litigation (Baset 2012, Patel et al. 2009).

Because of cloud SLAs importance and contents (CSA 2013), they have been carefully monitored and verified: some attempts have been presented in literature (Czajkowski et al. 2002, Skene et al. 2007, Paschke et al. 2008, Unger et al. 2008, Ishakian et al. 2011, Gosh et al. 2012, EU 2013), also in the forensic community (De Marco et al. 2014), all devoted to better manage SLAs violations. We consider the implementation of a Digital Forensic Readiness capability (Tan 2001, Rowlingson 2004, De Marco et al. 2013) for the cloud as one of the best solutions to render the cloud more reliable. Several case studies can corroborate the issue about SLA automatic management (Amani et al. 2010, Brandic et al. 2010, Maurer et al. 2012, Emeakaroha et al. 2012a, Cedillo et al. 2014), concerning security, law, ethics.

In this paper we present a formal model for SLAs management in cloud forensic readiness. Such model includes a set of rules for input, output, and intermediary computations. This is followed by the design model of cloud forensic readiness system architecture. In the next Section we present some related work about SLAs formal representation and monitoring.

Table 1: Cloud Forensics Main Challenges

CF Challenges / Elasticity / Multiple Locations / VM / Broad Network Access / Third Party Service / Cross-Providers SLA
Reduced data access X X X
Lack of physical control X X X
Lack of standard X X X
Multiple log formats X X
No timestamps synchronization X X
No routing information X X X
Lack of investigation expertise X X
Inappropriate legal measures X X X X
Multi-tenancy X X
Multiple jurisdictions X X

2. Related Work

Several researchers proposed both formal models and some monitoring tools for SLAs. In Czajkowski et al. (2002) a protocol for negotiating SLAs among several actors is designed, which includes different types of SLAs. In Skene et al. (2007) the SLAs are formalized using set theory, where the concepts of actors, events, parties, and actions requirements are modelled for the purpose of determining the SLAs' degree of monitor-ability. In Paschke et al. (2008) a framework called Contract Log is presented, which consists of different types of rules
abstracting the contractual contents; they are derivation, reaction, integrity, and deontic rules. All these rules are included in a homogeneous syntax and knowledge base. In Unger et al. (2008) the concepts of Parties, SLA parameters, and service level objectives are used to formalize SLAs for Services Oriented Architecture; the aim is to provide a manner for aggregating more SLAs in a single business process. The same concepts are used in Gosh et al. (2012), but modelled only by tuples. Ishakian et al. (2011) also uses tuples to address the issue of verifying efficient workload co-location of real-time workloads; he applies some transformation rules to compute the target SLA. Moreover, about thirty research projects were granted by the EU commission and their results are reported in (EU 2013). All these projects are concerned with automating different aspects of the SLAs lifecycle. Another formal model utilizing set theory, predicates, and tuples is presented in De Marco et al. (2014) with the purpose of comparing activities changing Cloud resources-status with some SLAs constraints. A framework called DESVI (Emeakaroha et al. 2010) is dedicated to monitor low-level cloud resources metrics, in order to detect whether their values respect the constraints extracted from some SLAs clauses, with the principal goal of detecting QoS violations. In Morshedlou et al. (2014) SLA violations are considered from the user satisfaction point of view; thus, the main goal is to implement proactive resources allocation for reducing the negative impact of SLAs' violations and improving the level of users' satisfaction. In order to prevent clauses violations and the related cyber-crimes, Amani et al. (2010) propose to add a phase dedicated to the evaluation of the contract itself to an SLA life cycle. Finally, some other researches are aimed to manage all the SLAs life cycle phases, namely the services requirements definition, the negotiation between providers and customers, the resources brokering, to the matchmaking and the monitoring of the agreed terms and conditions (Comerio et al. 2014, Wieder et al. 2011).

3. SLA Management in Cloud Forensic Readiness

A Cloud Forensic Readiness capability for SLA management (SLACFR) is aimed to record some information about the cloud behaviour with respect to SLAs. Such information is structured as a set of events, responsible for tracking the relationship between an attribute of a cloud entity and a (set of) constraint(s) on that attribute at time t. The input of such capability is composed of both information about some Cloud attributes and some SLA constraints, all represented with formal rules, as we describe in Section 4. The action flow of the capability depicted in Figure 1 begins on the availability of the contract(s) to monitor. The text is properly parsed via information extraction techniques (Grisham 1999) and transformed into a set of formal rules without repetitions. The cloud information is gathered from some services monitoring tools; they can represent network traffic information, resources statuses, file exchange operations tools, resources allocation, and measures facilities. The forensic readiness capability is responsible for recording and outputting some events representing the matching between cloud attributes and the related SLA clauses. In particular, the capability recognizes in a real time manner whether some suspicious events happen: they represent a violation of a contractual constraint, called hypothesis. Such events recording represents some pre-investigative activities.

Figure 1: SLA Management in Cloud Forensic Readiness

4. Formal Model

The SLA Management Cloud Forensic Readiness (SLACFR) formal model is aimed to provide a theoretical approach to represent the management of SLAs contracts for cloud computing services in the context of forensic readiness. It is necessary to mention that a previous draft of the same formalism was discussed in De Marco et al. (2014), where only a specific scenario has been taken into account. We extend the formal model by structuring the entities in a different manner and by adding some missing information, such as cloud architecture components. The formal model utilizes mathematical formalisms such as tuples, set theory, functions (Ben-Ari 1993). Through these formalisms we provide a set of definitions about the entities manipulated by the architecture illustrated in Figures 1 and 3.

4.1 Cloud Computing

A cloud computing architecture (Mell et al. 2011) is object of monitoring activities by the forensic readiness capability discussed in Section 3. Let C be the set of cloud architectures.

$$C = \{c_1, c_2, c_3, \dots, c_i\}, \quad i \in \mathbb{N}$$

A cloud architecture c is composed of at least 2 data centres, then c = D, where D is the set of data centres.

$$D = \{d_1, d_2, d_3, \dots, d_i\}, \quad j \in \mathbb{N}; \quad |D| > 1$$

A data centre d is an entity containing one or more physical and virtual machines; the data centres are connected to each other, composing networks. Let d be a data centre belonging to the set of data centres D; it is described by the tuple

$$d = (P, V, vmm, N_d); \quad N_d \subseteq CN$$

where P is the set of physical machines, V of virtual machines, vmm is a Virtual Machine Monitor, and $N_d$ is the set of data centres d is connected with. $N_d$ is a subset of the set of all the connections CN. Each element of the set $N_d$ describes the pairs of data centres connected to each other.

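$$CN = \{n_1, n_2, n_3, \dots, n_k\}, \quad k \in \mathbb{N}; \quad n = (d_1, d_2)$$

Lemma. In a cloud computing architecture there exist at least 2 data centres such that $|CN| \neq 0$.

Proof. By definition $|D| > 1$, then at least $D = \{d_1, d_2\}$, where $d_1 = (P, V, vmm, N_{d_1})$ and $d_2 = (P, V, vmm, N_{d_2})$.

$$N_{d_1} = \{n_1\}; \quad n_1 = (d_1, d_2)$$

$$N_{d_2} = \{n_2\}; \quad n_2 = (d_2, d_1)$$

$$N_{d_1} \subseteq CN \text{ and } N_{d_2} \subseteq CN \Rightarrow CN = N_{d_1} \cup N_{d_2} \Rightarrow CN = \{n_1, n_2\} \Rightarrow |CN| \neq 0$$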

Both physical and virtual machines are composed of a set of resources R, either software or hardware.

$$P = \{R_p \mid R_p \subseteq R\}; \quad V = \{R_v \mid R_v \subseteq R\}; \quad R = \{r_1, r_2, r_3, \dots, r_i\}, \quad j \in \mathbb{N}$$

A resource r is described by a set of attributes A and their values, e.g., file name, date of creation, size. Let a be an attribute, it belongs to the set of attributes A.

$$A = \{a_1, a_2, a_3, \dots, a_j\}, \quad j \in \mathbb{N}; \qquad r = \{A_r \mid A_r \subseteq A\}$$

During the execution of a cloud service, the value of a resource attribute is subject to changes via operations. An operation is described by a mathematical tuple composed of a sender s triggering it, an operation result value(r, a), an operation resource r, an attribute a, and an operation time $t_o$. The operation value is a mathematical function that changes the value of an attribute of a resource at the time t-1 into another value at the time t. Such value is expressed with a unit measure u. A sender s is an entity performing operations in the cloud, either a human or a system process, e.g., an Internet session or a Dropbox process. Let s be a sender, it belongs to the set of senders S.

$$S = \{s_1, s_2, s_3, \dots, s_h\}, \quad h \in \mathbb{N}$$

$$o = (s, a_r, \mathit{value}(a_r), u, t_o)$$

$$\mathit{value}: (a_r)_{t-1} \to \mathit{value}(a_r)_t$$

4.2 Service Level Agreement

As aforementioned, SLAs are contractual documents written in natural language composed of a set of information structured as clauses. In our formal representation, an sla l is an element of the set of slas L. An sla is described by a mathematical tuple composed of a set of hypothesis H, the validity starting time $t_{start}$ and the validity ending time $t_{end}$.

$$L = \{l_1, l_2, l_3, \dots, l_i\}, \quad i \in \mathbb{N}; \qquad l = (H, t_{start}, t_{end})$$

A hypothesis h is an element of the set of the hypothesis H. A hypothesis is described by a mathematical tuple composed of the conditioned value $c\,k\,u$ of the attribute $a_r$, the hypothesis validity starting time $t_s$ and the hypothesis validity finishing time $t_f$. A condition c belongs to the set of conditions C; a value k is related to the $a_r$ attribute; u is the unit measure used to express the value k, belonging to the set of unit measures U; the conditioned value $c\,k\,u$ has to be verified during the time interval $t_f - t_s$. In case no condition is expressed the default value is set as '='.

$$H = \{h_1, h_2, \dots, h_j\}, \quad j \in \mathbb{N}$$

$$h = (c\,k\,u, a_r, t_s, t_f); \quad t_f \geq t_s$$

$$c \in C; \quad C = \{\leq;\ \geq;\ <;\ >;\ <>;\ =\}$$

$$u \in U; \quad U = \{u_1, u_2, \dots, u_l\}, \quad l \in \mathbb{N}$$

Natural language is source of ambiguity for automatic recognizers. A manner to address this challenge is represented by the usage of the algorithm depicted in Figure 2; it needs the utilization of information extraction techniques (Grisham 1999), e.g., pattern recognition. The algorithm correctly identifies what are the words to either consider or discard. The computation recognizes a set of words representing the information needed by the formalism to populate specific sets, such as resources, attributes and unit measure, as discussed before, which contain elements to be considered without being combined with anyone else. Conversely, the set of hypotheses H includes information derived from the other three domains. The output is represented by the population of the sets of resources, attributes, unit measures, and hypotheses.

Figure 2: Text to Formal Rules Algorithm

4.3 Forensic Readiness

A cloud forensic readiness capability f is an element of the set of forensic readiness capabilities F. A capability is described by a mathematical tuple composed of a set of forensic readiness events E and a set of SLAs L.

$$F = \{f_1, f_2, f_3, \dots, f_p\}, \quad p \in \mathbb{N}; \qquad f = (E, L); \quad E \neq \emptyset; \quad L \neq \emptyset$$

An event e belongs to the set of events E. An event is described by a mathematical tuple composed of an operation o, a hypothesis to verify h, and the match time $t_e$.

$$E = \{e_1, e_2, e_3, \dots, e_q\}, \quad q \in \mathbb{N}; \qquad e = (o, h, t_e); \quad t_e \geq t_o$$

Given an event e ∈ E and a hypothesis h ∈ H, the event is considered suspicious if the value of the operation o on the attribute a of the resource r at the time t is different from the conditioned value $c\,k\,u$ of the related hypothesis h about the same attribute a of the same resource r; the validity has to be determined during the correct time interval, namely the time $t_o$ of the operation assigning the value to the attribute a of the resource r has to be included in the time interval of the aforementioned hypothesis $t_f(h) - t_s(h)$.

$$\mathit{value}(a_r)_t \neq c\,k\,u; \qquad t_s(h) \leq t_o \leq t_f(h)$$

4.4 Example

The aim of this section is to illustrate with a conceptual example how an SLA violation is detected by the forensic readiness capability. The SLA clause suitable to help the reader to understand the SLACFR behaviour is derived from the public SLA for Amazon S3 (Amazon 2015):

"Amazon Web Services will use commercially reasonable efforts to make Amazon S3 available with a Monthly Uptime Percentage [...] of at least 99.9% during any monthly billing cycle."

We assume that dedicated information extraction techniques have been properly designed; they are required to populate the sets defined in Section 4.2 by correctly detecting the textual elements, and producing the following results.

Resources. The set of resources is populated as follows: R = {Amazon S3}.

Attributes. The set of attributes is populated as: A = {available}.

Unit Measures. The unit measure u is not expressed, but we can correctly store the symbol '%' because it will be necessary during the computation of the match among operations and hypothesis, namely the events. The set of unit measures is populated as: U = {%}.

Hypotheses. The population of this set is a combination of the information already available, i.e., the elements stored in R and A. By scanning the text using as keywords the elements of R and A, we obtain that the conditioned value $c\,k\,u$ of the corresponding hypothesis is '≥ 99%'. The condition c of the hypothesis is '≥' because in the text the condition is expressed as 'at least'. Finally, the starting and finishing times are derived from the text; in particular, both the starting and finishing time are calculated through the duration expressed in the text; because no particular hour constraint is written but the month is considered in a billing context, then the procedure assigns midnight as default.

$$H = \{h_1\}$$

$$h_1 = (\geq 99\%,\ \mathit{available}_{\text{Amazon S3}},\ \text{01/01/2015-00:00},\ \text{01/02/2015-00:00})$$

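Senders, Operations, Events. SLACFR has access to network channels and the Virtual Machines Manager of the underlying cloud platform. Such information is fed to the dedicated parsers (as depicted in Figure 1), which outputs the set of senders S and operations O. The element IPa1 of the set S is a short form for IP address 1, which we assume is the IP address detected on the monitoring tool communicating with Amazon S3. A set of operations is then translated, and some events are generated by the engine FR Events Generator (see Figure 3).

$$S = \{\mathit{IPa1}\}; \qquad O = \{o_1, o_2, o_3, o_4\}$$

$$o_1 = (\mathit{IPa1},\ \mathit{available}_{\text{Amazon S3}},\ 99\%,\ \text{02/01/2015-15:00})$$

$$o_2 = (\mathit{IPa1},\ \mathit{available}_{\text{Amazon S3}},\ 98\%,\ \text{05/01/2015-17:00})$$

$$o_3 = (\mathit{IPa1},\ \mathit{available}_{\text{Amazon S3}},\ 99\%,\ \text{10/01/2015-09:00})$$

$$o_4 = (\mathit{IPa1},\ \mathit{available}_{\text{Amazon S3}},\ 99\%,\ \text{05/02/2015-15:00})$$

$$E = \{e_1, e_2, e_3\}$$

$$e_1 = (o_1, h_1, \text{02/03/2012-15:00})$$

$$e_2 = (o_2, h_1, \text{05/01/2015-17:00})$$

$$e_3 = (o_3, h_1, \text{10/01/2015-09:00})$$

$$e_4 = (o_4, h_1, \text{05/02/2015-15:00})$$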
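The matching rule of Section 4.3 run over the hypothesis and operations of this example, as an added illustration that is not part of the original paper. The class and function names, the discard reasons, the choice t_e = t_o, and the reading of "different from the conditioned value" as "does not satisfy the condition c against k" are assumptions; timestamps are read as dd/mm/yyyy.

```python
import operator
from dataclasses import dataclass
from datetime import datetime

# Condition set C of Section 4.2; "<>" is read as "not equal".
CONDITIONS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
              ">": operator.gt, "<>": operator.ne, "=": operator.eq}


def ts(text):
    """Parse the paper's dd/mm/yyyy-HH:MM timestamps."""
    return datetime.strptime(text, "%d/%m/%Y-%H:%M")


@dataclass(frozen=True)
class Hypothesis:
    """h = (c k u, a_r, t_s, t_f) with t_f >= t_s."""
    condition: str
    k: float
    unit: str
    a_r: tuple          # (resource, attribute)
    t_s: datetime
    t_f: datetime

    def __post_init__(self):
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition {self.condition!r}")
        if self.t_f < self.t_s:
            raise ValueError("t_f must not precede t_s")


@dataclass(frozen=True)
class Operation:
    """o = (s, a_r, value(a_r), u, t_o)."""
    sender: str
    a_r: tuple
    value: float
    unit: str
    t_o: datetime


@dataclass(frozen=True)
class Event:
    """e = (o, h, t_e), plus the suspicious label."""
    operation: Operation
    hypothesis: Hypothesis
    t_e: datetime
    suspicious: bool


def generate_events(operations, hypotheses):
    """Match operations against hypotheses; return (events, discarded)."""
    events, discarded = [], []
    for o in operations:
        candidates = [h for h in hypotheses if h.a_r == o.a_r]
        if not candidates:
            discarded.append((o, "no hypothesis on this attribute"))
            continue
        for h in candidates:
            if not (h.t_s <= o.t_o <= h.t_f):
                discarded.append((o, "outside hypothesis validity interval"))
            elif o.unit != h.unit:
                # Comparing values in different units would be meaningless.
                discarded.append((o, "unit mismatch"))
            else:
                satisfied = CONDITIONS[h.condition](o.value, h.k)
                # Assumption: t_e = t_o, i.e. the match is made as soon as
                # the operation is observed (the model only needs t_e >= t_o).
                events.append(Event(o, h, o.t_o, suspicious=not satisfied))
    return events, discarded


def paper_example():
    """Sets H and O with the values listed in Section 4.4."""
    s3 = ("AmazonS3", "available")
    h1 = Hypothesis(">=", 99.0, "%", s3,
                    ts("01/01/2015-00:00"), ts("01/02/2015-00:00"))
    ops = [Operation("IPa1", s3, value, "%", ts(when)) for value, when in [
        (99.0, "02/01/2015-15:00"),   # o1
        (98.0, "05/01/2015-17:00"),   # o2
        (99.0, "10/01/2015-09:00"),   # o3
        (99.0, "05/02/2015-15:00"),   # o4
    ]]
    return generate_events(ops, [h1])


if __name__ == "__main__":
    events, discarded = paper_example()
    for e in events:
        label = "SUSPICIOUS" if e.suspicious else "ok"
        print(e.t_e, e.operation.value, e.operation.unit, label)
    for o, reason in discarded:
        print(o.t_o, "discarded:", reason)
```

Discarded operations are returned with a reason rather than dropped silently, so the record shows why no event was generated for them.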

The FR Events Generator component is also capable of properly labelling the events as suspicious or not, and of discarding them depending on the time they are recorded at. In this case, the system will recognize event e2 as suspicious because the conditioned value of the hypothesis is violated, indeed it is 98% while it is supposed to be '≥99%'; similarly, event e4 is discarded because it is recorded at a time outside the time interval established in h1, namely after 01/02/2015-00:00.

5. SLACFR Architecture and Requirements

In this section we describe an SLACFR capability model, by highlighting what are the inputs, processes, and outputs of the various components described in Figure 1. The diagram in Figure 3 uses the Business Process Model Notation (BPMN); it has been considered useful due to its capability of differentiating among independent functionalities, represented as business processes, each included in a swim-lane, i.e., the horizontal rectangles; the subtasks necessary to accomplish a single purpose are located in the swim lanes. In the BPMN model for SLACFR we have three swim-lanes, where the topmost and the bottommost are responsible for computing the input necessary to the middle one, i.e., from the SLAs and the cloud infrastructure, respectively. Since a specific time, in the bottommost swim lane the monitoring tools output is acquired from a cloud platform and translated to obtain the formal rules about senders and operations, properly encrypted in order to respect some forensic best practices (CSA 2013, Grobler et al. 2013). The topmost swim lane, called Formalism Generation, is fed with the SLA documents. An initial engine implements the algorithm described in Figure 2 and transforms the contractual natural-language constraints to rules according to the formal model proposed in Section 4. Possible rules repetitions are reduced by the rules reduction sub-task. In the central swim lane, named Forensic Readiness, the detection of SLA-violation set of events is executed. The module called FR Events Generator is responsible for generating and storing the recorded events as soon as they happen, paying special attention to the suspicious events, responsible for identifying a contractual violation. It is not clear when such CFR business process has to terminate, because suspicious events can be recorded again and again. For the moment, we assume that the capability keeps running until the cloud organization considers it necessary for assuring more reliability to its services.

A system implementing such FR capability is dealing with computer security issues, and very likely managing private users' data; the main concerns are about the confidentiality of the information itself. It is worth reminding that a CFRS will be deployed as an additional system, external to the Cloud infrastructure but capable of communicating with the necessary components to acquire the information from the Cloud (De Marco et al. 2013). Some dedicated, encrypted and secure communication channels are necessary at this point. Independently from the chosen technology, a reliable communication protocol must be adopted, allowing encrypting and decrypting the shared information. Moreover, the communication channels end-points might be secured by sophisticated mechanisms. The system must be reliable in terms of accessibility and data consistency; network connection falls cannot be admitted, as well as not updated or incomplete persistent storages. In terms of performance, the system has to be accessible 24h/7, because crime prevention can happen in every moment of the day, every day; moreover, it should be required to manage big amounts of data, and consequently be scalable from this point of view. Nevertheless, the network usage has to avoid channel saturation; indeed a proper medium connection is necessary, for instance optical fibre. The system has to be delivered and packaged in a multi-platform compatible manner, because it is not known a priori what the environment to interface with can be. Last but not least, it has to comply with some investigative best practices. For instance, the investigation principles respected by the US National Institute of Justice (USJ 2011), by the UK ACPO (2007), the ones about data integrity (SWDGE 2006), and the Forensic Standard ISO IEC 27037 (CSA 2013) are widely adopted by the international community and considered necessary to be respected in case of dealing with potential forensic evidence.

Figure 3: SLACFR BPMN Modelling

6. Discussion

SLACFR is devoted to implement a forensic readiness capability for SLA-related cloud crimes. The proposed approach concerns the representation of information from both the SLAs and the cloud in a specific formal model (see Section 4). The entities sender, operation, and attribute are necessary to reconstruct events timeline for forensic investigations. The resource attributes included in the operation entity have to match with the resource attributes expressed in the hypothesis to record forensic readiness events. The value of the operations on the attributes is compared with the conditioned value expressed in hypotheses concerning the same attributes. This match has to be performed by the FR Events Generator module of the architecture designed in Figure 3. Very likely, the actual source of cloud information can be represented by some cloud services logs. Such data can be gathered from dedicated logging tools included in the services furnished with a forensic readiness capability. If no logging tool is present, then an alternative information source needs to be identified. It is worth mentioning that log information is not structured in the same manner as expected by the formal model; then log information will be converted by a dedicated FR system component, to be added to the model in Figure 3. In order to calculate an operation resource attribute value, some metrics might be necessary. They compute the measure, necessary to the comparisons module, thus included in the system since its installation. Once the metrics for a resource attribute are applied and the value calculated, then the match with the value to be respected in the contractual constraint can be performed. In case the metrics are established by the contract itself, then such information has to be utilized, and the pre-existing metrics included in the system discarded. In this manner, the formal model proves to be extensible depending on the necessary entities to represent. Because it is at a very high level of abstraction, it can be enriched with additional information, such as some metrics or legal principles: specific rules can be added, and dedicated system modules interfaced with the existing ones presented in Figure 3.

7. Conclusion and Future Work

The management of SLA contracts in the context of cloud forensics is a very challenging research topic. Several proposals have been made in literature to guarantee QoS levels with the purpose of monitoring platforms behaviour for resources performances respect. In some cases, the issue is modelled and implemented; in other ones, specific frameworks are proposed to demonstrate how the monitoring is performed. In the future, we intend to prototype the SLACFR system for verifying some specific SLA constraints. The main goal is to demonstrate that SLACFR can really detect the exact time when a suspicious event is happening and recorded. Moreover, we want to test the number of SLA violations detected in a specific time. We intend to simulate an attack to an IaaS Cloud service; this choice is led by the necessity of interacting directly with the physical resources level; moreover, PaaS and SaaS are built on top of IaaS.

The proposed FR capability prepares the cloud pro-actively for forensics; hence, a crime-reaction module is out of the SLACFR duties; nevertheless it can be considered as an extension or integration, capable of analysing a cloud crime scene with some information already available. We strongly believe that such forensic readiness capability can enhance the security strategies of a cloud platform, such that being considered as a must requirement for it, and very likely become a standard in the future.

References

ACPO Association of Chief Police Officers (2007) Good Practice Guide for Computer Based Electronic Evidence, [online] http://www.acpo.police.uk/asp/policies/Data/ACPO%20Guidelines%20v18.pdf

Amazon Simple Storage Service (S3) (2015), [online] http://aws.amazon.com/s3/sla/ accessed on 22/02/2015

Amani, N., Hajipour, P., Seyedmostafaei, F. (2010) “An Appropriate Violation Detection Scenario for Service Level Agreements Based on WS-Agreement Protocol”, Journal of Convergence Information Technology, Vol 5, No 1, pp. 40-47.

Baset, S.A. (2012) “Cloud SLAs: present and future”, ACM SIGOPS Operating Systems Review, Vol 46, No 2, pp. 57-66.

Ben-Ari, M. (1993) Mathematical Logic for Computer Science, Springer, first edition.

Birk, D., Wegener, C. (2011) “Technical Issues of Forensic Investigations in Cloud Computing Environments”, 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, pp. 1-10.

BPMN - Business Process Model and Notation, [online], http://www.bpmn.org/

Comerio, M., De Paoli, F., Palmonari, M., Panziera, L. (2014) “Web Service Contracts: Specification and Matchmaking”, Advanced Web Services, Springer, Athman Bouguettaya, Quan Z. Sheng, Florian Daniel Eds., pp. 121-146.

CSA Cloud Security Alliance (2013) “Mapping the Forensic Standard ISO IEC 27037 to Cloud Computing”, [online] https://cloudsecurityalliance.org/download/mapping-the-forensic-standard-isoiec-27037-to-cloud-computing/

Czajkowski, K., Foster, I., Kesselman, C., Sander, V., Tuecke, S. (2002) “SNAP: A Protocol for Negotiating Service Level Agreements and Coordinating Resource Management in Distributed Systems”, Job scheduling strategies for parallel processing, Springer Berlin Heidelberg, pp. 153-183.

De Marco, L., Kechadi, M-T., Ferrucci, F. (2013) “Cloud Forensic Readiness: Foundations”, Proc. ICDF2C Conference, Springer International Publishing, LNICST series, vol. 132, pp. 237-244.

De Marco, L., Abdalla, S., Ferrucci, F., Kechadi, M-T. (2014) “Formalization of SLAs for Cloud Forensic Readiness”, Proc. ICCSM Conference, Academic Conferences and Publishing International Limited, Reading, UK, Dr. Barbara Endicott-Popovsky University of Washington, Seattle, USA Edition, pp. 42-50.

Emeakaroha, V.C., Calheiros, R.N., Netto, M.A., Brandic, I., De Rose, C.A. (2010) “DeSVi: An Architecture for Detecting SLA Violations in Cloud Computing Infrastructures”, ICST CloudComp Conference.

European Commission (2013) Cloud Computing Service Level Agreements - Exploitation of Research Results, Directorate General Communications Networks, Content and Technology – Unit E2 – Software and Services, Cloud [online], Editor: Dimosthenis Kyriazis, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=2496

Ghosh, N., Ghosh, S.K. (2012) “An Approach to Identify and Monitor SLA Parameters for Storage-as-a-Service Cloud Delivery Model”, GC Wkshps, pp. 724-729.

Grobler, C.P., Louwrens, C.P., von Solms, S.H. (2010) “A Multi-Component View of Digital Forensics”, Proc. ARES Conference, pp. 647-652.

Grishman, R. (1997) “Information extraction: Techniques and challenges”, Information extraction a multidisciplinary approach to an emerging information technology, Springer Berlin Heidelberg, 10-27.

Ishakian, V., Lapets, A., Bestavros, A., Kfoury, A. (2011) “Formal Verification of SLA Transformations”, IEEE World Congress on Services, pp. 540-547.

Mell, P., Grance, T. (2011) Final Version of NIST Cloud Computing Definition [online], http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Mishra, A.K., Matta, P., Pilli, E.S., Joshi, R.C. (2012) “Cloud Forensics: State-of-the-Art and Research Challenges”, International Symposium on Cloud and Services Computing, pp. 164-170.

Morshedlou, H., Meybodi, M.R. (2014) “Decreasing Impact of SLA Violations: A Proactive Resource Allocation Approach for Cloud Computing Environments”, IEEE Transactions on Cloud Computing, Vol 2, No 2, pp. 156-167.

NIST National Institute of Standards (2014) “Cloud Computing Forensic Science Challenges”, NIST Cloud Computing Forensic Science Working Group Information Technology Laboratory, [online], http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf

Palmer, G. (2001) “A Road Map for Digital Forensic Research Technical Report”, Technical Report from DFRW Workshop, Utica, New York.

Paschke, A., Bichler, M. (2008) “Knowledge Representation Concepts for Automated SLA Management”, Decision Support Systems, Vol 46, Issue 1, pp. 187-205.

Patel, P., Ranabahu, A.H., Sheth, A.P. (2009) “Service Level Agreement in Cloud Computing” [online] http://corescholar.libraries.wright.edu/knoesis/78

Reilly, D., Wren, C., Berry, T. (2010) “Cloud Computing: Forensic Challenges for Law Enforcement”, Proc. ICITST Conference, pp. 1-7.

Reilly, D., Wren, C., Berry, T. (2011) “Cloud Computing: Pros and Cons for Computer Forensic Investigations”, International Journal Multimedia and Image Processing, Vol 1, No 1, pp. 26-34.

Rowlingson, R. (2004) “A Ten Step Process for Forensic Readiness”, International Journal of Digital Evidence, Vol 2, No. 3, pp. 1–28.

Ruan, K., Carthy, J., Kechadi, M-T., Crosbie, M. (2011) “Cloud Forensics: an Overview”, Proc. IFIP Conference, Vol 7.

Ruan, K., Carthy, J., Kechadi, M-T., Baggili, I. (2013) “Cloud Forensics Definitions and Critical Criteria for Cloud Forensic Capability: An Overview of Survey Results”, Digital Investigation, Vol 10, No 1, pp. 34-43.

SWDGE Scientific Working Group on Digital Evidence (2006) Data Integrity Within Computer Forensics, [online] https://www.swgde.org/documents/Current%20Documents/2006-04-12%20SWGDE%20Data%20Integrity%20Within%20Computer%20Forensics%20v1.0

Skene, J., Skene, A., Crampton, J., Emmerich, W. (2007) “The Monitorability of Service-Level Agreements for Application-Service Provision”, Proc. International Workshop on Software and Performance, pp. 3-14.

Tan, J. (2001) “Forensic Readiness, Technical Report”, @Stake Organization, Cambridge, MA, USA, [online] http://isis.poly.edu/kulesh/forensics/forensicguide_readiness.pdf

Unger, T., Leymann, F., Mauchart, S., Scheibler, T. (2008) “Aggregation of Service Level Agreements in the Context of Business Processes”, Proc. ICEDOC Conference, pp. 43-52.

USJ U.S. National Institute of Justice (2011) Electronic Crime Scene Investigation: A Guide for First Responders [online] http://www.ncjrs.org/pdffiles1/nij/187736.pdf

Wieder, P., Butler, J. M., Theilmann, W., & Yahyapour, R. (2011) “Service level agreements for cloud computing”, Springer.