Cloud computing is an important step in our era, delivering many advantages in business and our daily life. However, as every new technology, various challenges are brought into light with one of them being the misuse of Cloud computing environments for criminal activities. As such, Cloud service providers have to establish adequate forensic capabilities in order to support forensics investigations in the event of illegal activities in the cloud. In order to help forensics investigations, this paper deals with log format unification in cloud platforms using Distributed Management Task Force's (DMTF) Cloud Auditing Data Federation (CADF) standard. CADF event logging is utilised in the widely used OpenStack, and we have modified the Apache CloudStack platform to become forensically sound. Furthermore, we investigated the existing CloudStack platform along with the proposed CADF event model implemented, with regards to the principles of the Association of Chief Police Officers (ACPO) on handling digital evidence. The results are provided in this paper as well as an automated parsing tool/CADF event consumer, named C.Lo.D, which is freely available and can be downloaded from Github.

云计算是我们时代的重要一步，在业务和日常生活中都具有许多优势。但是，随着每一项新技术的出现，各种挑战暴露无遗，其中之一就是滥用云计算环境进行犯罪活动。因此，云服务提供商必须建立足够的取证能力，以支持在云中发生非法活动时进行取证调查。为了帮助法医调查，本文使用分布式管理任务组（DMTF）的云审计数据联合会（CADF）标准处理云平台中的日志格式统一。CADF事件日志记录在广泛使用的OpenStack中得到了利用，并且我们对Apache CloudStack平台进行了修改，使其具有法医学意义。此外，我们根据首席警官协会（ACPO）处理数字证据的原则，调查了现有的CloudStack平台以及建议的CADF事件模型。本文提供了结果以及名为C.Lo.D的自动解析工具/ CADF事件使用者，该工具免费提供，可以从Github下载。