An evolutionary algorithmic framework cloud based evidence collection architecture

Cloud forensics is an advancement of modern forensic science that protects against cyber criminals. Collecting and storing data at a single centralized point, however, undermines the authenticity of digital evidence. To address this serious issue, this article proposes an automated forensic platform, driven by a modern evolutionary algorithm, that leverages infrastructure as a service (IaaS) clouds and is based on the blockchain concept. In the proposed forensic architecture, evidence is collected and stored on a blockchain that is distributed across several peers. A Secure Block Verification Mechanism (SBVM) is proposed to safeguard the system from unauthorised users. To strengthen the cloud environment, secret keys are optimally generated using the Backtracking Search Optimization Algorithm (BSOA). On the basis of its level of confidentiality, all data is encrypted and stored at the cloud authentication server. Confidentiality-based Algebraically Homomorphic Cryptosystems learning is presented with a fast-forwarding algorithm for encryption. A block is created in the SDN controller for every piece of data stored at the cloud service provider, and its history is recorded as metadata (data about data). A hash-based tree is constructed in each block using the 512-bit Secure Hash Algorithm version 3 (SHA-3-512). By implementing graph theory-based graph neural networks in smart contracts (GNNSC), our framework enables users to track their data. Finally, the construction of an evidence graph from blockchain data enables evidence analysis. Experiments were carried out in a Python-based, blockchain-integrated cloud environment with network simulator-3.30 (for the software-defined network).
According to a comprehensive comparative study, our newly designed forensic architecture using blockchain (FAuB) achieves good results in terms of evidence response time, cloud evidence insertion time, evidence verification time, computational overhead, hash calculation time, key generation time, evidence encryption time, evidence decryption time, and total overall change rate of evidence.


Introduction
Cloud computing is an emerging technological concept that, through virtualization technology, provides users with physical resources. The cloud computing industry is growing thanks to the benefit of network access to a scalable and elastic pool of shared physical or virtual resources [66] with self-service provisioning and on-demand services. Because of these features, the number of cloud users is also increasing. With the growth of the cloud computing industry, however, security risks have begun to develop. Several security strategies for the cloud environment are being investigated together with virtualization technologies, which makes it difficult to apply current digital forensic methods [30]. When the cloud environment is categorized according to the service model, access to certain system layers is restricted in Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) [53] environments, and access to those layers is regulated by the Cloud Service Provider (CSP). It is therefore appropriate for the log data generated in the inaccessible layer to be supplied through agreement with the CSP [3]. In conventional digital forensics, investigators have complete control over the evidence. In a cloud environment, however, data centers are geographically distributed, cloud service customers (CSC) share physical infrastructure, volatile data disappears when the instance is shut down, and virtual networks, load balancing, and auto scaling are used to provide a smooth service environment [61]. Therefore, because the investigator cannot directly capture and collect the data from the remote server, it is important not only to record data for cloud [2] forensics before a security incident is investigated, but also to guarantee the truthfulness of the log data. A forensic architecture is suggested for software-defined networking (SDN) using IoT [44] and blockchain. Blockchain's algebraic homomorphic encryption scheme is adapted here. Evidence data is collected in the presence of the SDN policy [25]. Digital evidence is obtained or stored by data flow switches, which adopt additional forensic techniques for forensic examination. A provenance-aware data management system (PDMS) has been devised and built on the existing provenance monitoring framework [54]. Mchain [59] proposes an integrity management framework based on blockchain. Thus, many research efforts apply blockchain technology within the SDN cloud environment [16]. In this research, we use the blockchain concept for digital forensics in the cloud environment.

Cloud forensics is an advancement of modern forensic science that protects against cyber criminals. Collecting and storing data at a single centralized point, however, undermines the authenticity of digital evidence. To address this serious issue, this article proposes a modern automated forensic platform that leverages infrastructure as a service (IaaS) clouds and is based on the blockchain concept. In the proposed forensic architecture, evidence is collected and stored on a blockchain that is distributed across several peers. A Secure Block Verification Mechanism (SBVM) is proposed to safeguard the system from unauthorised users. To strengthen the cloud environment, secret keys are optimally generated using the Backtracking Search Optimization Algorithm (BSOA). On the basis of its level of confidentiality, all data is encrypted and stored at the cloud authentication server. Confidentiality-based Algebraically Homomorphic Cryptosystems learning is presented with a fast-forwarding algorithm for encryption. A block is created in the SDN controller for every piece of data stored at the cloud service provider, and its history is recorded as metadata (data about data). A hash-based tree is constructed in each block using the 512-bit Secure Hash Algorithm version 3 (SHA-3-512). By implementing graph theory-based graph neural networks in smart contracts (GNNSC), our framework enables users to track their data. Finally, the construction of a Logical Graph of Evidence from blockchain data enables evidence analysis. Experiments were carried out in a Python-based cloud and blockchain integrated environment with network simulator-3.30 (for the software-defined network). According to a comprehensive comparative study, the proposed forensic architecture (FAuB) shows promising results in response time, evidence insertion time, evidence verification time, communication overhead, hash computation time, key generation time, encryption time, decryption time, and total change rate.

Research contribution
In this article, the following contributions have been made to further digital forensics research:
- For a cloud environment such as infrastructure as a service (IaaS), a digital forensics mechanism [5] is designed to collect, analyze, and release evidence. Blockchain technology is used to collect evidence.
- Evidence and information are secured against malicious users by the Secure Block Verification Mechanism (SBVM) authentication mechanism [21], driven by a cloud authentication server (CAS). Under SBVM, users must successfully complete a secure verification process based on a circular theorem and a secret key (SK).
- Confidentiality-based encryption: for the generation of the digital signature [20] and for encryption, the EL GAMAL algorithm is proposed. In CB-EL GAMAL, key generation is done by the Backtracking Search Optimization Algorithm in order to generate strong secret keys. The main contribution of the confidentiality-based Algebraically Homomorphic Cryptosystem algorithm is that it is adaptive in nature and based on the sensitivity level of the data.
- A block is generated by the SDN control plane and distributed across the blockchain network for every piece of data deposited on the cloud-based server. For added security, the Secure Hashing-3 (SHA-3-512) algorithm is proposed for the blockchain. Data provenance is preserved by using graph neural network-based smart contracts (GNNSC) to track data activities throughout the data life cycle.

Background
Siva Rama Krishna Tummalapalli [12] develops an intrusion detection mechanism simulator based on Bayesian fuzzy clustering and a support vector neural network, used for clustering and as a two-level classifier in the cloud environment [58]. Saad Said Alkahtny develops a novel architecture to support forensic evidence collection and analysis for infrastructure as a service (IaaS) in the cloud environment, formally known as the cloud forensic acquisition and analysis system, which does not depend on the cloud service provider or a third party. This approach also provides access to deleted and overwritten data files, which existing forensic investigation techniques do not provide [61]. Zareefa and Mustafa examined information obtained from the Xen Cloud Platform using the resources available to the investigation. The work focused essentially on three areas: adapting current techniques to the cloud world, gathering objects and data from the cloud, and assessing the value of the information collected. As a future direction, they plan to integrate existing tools for platform as a service (PaaS) and software as a service (SaaS) (or all service types in one framework). Finally, this work centered on and retrieved XCP with file system dependent storage repositories (SRS) based on LVM [42]. Throughout their research, Philip and Clark dealt mostly with the EXIF metadata found in JPEG image files. In the near future, the research will be carried out on other specific file formats such as pdf, text, excel, ppt and others [39]. Ramakrishnan Krishnan addresses the major emerging developments in cloud computing security and privacy, and categorizes the problems as mainly security issues, mainly privacy issues, and intertwined security issues [35]. In their work, Mhlupheki George and Sibiya explain the specifications for a cloud forensics framework, the standard procedures followed during the cloud forensic phase, and how to build a cloud forensics system, as well as cloud forensics as a service in the CFAAS architecture [22].
For the case of denial of service (DDoS), Alex Elington and R. Kishore create a program that targets whether the forensic management plane (FMP) gathers data regarding illegal forensic investigation activities. In the immediate future, it should be possible to execute the whole attack scenario on a cloud platform [19,63]. In their work, Ameer Pichan, Mihai Lazarescu and Sie Teng Soh offer a systematic approach for examining cloud forensic problems, a potential answer for each process, and a description of forensics as a business model [28]. In their investigation, Vassil, Irfan, Andres and Shane applied analysis and acquisition to SaaS and tested the results in their case studies: Kumodd, a tool for the acquisition of cloud drives; Kumodocs, a tool for the acquisition and analysis of Google Docs; and Kumofs, a tool for remote preview and screening of cloud drive data [24].
Victor R Kebane built a cloud forensic readiness model as a test of the application software [25]. Grobler et al. suggest a six-dimensional virtual forensic approach to include the theory-based modern forensics solution [54]. Valjarevic and Ventor create a model consisting of three preparation phase assessments in the deployment and planning model. In ISO/IEC 27043:2015 [59], Valjarevic and Ventor build a model consisting of 3 preparation phase tests in the deployment and planning model [59]. Saad Said Alkahtny proposes a novel framework to assist forensic discovery and analytics for IaaS cloud-based systems (CFAAS) [16]. Alex and Kishore present a forensic paradigm for denial of service (DDoS) attacks on cloud storage and data processing that uses the forensic management plane (FMP) and the FTK analyser [5]. Emi Morioko, Mehdard S and Sharbaf present a method and algorithm for the acquisition of Amazon Web Services (AWS) technical evidence [21]. Zareefa and Mustafa propose a solution for accessing the evidential value of recorded data from the cloud and report experimental results on the Xen Cloud Platform [20]. Zachary, Katrina and Kenji use snapshots and Google Rapid Response (GRR) to plan and build an automated forensic data acquisition system for forensic evidence collection [12]. Nhien An Le Khac, Michel Mollema, Robert Craig and Steven Ryder are developing an innovative solution to data acquisition in the cloud environment. They explain the legal context and address how to find the data center and deal with a real-world AWS scenario [58]. Peng Xu, Yadong Zhang and Kai Shuang deployed a modern streamlined data collection approach with hybrid data management review across the cloud logging (LOC) web service [10].
A tamperproof framework for cloud forensics has been developed that works in an untrusted, multi-tenant cloud environment. This framework relies on a forensic system based on the compressed multilayer counting filter [10], independent of daily cloud activity. No standard forensic readiness model can be applied properly to cloud environments. A model for improving security [42] can be used in a cloud environment. Forensic readiness is a way of maximizing the potential of an organization to respond to violations [39]. Fig. 1 and Table 1 show the number of papers published in various digital libraries such as ACM, IEEE, ScienceDirect, Springer [18, 24-36, 38-41, 44-47, 49-66], and Elsevier, which indicates that a lot of work has been done in the field of cloud forensics and that it is an active research area for the current cloud market.
Cloud logs include useful data and information that are essential for a computer forensic investigation [35,51]. Earlier logging system designs have a few shortcomings in providing security to the cloud user. The existing system gives protection and security for user files that are either saved or uploaded by the user or authenticated [22] by the user. This paper secures logging by encrypting cloud logs using encryption techniques and by identifying DDoS (distributed denial of service) attacks on the cloud framework [65]. occurs, the evidence is very hard to find [56]. Evidence is obtained from different forensic sources such as switches, routers, servers, virtual machines, hosts, and browsers, and from in-house storage media such as hard disk drives, RAM image files, physical memory, etc. The information is retrieved from multiple sources. Evidence is collected through data collection from cloud servers, web browser objects [62], and physical memory analysis.

Blockchain in cloud forensics
Blockchain is one of the most hyped breakthrough fields and has had significant consequences as an invention commonly used in numerous fields [19,31]. The blockchain is known mostly as a ledger or a digital distributed database [63]. The way blockchain interacts, reduces system costs, and monitors and documents transactions has been seen as a revolutionary advance since its introduction in 2008. Blockchain [28] can be inexpensive, removing the need for central authorities to supervise and regulate transactions and communications [24] between the various members. Miners who have a record of the entire transaction history in a blockchain sign each step cryptographically [36,46]. This makes the timestamped records, which cannot be altered one by one, safe, synchronized, and shared. Moreover, blockchain technology is considered an information technology and can be used in applications, business and industry [47]. Figure 2 displays the blockchain design. A blockchain consists of blocks numbered i to n, each holding its current hash and the previous hash of the preceding block; if the hash value of any block in the blockchain network is changed, the block becomes invalid and data tampering is detected. The proposed forensic architecture, called Blockchain-based forensics, is developed with the necessary algorithms in this section [26]. The proposed forensic cloud uses a software-defined network and the blockchain concept for the collection of evidence and for investigation.

Entities of the architecture
The main objective of our experimental study is to acquire reliable evidence in the cloud environment and to maintain the provenance of cloud data. The following entities comprise the overall forensic system [64]:
1) Cloud Users (CU): Our system includes 'n' cloud users (CU1, CU2, ..., CUn). Cloud users are permitted to save and access evidence at the cloud server.
2) Cloud Authentication Server (CAS): At the start, cloud clients register with the CAS to deter access by unwanted users. Key generation and authentication are the major responsibilities of the CAS.
3) Cloud Service Provider (CSP): Cloud users store all their data externally, on CSP-hosted cloud servers. For every piece of data stored in the CSP, a blockchain was developed.

4) Dataflow open switches (DFSs):
In this work, a software-defined network is used to gather CSP data. We have therefore used many DFSs to relay CSP data to consumers. The DFSs are mainly responsible for handling data according to the flow rules applied to them by the control plane. Flow rules for the DFSs are deployed and modified only in the software-defined network control plane.

5) Software defined networking Control plane (SDNC):
The software-defined networking control plane is responsible for applying flow rules according to the network status and for gathering all CSP evidence [50]. The control plane manages the blockchain for evidence collection, and a block is generated for every piece of CSP data. The complete system architecture is shown in Fig. 3.
The principal objective of our forensic architecture is to capture and preserve the relevant CSP data. We first developed an efficient verification design to secure the system from unauthorized users. Data saved to the CSP is encrypted to ensure secrecy within the cloud setting [60]. Decentralized data processing was planned based on blockchain technology.
Smart contracts can be used for the purpose of recording and storing data history. For successful evidence analysis, a graph-based approach is recommended.

Cloud user authentication
All cloud users are first registered with the CAS. User ID and password (PW) are the user credentials taken into account when logging in. The CAS produces a secret key (SK) for each registered CU by means of the Backtracking Search Optimization Algorithm. All users are validated at any time using the circular theorem's secret code (SC), SK, ID, and PW.
1) Key Creation and Generation with the help of the Backtracking Search Optimization Algorithm: BSOA is an adaptive search algorithm that uses three basic genetic operators, namely selection, mutation, and crossover, to generate trial individuals [41]. BSOA consists of six steps; more details of the steps are presented in the following sections.
The mathematical formulation of a typical optimization can be written as: where f(x) is a fitness function, x = (x1, x2, ..., xN) is the vector of decision variables, N is the number of decision variables, and Di is the range of feasible values for the i-th decision variable, where li and ui are the lower and upper bounds of the i-th decision variable, respectively. The Backtracking Search Optimization Algorithm is a newly invented meta-heuristic search optimization algorithm used to solve optimization problems. This is a meta-heuristic nature inspired algorithm focused on the brood parasitism of certain Backtracking Search Optimization Algorithm birds, as well as spontaneous Levy flight walking. It has been applied in a number of areas. In this research, the Backtracking Search Optimization Algorithm is used for key generation in the cryptographic process [13].
Alice sends the public key pk = (p, g, A) to Bob.
ElGamal is a public key cryptosystem based on the discrete logarithm problem for a group G, i.e. each person has a key pair (sk, pk), where sk is the secret key and pk is the public key, and given only the public key one has to find the discrete logarithm (solve the discrete logarithm problem) to obtain the secret key. The cryptosystem is both an encryption scheme (this section), which helps Alice and Bob with the problem of exchanging sensitive information over an insecure channel eavesdropped on by their adversary Eve, and a digital signature scheme (the following section), which helps them create digital signatures [23]. The signature scheme is slightly different from the encryption scheme, and various digital signature schemes, such as the Schnorr signature scheme and the Digital Signature Algorithm (DSA), are based on ElGamal's signature scheme but with shorter keys. Below is the public key created: We can see here that the private key (Pr(SK)) is generated randomly, which attackers can crack quickly. The Backtracking Search Optimization Algorithm is used to enhance the key generation process.

Initialization:
In this phase, the settings of the algorithm were initialized and the values of the algorithmic parameters were assigned. Population P was initialized as follows: for i = 1, 2, 3,..., D and j = 1, 2, 3,..., N, where N was the population size (PopSize), D was the dimension of the problem, W was the uniform distribution, and each Pj was a target individual in the population P. This stage was aimed at determining the previous population P 0. Based on an 'if-then' rule, the option of redefining P 0 at the beginning of each iteration could be expressed as follows: where ':=' was the update operation and a and b were random numbers. Next, P 0 := permuting(P 0), where the permuting function was a random shuffling function.

Mutation:
This process generated the initial form of the trial population, Mu, as follows: where F was the control parameter that controlled the amplitude of the search-direction matrix (P 0 − P).The value of this parameter was selected as per the following equation: where rn ∼ M(0, 1), M was the standard normal distribution, and F was the controlled parameter.
The crossover strategy of BSOA used the ceiling function with rnd ∼ W(0, 1). Furthermore, the number of elements of individuals was controlled by a mix rate parameter (mixrate). These individuals were mutated in a trial by using the ceiling function dmixrate • rnd • In this method, the Backtracking Search Optimization Algorithm selects an enhanced vector f(x), which is assigned to Pr(SK). It is difficult for cyber criminals to determine the generated secret key because the Backtracking Search Optimization Algorithm selects the random number more optimally [31].
2) Authentication using the Secure Block Verification Mechanism (SBVM): For registered users, the CAS produces secret keys and origin points. The origin points are the (Ox, Oy) co-ordinates of a particular circle for each user. For each user, the respective credentials (ID, PW, SC) are saved in the CAS. In all stages of verification, all passwords are checked. The key from the CAS is a random code, which makes it impossible for an attacker to guess the code for each user. By the following equation, a circle is defined by: Each user builds an SC from the origin points (Ax, By). To complete the authentication successfully, the user chooses an SC that satisfies the circle equation. When a client has to use the cloud, the client must supply the ID and password along with the time stamp (TS). Algorithm 1 illustrates the method of SBVM-based authentication. A user who has legitimate passwords will complete the validation successfully. By taking the SC into account together with the TS, the protection level of the SBVM mechanism is increased. Since the SC differs over time, the attacker cannot crack the SC. Even if the SC is cracked at one time by the attacker, the attacker cannot use that SC for the next authentication without knowing the origin points [49].

Confidential data encryption
Users who have successfully completed the authentication process enter the cloud computing environment in the proposed forensic system. Within the cloud network, users store their information in the form of a ciphertext with a digital signature. At this point, users decide on the level of confidentiality of the data [17]. For example, data such as banking data and identity data are referred to as sensitive information, whereas other information such as humorous videos and movies is non-confidential data [27]. As mentioned in the previous section, secret keys are produced by means of the Backtracking Search Optimization Algorithm. Data is translated into ciphertext by using the generated strong secret key in the confidentiality-based encryption (CB-EL GAMAL) algorithm.
Algorithm 1 SBVM authorization mechanism (Pseudocode)
The CB-EL GAMAL algorithm pairs the EL GAMAL algorithm with probability and algebra. The algebraically homomorphic cryptosystem is a fast-forwarding solution that is embedded in the decryption and encryption process [11] across many hidden layers. The input layer of the Homomorphic Cryptosystem algorithm is used for encryption: Pu(SK) is initialized there and the encryption is done in the hidden layer. CB-EL GAMAL, however, is confidentiality-based and carries out the following data encryption procedures.
Algorithm 2 demonstrates the overall technique, with an efficient secret key, for the CB-EL GAMAL algorithm [7]. By implementing graph theory-based graph neural networks in smart contracts (GNNSC), our framework enables users to track their data. The proposed CB-EL GAMAL algorithm is shown in Fig. 4. The neural network is used for the encryption process and calculates the ciphertext in the hidden layer for secret key generation [32]; cryptosystems learning is a fast-forwarding method that is incorporated into the encryption and decryption process through multiple hidden layers [29].
Similarly, when the data is decrypted, the input layer starts with the ciphertext and the output layer yields the original text. The use of the Algebraically Homomorphic Cryptosystems algorithm [62] in encryption strengthens data security. To retain proof of ownership, the data is signed by the user before it is outsourced to the cloud computing environment [43]. The data is digitally signed using the EL GAMAL algorithm with the keys generated as mentioned above. The hash value is first created to sign the data as: The digital signature is then created: where k1 and k2 are random numbers. If the data is updated or its ownership is transferred, the data has to be signed by the same data owner.
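The ElGamal encryption that CB-EL GAMAL builds on, with the public key pk = (p, g, A) from the key generation section, can be run end to end. This is an added example, not code from the paper: it is textbook ElGamal with constructed toy parameters, it draws the secret key from Python's `secrets` module instead of BSOA, it does not model the confidentiality levels or neural-network layers, and the helper `multiply` is a hypothetical name used to show ElGamal's multiplicative homomorphism.

```python
# Added example (not the paper's code): textbook ElGamal over Z_p*.
import secrets

# Constructed toy parameters, far too small for real use.
# 467 is prime and 2 generates the multiplicative group modulo 467.
P, G = 467, 2


def keygen(p=P, g=G):
    """Return (sk, pk) with pk = (p, g, A) and A = g^sk mod p."""
    # Assumption: sk comes from the OS CSPRNG; the paper derives it with BSOA.
    sk = secrets.randbelow(p - 3) + 2            # sk in [2, p-2]
    return sk, (p, g, pow(g, sk, p))


def encrypt(pk, m):
    """Encrypt a group element m (1 <= m < p) with a fresh ephemeral k."""
    p, g, a_pub = pk
    if not 1 <= m < p:
        raise ValueError("message must be in [1, p-1]")
    k = secrets.randbelow(p - 2) + 1             # k in [1, p-2], new per message
    c1 = pow(g, k, p)                            # g^k
    c2 = (m * pow(a_pub, k, p)) % p              # m * A^k
    return c1, c2


def decrypt(sk, pk, ct):
    """Recover m = c2 / c1^sk mod p."""
    p = pk[0]
    c1, c2 = ct
    # By Fermat's little theorem, c1^(p-1-sk) is the inverse of c1^sk.
    return (c2 * pow(c1, p - 1 - sk, p)) % p


def multiply(pk, ct_a, ct_b):
    """Combine two ciphertexts without the secret key.

    The component-wise product decrypts to (m_a * m_b) mod p. This is the
    multiplicative homomorphism of ElGamal; it also means a ciphertext alone
    carries no integrity protection, which is why the data is signed as well.
    """
    p = pk[0]
    return (ct_a[0] * ct_b[0]) % p, (ct_a[1] * ct_b[1]) % p


def demo():
    """Round-trip one message and decrypt the product of two ciphertexts."""
    sk, pk = keygen()
    ct5, ct7 = encrypt(pk, 5), encrypt(pk, 7)
    return decrypt(sk, pk, ct5), decrypt(sk, pk, multiply(pk, ct5, ct7))


if __name__ == "__main__":
    print(demo())
```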

Efficient collection of evidence using Blockchain technology
In cybercrime, digital data is an important source for analysis. Offenders conceal their details and erase the evidence in various parts of the infrastructure as a service cloud system. The key issue with infrastructure as a service cloud infrastructure is that data collection is spread over a wide scale [14]. In addition, cloud users have more control than investigators, which makes gathering and preserving data a difficult challenge. To combat these issues, SDN and blockchain technologies are used in the proposed digital forensic infrastructure to gather and maintain cloud forensic data. The evidence is stored in the blockchain ledger under the control of the software-defined network control plane. In cloud forensics, some relevant definitions are:
Evidence integrity: Integrity of the evidence guarantees that the evidence correctly reflects the information contained in the computer. Several areas of the cloud influence data integrity, but preserving integrity is a core component of cloud forensics.
Data origin: It is a form of authentication that corroborates a party as the (original) source of specified data generated at some (typically unspecified) time in the past.
Data volatility: Volatility refers to the loss of data held in memory after the power is switched off or fails. This is an important problem from a forensic standpoint, since both memory and CPU processes vanish if the server crashes. These difficulties increase if virtual machines (VM) are involved. For example, in IaaS a VM does not have permanent storage, so if the VM crashes, the volatile data may be lost [29].

Custody in chain
Chain of custody is the method of retaining and recording the chronological history of the handling of data as digital evidence. Data may be passed between the first responder, prosecutors (one or more), and judges at the various levels of the hierarchy of the automated forensics system. These temporary owners handle the evidence during its lifetime. Because every action on the evidence is held in the blockchain, our proposed work maintains the chain of custody.
Digital evidence ownership proof: Digital evidence of ownership is defined here as the proof of ownership of existing digital evidence. Multiple owners can manage the data during its lifespan [38]. If the status of the data has changed, the original owner must sign the data to retain the proof of cloud-based ownership. The proof of ownership is retained in the framework because each transfer of ownership is preserved in the blockchain data history.
Graph neural network (GNN) based smart contracts: A smart contract is a computer program that tracks data history automatically. When the necessary conditions are met, the smart contract is activated and executed. To optimize smart contracts, graph theory algorithm rules are deployed in this work [7].
Data lineage: It documents the history of ownership and processing of the data throughout its entire life cycle. In other words, the sequence of records showing the actions taken on the data is known as its lineage or provenance. With the aid of blockchain [45], we retain the data provenance; that is, in our work, any alteration made to the data is saved in the blockchain and traced by GNNSC. The evidence has its hash value in the public ledger of the blockchain. We use the SHA-3-512 algorithm, which is better in terms of security, for hash value generation. The hash value in SHA-3 is determined for each block as follows: Here the unique hash value is calculated for the input, that is, the transaction (T), with padding q, permutation function g, and output length L. The hash value in SHA-3-512 is created by the "sponge construction" mechanism, as in Eq. (10). Adopting SHA-3-512 for hash calculations may bring various benefits over the current system with respect to time consumption and protection. Consider the data d1 of user U1 at time t1 in the cloud. A block is formed for d1 and its hash value is created by SHA-3-512. Each transaction, i.e., each change made to d1, is tracked with its time by the GNNSC installed in the system. Every update is processed and circulated as evidence among the peers in the blockchain network. The log contains the user name, IP address, time, and all other hardware information of the evidence. The evidence log, i.e. the data history, is kept in the blockchain as detailed evidence of each change. The history of the data can include records that describe changes, ownership transfers, and other actions on cloud-specific data [52]. Algorithm 3 explains the method of collecting evidence. Here, evidence can be gathered and preserved within the blockchain for every single piece of data residing in the cloud. Furthermore, in the cloud environment, GNNSC tracks and controls the accessibility of data stored by users.
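The hash tree per block, the current/previous hash linkage and the tamper detection described above can be checked with a few lines of Python. This is an added example, not the paper's implementation: the block layout, field names, helper functions and the sample log records (user, IP address, time, action) are constructed for illustration, and the only property taken from the paper is the use of SHA-3-512.

```python
# Added example (not the paper's code): SHA-3-512 hash tree per block plus
# previous-hash chaining, with a verifier that reports where tampering shows.
import hashlib
import json

GENESIS_PREV = "0" * 128  # constructed placeholder: block 0 has no predecessor


def sha3(data: bytes) -> bytes:
    return hashlib.sha3_512(data).digest()


def canonical(entry: dict) -> bytes:
    """Stable byte encoding of one evidence log record."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(entries) -> str:
    """Root of the hash tree over a block's log records.

    Leaves and inner nodes use different prefixes so a leaf can never be
    confused with an inner node; an unpaired node is carried up unchanged.
    """
    level = [sha3(b"\x00" + canonical(e)) for e in entries]
    if not level:
        return sha3(b"").hex()
    while len(level) > 1:
        nxt = [sha3(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()


def header_hash(index: int, prev_hash: str, root: str) -> str:
    """Current hash of a block: binds its position, predecessor and tree root."""
    return sha3(f"{index}|{prev_hash}|{root}".encode()).hex()


def append_block(chain: list, entries: list) -> dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    root = merkle_root(entries)
    block = {"index": len(chain), "prev_hash": prev_hash,
             "entries": [dict(e) for e in entries], "merkle_root": root,
             "hash": header_hash(len(chain), prev_hash, root)}
    chain.append(block)
    return block


def verify_chain(chain: list) -> list:
    """Return [(block_index, failed_check), ...]; an empty list means intact."""
    problems, expected_prev = [], GENESIS_PREV
    for pos, block in enumerate(chain):
        if merkle_root(block["entries"]) != block["merkle_root"]:
            problems.append((pos, "merkle_root"))   # a log record was altered
        if header_hash(pos, block["prev_hash"], block["merkle_root"]) != block["hash"]:
            problems.append((pos, "hash"))          # header fields were altered
        if block["prev_hash"] != expected_prev:
            problems.append((pos, "prev_hash"))     # an earlier block was rewritten
        expected_prev = block["hash"]
    return problems


def build_demo_chain() -> list:
    """Three blocks of constructed evidence log records for data item d1."""
    chain = []
    append_block(chain, [{"user": "U1", "ip": "192.0.2.10",
                          "time": "2021-03-01T10:00:00Z", "action": "create d1"}])
    append_block(chain, [{"user": "U1", "ip": "192.0.2.10",
                          "time": "2021-03-01T10:05:00Z", "action": "update d1"},
                         {"user": "U2", "ip": "192.0.2.44",
                          "time": "2021-03-01T10:06:30Z", "action": "read d1"},
                         {"user": "U1", "ip": "192.0.2.10",
                          "time": "2021-03-01T10:09:00Z", "action": "update d1"}])
    append_block(chain, [{"user": "U1", "ip": "192.0.2.10",
                          "time": "2021-03-01T11:00:00Z", "action": "transfer d1 to U2"}])
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    chain[1]["entries"][1]["user"] = "U9"   # simulate an edited log record
    print(verify_chain(chain))
```

Editing a record without touching the hashes fails the tree check in that block; recomputing that block's own hashes only moves the failure to the `prev_hash` check of the next block, which is why peers holding later blocks can still detect the change.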
Algorithm 3 Efficient Evidence Collection Method (Pseudocode) During our initiative, we use smart contracts to alerting cloud server when a graph theory law, which is often integrated as a proof record within the blockchain, is met.Many registered users will be able to the right of entry information contained in the cloud atmosphere.This paper draws intelligent contracts from the graphology that functions on a secret stage of data [51].The smart contract is executed by means of the graph theory principles used in the framework.Figure 5 demonstrates GNNSC's pictorial representation.FSC presence tracks all big activities conducted under the data contained in the cloud server machine [1, 4, 6-9, 15, 18, 34, 37, 48, 67].Thus, any accurate evidence of the cloud server machine evidence is gathered and the correctness of evidence is conserved using blockchain technologies in our proposed forensic architecture.
Table 2 displays the laws of graph theory in GNNSC [1].Because of these sets of laws, the statement is generated and saved like an evidence log.A modification of the data made after previous access is the previous danger [46].If the earlier hazard is restricted and information nonconfidential, the log right of entry evidence will be overlooked and the report will not be produced.The produced statement is well thought out otherwise noteworthy, and stored in the blockchain.
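The data lineage described in this section (one block per change to d1, hashed with SHA-3-512 and linked to the previous block) can be sketched as follows. This is an added example, not the paper's Algorithm 3 or the authors' code; the class and field names, the JSON encoding and the sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 128  # assumed previous-hash value for the first block (512 bits in hex)


def sha3_512_hex(data: bytes) -> str:
    return hashlib.sha3_512(data).hexdigest()


def block_digest(body: dict) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha3_512_hex(encoded)


class EvidenceChain:
    """Append-only evidence log: one block per change made to a data item."""

    def __init__(self):
        self.blocks = []

    def record(self, data_id, user, source_ip, timestamp, action, data: bytes) -> dict:
        body = {
            "index": len(self.blocks),
            "data_id": data_id,
            "user": user,
            "source_ip": source_ip,
            "timestamp": timestamp,
            "action": action,
            "data_hash": sha3_512_hex(data),
            "prev_hash": self.blocks[-1]["block_hash"] if self.blocks else GENESIS,
        }
        block = dict(body, block_hash=block_digest(body))
        self.blocks.append(block)
        return block

    def first_invalid_block(self):
        """Index of the first block whose hash or link is wrong, or None."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "block_hash"}
            if block["prev_hash"] != prev or block_digest(body) != block["block_hash"]:
                return i
            prev = block["block_hash"]
        return None

    def lineage(self, data_id):
        """History of one data item, oldest first."""
        return [(b["timestamp"], b["user"], b["action"])
                for b in self.blocks if b["data_id"] == data_id]

    def cloud_copy_matches(self, data_id, cloud_bytes: bytes) -> bool:
        """True if the copy held in the cloud hashes to the last recorded state."""
        history = [b for b in self.blocks if b["data_id"] == data_id]
        return bool(history) and history[-1]["data_hash"] == sha3_512_hex(cloud_bytes)


def demo_chain() -> EvidenceChain:
    # Constructed sample: user U1 creates d1 at t1 and changes it at t2 and t3.
    chain = EvidenceChain()
    chain.record("d1", "U1", "192.0.2.10", 1, "create", b"voter record v1")
    chain.record("d1", "U1", "192.0.2.10", 2, "update", b"voter record v2")
    chain.record("d1", "U1", "203.0.113.7", 3, "update", b"voter record v3")
    return chain
```

Editing a stored block changes its digest, and re-hashing the edited block breaks the `prev_hash` link of the block after it, so `first_invalid_block()` locates the alteration either way.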

Cloud forensic investigation
If a cyber-crime has been detected, the designated investigator (police, lawyers) must examine the digital evidence. CAS also authenticates the investigator prior to the inquiry. If a criminal enters a voting room, his basic details, such as his Aadhar number and voter id, are kept in the election commission's database. If he hacks the database to delete or modify the record of his entry into the voting room, he is attempting to update or remove the evidence history [33].
Because all of the evidence log records are stored in a blockchain, which is a distributed ledger, our proposed forensic architecture is useful in this situation. The investigator must also pass strong authentication before gaining access to the system [55]. The investigator should take the following steps when analyzing data.

Evidence identification
The first step in a digital forensic investigation is to locate a possible source of reliable evidence. To do so, the investigator must obtain legal consent from the relevant authority, as shown in Table 3.

Evidence acquisition
The investigator may gather all evidence log records from the blockchain with the consent of the legally authorized authorities. The evidence log recorded in the study contains mutual credentials of the user evidence based on hardware [57]. During this time, the investigators will have to adhere to court restrictions while also abiding by SLA agreements.

Evidence analysis
The investigator then goes through all data logs and compiles a report on digital evidence. For better analysis, this paper proposes a logical graph of evidence. The evidence is used to build a graph of data with matching log attributes [18]. If the perpetrator checks in at a polling site, the history of persons who visited the voting center, i.e., the original details, is submitted to the cloud by the election commission's administrator, i.e., a registered user. The evidence is then created on the blockchain with each log record attribute (source_IP, timestamp, actions made, transaction hash, server of virtual machine, DFS_ID, and the like).
Consider the case where the suspect's check-in history was changed at t2. Then, in a subsequent block of log attributes, the next log is modified. Similarly, as soon as the hacker tries to access the information or erase it from the cloud, this is treated as evidence and recorded in the subsequent block. The investigator must complete the following steps to create a graph of evidence:
• Sequentially arrange the evidence according to the timestamp
• Establish each piece of evidence through its log record attributes
• Build an evidence graph according to the evidence order and log record attributes
Table 2 shows properties of the survey evidence collection. A graph of evidence can be constructed using this data, as seen in Fig. 6. The investigator can see from the graph of evidence that the suspect has edited (modified) the evidence (User X). However, the authorized user's location and IP addresses are different.
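The three graph-building steps above, followed by the check the investigator performs on the result (a modification made under User X's account from an address that differs from the authorized user's), as an added example that is not the paper's own code. The record layout, the transaction identifiers and the rule that an account's first recorded address is its baseline are assumptions; the sample log records are constructed.

```python
WRITE_ACTIONS = {"modify", "delete"}
COMPARED_ATTRS = ("user", "source_ip", "vm_server")


def build_evidence_graph(records):
    """Return (nodes, edges) for a list of evidence log records."""
    # Step 1: arrange the evidence sequentially by timestamp.
    ordered = sorted(records, key=lambda r: r["timestamp"])
    # Step 2: one node per piece of evidence, carrying its log attributes.
    nodes = {r["tx_hash"]: dict(r) for r in ordered}
    # Step 3: connect consecutive evidence and note which attributes changed.
    edges = []
    for prev, cur in zip(ordered, ordered[1:]):
        changed = sorted(k for k in COMPARED_ATTRS if prev[k] != cur[k])
        edges.append((prev["tx_hash"], cur["tx_hash"], changed))
    return nodes, edges


def flag_discrepancies(nodes):
    """Write actions made from an address other than the account's first one.

    Assumption of this example: the first recorded address of an account is
    treated as the authorized user's address.
    """
    baseline = {}
    flagged = []
    for tx_hash, node in nodes.items():  # dict order is time order
        first = baseline.setdefault(node["user"], node)
        if node["action"] in WRITE_ACTIONS and node["source_ip"] != first["source_ip"]:
            flagged.append(tx_hash)
    return flagged


def sample_records():
    # Constructed log records, deliberately out of order; tx_hash values are
    # placeholders, not real transaction hashes.
    return [
        {"tx_hash": "tx-03", "timestamp": 3, "user": "User X", "action": "delete",
         "source_ip": "203.0.113.7", "vm_server": "vm-1", "dfs_id": "dfs-17"},
        {"tx_hash": "tx-01", "timestamp": 1, "user": "User X", "action": "create",
         "source_ip": "192.0.2.10", "vm_server": "vm-1", "dfs_id": "dfs-17"},
        {"tx_hash": "tx-04", "timestamp": 4, "user": "investigator", "action": "read",
         "source_ip": "198.51.100.4", "vm_server": "vm-1", "dfs_id": "dfs-17"},
        {"tx_hash": "tx-02", "timestamp": 2, "user": "User X", "action": "modify",
         "source_ip": "203.0.113.7", "vm_server": "vm-1", "dfs_id": "dfs-17"},
    ]
```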

Reporting of evidence
At the evidence review level, all of the evidence within the graph of evidence is authenticated using a cryptographic digital signature that is kept together with the hash value and the data. According to our proposal, data should be signed before being sent to the cloud. As a result, if an intruder were to modify the evidence data, he or she would have to generate a digital signature.
For all evidence, the current transaction's hash value is kept at the blockchain storage repository. The hash value of the data stored in the cloud must match the Merkle tree root value of the block. The investigator compiles a report based on these findings and submits it to the court as digital testimony. Algorithm 4 illustrates the evidence collection process from acquisition to submission to the judiciary.
As a result, our designed cloud forensic architecture, which incorporates blockchain and SDN technologies, allows evidence to be collected securely from the cloud. A strong authentication protocol stops unauthorized users from gaining access to the cloud environment, while a sensitivity-aware encryption process improves data protection. Evidence storage using blockchain and SDN is an intelligent approach for distributed data protection. From evidence analysis to evidence reporting to the court, our designed cloud forensic architecture facilitates the whole investigation.
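The Merkle-root check described above, as an added example rather than the paper's Algorithm 4: a SHA-3-512 hash tree over the evidence in one block, with an inclusion proof the investigator can verify against the block's root. The leaf and node prefixes, the promotion of an unpaired node to the next level and the sample evidence strings are choices of this example, not details given in the paper.

```python
import hashlib
import hmac


def leaf_hash(data: bytes) -> bytes:
    # Distinct prefixes keep a leaf from being mistaken for an inner node.
    return hashlib.sha3_512(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha3_512(b"\x01" + left + right).digest()


def merkle_levels(items):
    """All tree levels, leaves first, root level last."""
    if not items:
        raise ValueError("a block must contain at least one evidence item")
    level = [leaf_hash(x) for x in items]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # unpaired node moves up unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(items) -> bytes:
    return merkle_levels(items)[-1][0]


def inclusion_proof(items, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in merkle_levels(items)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(data: bytes, proof, root: bytes) -> bool:
    """Recompute the root from the cloud copy of one item and its proof."""
    h = leaf_hash(data)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


def sample_evidence():
    # Constructed evidence records for one block.
    return [
        b"t1|User X|192.0.2.10|create",
        b"t2|User X|203.0.113.7|modify",
        b"t3|User X|203.0.113.7|delete",
        b"t4|investigator|198.51.100.4|read",
        b"t5|admin A|192.0.2.20|update",
    ]
```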

Investigational result evaluation
In this evaluation of the investigational results, we compare the efficiency measurements of the designed cloud forensic architecture with earlier research contributions. We present our simulation environment in this section and then compare our designed cloud forensic architecture with the prior centralized log record collection process.

Configuration and simulation
In a combined simulation platform, we configure our designed architecture for cloud forensic. Using CloudSim, we introduced an IaaS cloud environment in Python. Blockchain is the built-in data storage mechanism of the IaaS cloud in Python, as described in Algorithm 1. Both tests were run on Ubuntu OS using an Intel Core i7 CPU running at 2.80 GHz, 16 GB of RAM, and a 1000 GB SSD. Network Simulator version 3.30 (ns-3.30), which is dedicated to network simulation for software-defined networks, is also compatible with the cloud and blockchain environment. The Python platform's functionality is merged with ns-3.30 in order to create the simulation environment.
The Ubuntu operating system underpins the entire work; we use NetBeans-8.2 for the Python blockchain setup, Network Simulator-3 for software-defined network simulation, and CloudSim for IaaS cloud deployment.
Table 4 lists the important simulation parameters used in applying our designed cloud forensic architecture. Before turning to the comparative study, we go through a real-world use of the proposed forensic scheme.
The Proof-of-Work principle is used by the miner to validate the blockchain. A corresponding block is generated for each piece of data that the user stores in the cloud environment and the stored hash values.

1) Usecase Diagram of our Designed architecture of cloud forensic using Blockchain (FAuB)
An IaaS cloud environment is extremely versatile and can be used by any growing business. Many real-world implementations will benefit from our designed cloud forensic IaaS platform. In this paper, we look at one application of the proposed work in crime detection. Consider several voting centers that store their data, such as voter records, financial information, maintenance information, personnel information, and surveillance information, in the IaaS cloud. In our work, each piece of data is encrypted according to its level of data protection before being outsourced to the cloud. Furthermore, each voting center's administrator must be CAS-registered. The SDN controller collects evidence for all of the data stored within the cloud environment and stores it on a blockchain. Additionally, each admin may use GNNSC to monitor their data. Figure 7 depicts an example of the anticipated use case. Consider the case of a suspect who voted for a few hours at the polling centre A.
The suspect's information will then be found in voting centre A's election record file. Furthermore, video of the perpetrator in the polling centre will be present in the data obtained from security cameras. This could aid detectives in locating the suspect as soon as possible. Any change made to the voter registration database and surveillance data is recorded within the blockchain as evidence. Without a good forensic architecture, the perpetrator could erase or change the voter registry and the surveillance data held in the cloud. In our proposed forensic architecture, every piece of evidence is preserved in the blockchain, that is, a distributed block ledger. We also store the VM logs in the blockchain as evidence. The investigator will obtain information from the blockchain even if the hacker changes and modifies the details in the cloud. Plotting an evidence graph with the collected log data will reveal whether there are any differences in the evidence. The investigator will pass the digital evidence with a CoC to the court based on the evidence obtained from the blockchain.

Comparative analysis
This section compares our designed cloud forensic architecture to the current CFLOG [61] framework for safely collecting digital evidence. CFLOG collects and stores the evidence in a centralized fashion, which is the major contrast between the present forensic infrastructure and CFLOG. As mentioned in Section 3, this causes several problems. To overcome these challenges, we designed a cloud forensic architecture that collects and stores digital information safely using SDN and blockchain technologies.

1) Response Time Comparison
The time taken for users to get a response to a data request is known as response time. This metric is measured against the number of users involved in the forensic method. In other words, response time refers to the time it takes the forensic method to provide the necessary information or documentation to the users. In Fig. 8, the designed SDN-blockchain based cloud forensic architecture is compared to the current CFLOG framework, which is centralised. The number of user requests increases with the number of users in both works, so the response time steadily increases with the number of users. Still, for a larger number of users, our designed cloud forensic architecture responds to the requesting users quickly. The use of software-defined network technologies improves scalability, that is, the ability to accommodate a large number of users at the same time. As a result, any cloud user can connect to the cloud server instantly and download the requested data. Similarly, the prosecutor should be able to obtain information from the blockchain without having to wait for the SDN controller to respond.
As a result, the proposed forensic architecture reduces the response time. In CFLOG, the CSP performs both data management and evidence collection in a centralized fashion, which increases the response time when there are a large number of users. The CFLOG system takes 100 ms to answer in the presence of 120 users, while the designed cloud forensic architecture takes 72 ms for the same number of users. As a result, the designed cloud forensic architecture outperforms the CFLOG system by 31%.

2) Evidence Insertion Time Comparison
The time it takes to insert (or create) the digital evidence for data collected on a cloud server is known as evidence insertion time. In our analysis, it can also be described as the time it takes the SDN controller to generate evidence for the data stored at the CSP.
Fig. 9 shows the evidence insertion time as a function of the number of users. When the number of users grows, so does the volume of data that must be stored and the number of pieces of digital evidence that must be generated. As a result, the amount of time it takes to insert evidence increases as the number of users increases in all works. In the CFLOG process, all of the evidence is collected and stored in a centralized way under the supervision of the CSP.
As a result, the centralized evidence collection procedure lengthens the time it takes to insert evidence. In addition, we protect the history of data in our work, which means that each change to data is treated as evidence and incorporated into the blockchain. The SDN controller, on the other hand, is in charge of creating and preserving evidence without the intervention of the CSP. As a result, relative to previous work, evidence insertion in the blockchain takes less time.

3) Evidence Verification Time Comparison
The time it takes an investigator to collect and validate the evidence from the blockchain is known as evidence verification time.
The time taken for verification of evidence within the CFLOG process and the proposed forensic system is compared in Fig. 10. The proposed automated forensic technology achieves the shortest time for evidence verification. In the CFLOG process, the investigator uses the CSP to collect evidence, and the verification is done by the conventional method. In the proposed work, the investigator aggregates all evidence from the controller instead of the CSP. In addition, for improved analysis, evidence verification is carried out by creating a graph of evidence. Furthermore, we proposed SHA-3-based hash computation to maintain evidence consistency while reducing time consumption. As a result, we gain evidence integrity with the least amount of time spent on evidence verification.
In the presence of ten users, CFLOG takes 52.1 milliseconds to collect and validate digital evidence, while the proposed digital forensics FAuB takes just 37 milliseconds, reducing the verification time by nearly half.

4) Computational Overhead Comparison
The amount of bandwidth used to execute a particular activity (data transfer, reading, update, evidence generation, and evidence verification) within the forensic system is known as computational overhead.
Figure 11 depicts a comparison of computational overhead based on different numbers of users. Because the amount of data to be processed grows in tandem with the number of users, the computational overhead increases. The computational overhead is raised in the absence of blockchain technologies owing to centralised system administration. Both data and evidence collection in CFLOG occur in the CSP, which raises the overhead.
The proposed forensic method, on the other hand, keeps evidence processing such as collection, hash computation, and preservation on the SDN controller, reducing the total computational overhead. Furthermore, incorporating SDN technology increases scalability without adding overhead. Thus, the proposed digital forensic infrastructure adds 9.1 KB of overhead for ten cloud customers, while the CFLOG framework adds 10 KB of overhead.

5) Total Change Rate Comparison
The total change rate is calculated by dividing the number of evidence modifications by the total evidence existing within the forensic framework; the comparison with the old CFLOG system is shown in Fig. 12. When a hacker changes data in order to destroy evidence, the total change rate rises. The collected data must be accurate, and the evidence's accuracy must be maintained for an effective forensic method. Since only registered users are included in the proposed forensic scheme, any information or data from unauthorised users is refused. Furthermore, we use blockchain technology based on the SHA-3 algorithm to maintain the credibility of evidence.
According to our findings, 10.1% of the evidence is modified in the proposed forensic method. However, since we guarantee credibility, CoC, and PoO for evidence, this alteration is also registered as evidence in the blockchain. In the CFLOG process, approximately 61% of evidence is changed because of (i) centralised infrastructure, since the CSP can be malicious, (ii) a single point of vulnerability (an attacker only needs to break the CSP), (iii) no protection of credibility, and (iv) interference from unauthorised users' access. We overcome all of these issues with the help of blockchain and SDN technologies, which reduces the system's total change rate. Table 5 compares the cumulative outcomes of the CFLOG process and the proposed forensic system in terms of performance measurements. Each metric has improved with the proposed digital forensic FAuB architecture.

6) Efficiency of CB-EL GAMAL with Backtracking Search Optimization Algorithm
The elliptic curve cryptography (ECC) algorithm is regularly used for digital signatures in blockchain technology. On the other hand, there are several issues with key generation, encryption, and decryption. We proposed the CB-EL GAMAL algorithm with the Backtracking Search Optimization Algorithm for key generation to improve on the conventional ECC algorithm. As a result, we compare our proposed CB-EL GAMAL algorithm, which uses the Backtracking Search Optimization Algorithm, with the Paillier encryption algorithm proposed for blockchain technology.
The proposed CB-EL GAMAL algorithm is examined in detail in Figs. 13, 14, 15 and 16. For a stable blockchain architecture, the Paillier encryption algorithm is proposed in. On the other hand, data encryption is necessary in the environment of cloud, and here the determination by several users. The Paillier algorithm takes an average of 500 milliseconds to generate a key. Encryption and decryption, on the other hand, necessitate a significant amount of time, which is incompatible with the cloud environment.
The proposed CB-EL GAMAL algorithm, on the other hand, reduces the key generation time by using the backtracking search optimization algorithm, which has a quick convergence time. Similarly, the CB-EL GAMAL algorithm's deep architecture reduces the time taken for encryption and decryption. As a result, the suggested SA-ECC algorithm outperforms the traditional algorithm in terms of increasing protection without increasing time consumption.

7) SHA-3 Algorithm Efficiency
The most widely used hashing algorithm in blockchain technology is (SHA-256 bit)v2. In our proposed forensic scheme, hash computation is performed by the SHA-3 algorithm to improve the hash computation time and the security standard.
Graph 10 compares the hash computation time of the proposed SHA-3 algorithm with that of the previous (SHA-256)2 algorithm. In this comparison, SHA-3 reduces the hash calculation time for 100 users to 16 milliseconds without sacrificing security. In general, SHA-3 outperforms SHA-256 against a variety of security threats, including length extension attacks. As a result, constructing the Merkle tree with the SHA-3 algorithm increases protection without adding time to the process.
Overall, the proposed digital forensic FAuB architecture outperforms the current CFLOG scheme, according to the report. The use of blockchain and SDN technologies increases the efficiency and scalability of the system.

Conclusion
In this research work, a valuable digital forensic architecture based on blockchain technology is proposed to gather and safeguard reliable evidence from the infrastructure as a service cloud environment. The cloud authentication server (CAS), with a secure verification mechanism known as SBVM, authenticates all cloud users. The CB-EL GAMAL algorithm is proposed for data security, and the Backtracking Search Optimization Algorithm generates optimal keys prior to this. A block is formed in the controller for every piece of evidence stored in the cloud. The integrity of evidence is ensured in every block by SHA-3-512 based hash tree (Merkle tree) construction. All evidence is collected, and blockchain technology maintains evidence integrity, data origin, data link, digital evidence, proof of ownership (PoO), and chain of custody (CoC). GNNSC is deployed in the system to trace data activities. Finally, the use of a graph of evidence simplifies the evidence analysis. Overall, the forensic system is investigated using a Python and ns-3.30 simulation environment. Experimental findings suggest that the proposed forensic architecture outperforms the current unified forensic system. To improve the digital forensic infrastructure, we want to integrate network forensics in software-based networks as well as cloud forensics in the future.

Fig. 1 Year-wise analysis of research papers published in digital libraries

Fig. 7 Digital Forensic Crime Investigation Case Diagram

Fig. 9 Evidence Insertion Time Comparison Analysis

Fig. 13 Key Generation Comparison Analysis
Fig. 14 Encryption Time Comparison Analysis

Table 1 Records of Article Types in Various Libraries on this topic

Table 2 Attribute rules for GNNSC

Table 4 Simulation configuration setting

Table 5 Analysis and comparison