Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Forensic Analysis of Advanced Persistent Threat Attacks in Cloud Environments



Changwei Liu, Anoop Singhal, Duminda Wijesekera


Due to the increasing cyber-activities and the use of diverse devices offered on cloud environments, post-attack cloud forensic investigations must deal with data in diverse formats and quantities from emerging attackable interfaces. The process of forensic investigation in a cloud environment involves filtering away noisy data and using expert knowledge to make up the missing attack steps because recoverable evidence, in particular the one from advanced persistent threats (APT) attacks that have a long time span, is often disorganized and incomplete. We show how MITRE's ATT&CK framework and Lockheed Martin's cyber kill chain can be used to identify forensically valuable data, aggregate and correlate them to construct attack steps. ATT&CK is a globally accessible knowledge base of adversary tactics and techniques that is based on real-world observations that emulate cyber-attacks, which makes it a good tool to perform the post-attack analysis to identify the evidence. Because most APT attacks on cloud systems consist of a successful reconnaissance, command and control communication, privilege escalation, lateral movement through the network, exfiltration of confidential information that are also the key phases of a cyber kill chain, we investigate using cyber kill chains to organize the evidence and construct the attack steps.
Proceedings Title
Advances in Digital Forensics XVI
Conference Dates
January 6-8, 2020
Conference Location
New Delhi, IN
Conference Title
Sixteenth IFIP 11.9 International Conference on Digital Forensics


Cloud forensics, advanced persistent threat, ATT&CK, Cyber Kill Chain


Liu, C. , Singhal, A. and Wijesekera, D. (2020), Forensic Analysis of Advanced Persistent Threat Attacks in Cloud Environments, Advances in Digital Forensics XVI, New Delhi, IN, [online],, (Accessed April 20, 2024)
Created January 5, 2020, Updated October 12, 2021