Finding File Fragments in the Cloud

  • Dirk Ras
  • Martin Olivier
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 383)


As the use – and abuse – of cloud computing increases, it becomes necessary to conduct forensic analyses of cloud computing systems. This paper evaluates the feasibility of performing a digital forensic investigation on a cloud computing system. Specifically, experiments were conducted on the Nimbula on-site cloud operating system to determine if meaningful information can be extracted from a cloud system. The experiments involved planting known, unique files in a cloud computing infrastructure, and subsequently performing forensic captures of the virtual machine image that executes in the cloud. The results demonstrate that it is possible to extract key information about a cloud system and, in certain cases, even re-start a virtual machine.


Keywords: Cloud forensics, evidence recovery, file fragments



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Dirk Ras (1)
  • Martin Olivier (1)
  1. University of Pretoria, Pretoria, South Africa
