Hypervisor Event Logs as a Source of Consistent Virtual Machine Evidence for Forensic Cloud Investigations

  • Sean Thorpe
  • Indrajit Ray
  • Tyrone Grandison
  • Abbie Barbir
  • Robert France
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7964)

Abstract

Cloud Computing is an emerging model of computing where users can leverage the computing infrastructure as a service stack or commodity. The security and privacy concerns of this infrastructure arising from the large co-location of tenants are, however, significant and pose considerable challenges in its widespread deployment. The current work addresses one aspect of the security problem by facilitating forensic investigations to determine if these virtual tenant spaces were maliciously violated by other tenants. It presents the design, application and limitations of a software prototype called the Virtual Machine (VM) Log Auditor that helps in detecting inconsistencies within the activity timelines for a VM history. A discussion on modeling a consistent approach is also provided.

Keywords

Cloud Computing; Virtual Machine; User Session; Prototype Software; Digital Evidence

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Sean Thorpe (1)
  • Indrajit Ray (2)
  • Tyrone Grandison (3)
  • Abbie Barbir (4)
  • Robert France (2)
  1. Faculty of Engineering & Computing, University of Technology, Kingston, Jamaica
  2. Department of Computer Science, Colorado State University, Fort Collins, USA
  3. Proficiency Labs Intl, Ashland, USA
  4. Bank of America, Canada