Finding File Fragments in the Cloud
As the use – and abuse – of cloud computing increases, it becomes necessary to conduct forensic analyses of cloud computing systems. This paper evaluates the feasibility of performing a digital forensic investigation on a cloud computing system. Specifically, experiments were conducted on the Nimbula on-site cloud operating system to determine if meaningful information can be extracted from a cloud system. The experiments involved planting known, unique files in a cloud computing infrastructure, and subsequently performing forensic captures of the virtual machine image that executes in the cloud. The results demonstrate that it is possible to extract key information about a cloud system and, in certain cases, even re-start a virtual machine.
Keywords: Cloud forensics, evidence recovery, file fragments