Design and Implementation of FROST - Digital Forensic Tools for the OpenStack Cloud Computing Platform

We describe the design, implementation, and evaluation of FROST: three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, and therefore requires no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes the non-trivial challenge of remote evidence integrity by storing log data in hash trees and returning evidence together with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without requiring interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically sound data from OpenStack clouds independently of the provider. Our preliminary evaluation indicates that our approach scales in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.
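To make the integrity mechanism concrete, the following is an added illustration of the idea the abstract describes: log entries are committed to a hash tree (a Merkle tree), the root hash is handed to the examiner alongside the evidence, and any single entry can later be checked against that root with an inclusion proof. This is example code written for this page, not FROST's own implementation or OpenStack code; the API log lines are constructed samples, and the leaf/node domain-separation prefixes and the duplicate-last-node rule for odd levels are design choices made here, not taken from the paper.

```python
import hashlib
from typing import List, Tuple

# Constructed sample API log entries (not real OpenStack output).
SAMPLE_API_LOG: List[bytes] = [
    b"2013-01-10T12:00:01Z tenant=demo user=alice nova.servers.create id=vm-1",
    b"2013-01-10T12:00:05Z tenant=demo user=alice nova.servers.start id=vm-1",
    b"2013-01-10T12:03:42Z tenant=demo user=bob nova.servers.list",
    b"2013-01-10T12:07:19Z tenant=demo user=alice nova.servers.stop id=vm-1",
    b"2013-01-10T12:07:25Z tenant=demo user=alice nova.servers.delete id=vm-1",
]


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix: domain separation so a leaf can never be confused with an interior node.
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes (see leaf_hash).
    return _sha256(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # Assumed rule for odd-sized levels: duplicate the last node.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_tree(entries: List[bytes]) -> List[List[bytes]]:
    """Return all tree levels: levels[0] are the leaves, levels[-1] is [root]."""
    if not entries:
        raise ValueError("cannot build a hash tree over zero log entries")
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def root_hash(entries: List[bytes]) -> bytes:
    """The single value the examiner records when the evidence is acquired."""
    return build_tree(entries)[-1][0]


def inclusion_proof(entries: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    levels = build_tree(entries)
    proof: List[Tuple[bytes, str]] = []
    i = index
    for level in levels[:-1]:
        padded = _pad(level)
        if i % 2 == 0:
            proof.append((padded[i + 1], "right"))
        else:
            proof.append((padded[i - 1], "left"))
        i //= 2
    return proof


def verify_inclusion(entry: bytes, proof: List[Tuple[bytes, str]], expected_root: bytes) -> bool:
    """Recompute the path to the root; any altered byte in the entry or proof fails."""
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "right" else node_hash(sibling, h)
    return h == expected_root


def evidence_bundle(entries: List[bytes]) -> dict:
    """What an acquisition hands back: the entries plus the root hash (hex) to preserve."""
    return {"entries": list(entries), "root_sha256": root_hash(entries).hex()}


if __name__ == "__main__":
    bundle = evidence_bundle(SAMPLE_API_LOG)
    print("root:", bundle["root_sha256"])
    proof = inclusion_proof(SAMPLE_API_LOG, 3)
    print("entry 3 verifies:", verify_inclusion(SAMPLE_API_LOG[3], proof, root_hash(SAMPLE_API_LOG)))
    tampered = SAMPLE_API_LOG[3].replace(b"alice", b"mallory")
    print("tampered entry verifies:", verify_inclusion(tampered, proof, root_hash(SAMPLE_API_LOG)))
```

The root hash is what the examiner records at acquisition time; an inclusion proof for one entry is only a handful of sibling hashes, so a single log line can be verified later without re-hashing the whole log, and any modification to an entry, its proof, or the root causes verification to fail.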
