Finding File Fragments in the Cloud

As the use – and abuse – of cloud computing increases, it becomes necessary to conduct forensic analyses of cloud computing systems. This paper evaluates the feasibility of performing a digital forensic investigation on a cloud computing system. Specifically, experiments were conducted on the Nimbula on-site cloud operating system to determine if meaningful information can be extracted from a cloud system. The experiments involved planting known, unique files in a cloud computing infrastructure, and subsequently performing forensic captures of the virtual machine image that executes in the cloud. The results demonstrate that it is possible to extract key information about a cloud system and, in certain cases, even re-start a virtual machine.
