Cloud Forensics ---Retrieving Virtual Disks for Forensic Investigation
1. Openstack Installation :
The Following are the various ways to install Openstack Cloud Orchestration System
1.Devstack Multi Node Installation :-
We need to have a fresh install of linux on all linux nodes at least on 3 systems so that we can run openstack service’s on different nodes.
Devstack Refers the following Website for Minimal Ubuntu 12.04 Download on all Nodes
2. Opscode Chef Server :-
Design and Implementation of FROST
Digital Forensic Tools for the OpenStack Cloud Computing Platform
Josiah Dykstra and Alan T.Sherman
The Objective of the paper is add forensic tools for the Openstack Cloud platform which operates at the management plane. These Forensic capabilities allows the customers,forensic examiners and law enforcement to acquire trustworthy forensic acquisition of virtual disks,API Logs and guest firewall logs.
FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machine, thereby requiring no trust in the guest virtual machines.It overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes.
The Following assumptions are taken into consideration
1. The User driven forensic capabilities are applicable in situations where a cooperative cloud customer is involved in the investigation. That is ,if a malicious customer uses the cloud to commit a crime, the cloud provider will still be required to assist law enforcement in the investigation.
2. The Frost tools assume trust in the cloud provider and cloud infrastructure. otherwise, there is a chance of modifying evidence at the provider side so we require trust in the host operating system, hardware and provider.
The paper has contributed following capabilities to FROST:-
1. Implementation of user driven forensic acquisition of virtual disks, API logs and firewall logs from the management plane of openstack.
2. An algorithm for storing and retrieving log data with integrity in a hash tree that logically segregates the data of each cloud user in his or her own subtree.
3. Evaluation results showing that the proposed solution satisfies technological and legal requirements for a acceptance in court .
Specifications and Capabilities :-
FROST has three primary components
1. A Cloud user can retrieve image of the virtual disks associated with any of the user’s virtual machines,and validate the integrity of those images with cryptographic checksums.
2.A cloud user can retrieve the logs of all API requests made to the cloud provider using his or her credentials and validate the integrity of those logs.
3.A cloud user can retrieve the Openstack firewall logs for any of the user’s virtual machines,
and validate the integrity of those logs.
A Scenario which shows the advantage of FROST :-
An arbitrary cloud customer alice who wants to investigate suspiciously high bandwidth usage from her cloud hosted web server. Aside from the logging of web requests that she does
inside of her own VM.Alice would have a more complete picture of activity if she could also get a record of management activity and meta data about her VMs . The FROST Collects and provides trustworthy API logs, guest firewall logs and virtual disks. These data can help construct a timeline activity and understand an incident.
I conclude that the FROST implements the acquisition phase of the forensic process and there are other phases need to be added according to the cloud computing platform .I wanted to re-implement this paper to my best so that I can get good exposure to Cloud platform and ability to add additional modules required to the FROST .
1. Amazon Web Services: Overview of Security Processes. Available at
http://awsmedia.s3.amazonaws.com/pdf/AWSSecurityWhitepaper.pdf;2011. [accessed 10.28.2012].
2.Clarke, D.E.. Towards Constant Bandwidth Overhead Integrity Checking of Untrusted Data. Ph.D. thesis; MIT; 2005.
3.Crosby, S.A.. Efficient Tamper-Evident Data Structures for Untrusted Servers. Ph.D. thesis; Rice University; 2009.
4.Dykstra,J.,Riehl, D.. Forensic Collection of Electronic Evidence from Infrastructure-As-A-Service Cloud Computing. Richmond Journal of Law and Technology 2012;19. Available at
5.Dykstra, J., Sherman, A.T.. Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies. In: Proceedings of the 2011 ADFSL Conference on Digital Forensics Security and Law. ASDFL; 2011a. p. 191–206.
6.Garfinkel,S..Digital forensics xml and the df xml toolset. Digital Investigation 2012;8(3–4):161–174.
7.Taylor, M., Haggerty, J., Gresty, D., Lamb, D.. Forensic investigation of cloud computing systems. Network Security 2011;(3):4–10.
8.Scientific Working Group on Digital Evidence (SWGDE),.Data Integrity Within Computer Forensics.
Available at :-https://www.swgde.org/documents/Current%20Documents/2006-
2006. [accessed 9.16.2012].
9.Ruan, K., Carthy, J., Kechadi, T., Crosbie, M.. Cloud forensics: An overview. In: Advances in Digital Forensics VII. 2011. .
10.National Institute of Standards and Technology,.Digital Data Acquisition Tool Specification.Available at http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf; 2004. [accessed 9.16.2012].
11.Marty, R.. Cloud application logging for forensics. In: Proceedings of the 2011 ACM Symposium on Applied Computing. New York, NY, USA: ACM; SAC ’11; 2011. p. 178–184.
12.Liand, J., Krohn, M., Mazi`res, D., Shasha, D.. Secure Untrusted Data Repository (SUNDR). .
13.Kundu, A.. Data in the Cloud: Authentication without Leaking. Ph.D. thesis; Purdue University; 2010.