Abstract
Cloud Computing (CC) is on the rise. CC differs in a number of ways from the traditional computing models. CC presents numerous challenges to the digital forensics community, whose research and practice largely fall in the realm of traditional computing. We will name a few of them in this paper, together with some approaches the community has taken to overcome those challenges. On the other hand, CC is also full of economic and computational advantages. We will visit several approaches that employ CC to improve the quality of digital forensics work.
1. Introduction
Cloud Computing is defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. In this definition, CC has 5 essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service), 3 service models (Software as a service, Platform as a service, Infrastructure as a service) and 4 deployment models (Private cloud, Community cloud, Public cloud, Hybrid cloud) [8]. On the other hand, according to Armbrust et al., CC is either Software as a Service (SaaS) or Utility Computing, but excludes the Private Cloud deployment model [2]. Although their definition is narrower than NIST's, their claims and arguments are at the least valid for the Public cloud deployment model, which is currently the most popular. Examples of public CC nowadays are Amazon EC2, Google AppEngine and Microsoft Azure. Although not required by CC's definition, virtualization is considered essential to achieve elasticity and the illusion of infinite capacity [2]. Armbrust et al. also noted that the construction and operation of extremely large-scale data centers is necessary for economic and efficient use of CC. High automation is expected in such large-scale cloud infrastructure. While private or smaller-scale CCs are possible [5], the scale of many popular CC deployments nowadays is (extremely) large. As a result of that large-scale infrastructure, access to the internal construction and operation of the cloud is (severely) limited for outsiders (e.g. cloud users, digital forensics investigators). A private cloud, however, may offer more relaxed access to its internals. Another commonly found characteristic of CC is its distributed environment. The broad network access and rapid elasticity characteristics of CC help the distributed environment scale even more easily.
be right. For instance, with only 1 forensic task ever implemented in that new framework, it is possible that the framework is not suitable for, or does not scale well in, the development of other forensics software. Later, in 2009, Roussev and other researchers presented a cloud-based implementation of several elementary digital forensics tools. Their implementation was reported to achieve linear and sublinear speedup compared to the traditional implementation. Their work (called MMR) was an implementation of Google's MapReduce framework using the Message Passing Interface (MPI). In particular, MMR consisted of 3 abstraction layers: MPI providing distributed communication; a middleware platform providing synchronization and the MapReduce abstraction; and finally software code containing the application logic. A comprehensive evaluation of using MMR to develop elementary forensics software or the like (such as wordcount, grep, bloom filter, or a pi estimator representing CPU-bound image processing algorithms) confirmed the feasibility of achieving scalable and robust performance runs with MMR. MMR was also reported to have better performance than Hadoop, the Java implementation of MapReduce [9]. This work by Roussev et al. was another attempt to apply distributed computing to solve the performance issues of digital forensics tools. Compared to previous work, this work's implementation and evaluation were more robust and comprehensive. Much of the robustness, we believe, was the result of using MPI and Google's MapReduce instead of developing a new specialized distributed framework. The evaluation also included a comparison between the performance of MMR and Hadoop. Because of the limitations of Hadoop's Java implementation [9], the result, as mentioned earlier, was expected. However, it would be very interesting if there were a comparison between the above 2 in terms of ease of design and implementation.
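To make the MapReduce abstraction described above concrete, here is an added example (our own illustration, not MMR's or Hadoop's code) of a keyword search, the "grep" task named above, written as a map phase over chunks of a disk image, a shuffle that groups hits by keyword, and a reduce phase. The sample evidence bytes, the keyword list and the chunk sizes are constructed for the example. It also shows the caveat a practitioner hits when splitting an image for parallel processing: without an overlap of at least len(keyword)-1 bytes between chunks, a keyword that straddles a chunk boundary is missed, and with overlap the reducer must deduplicate the hits reported twice.

```python
"""MapReduce-style keyword search over a disk image (added example, not MMR code).
The map phase runs per chunk; the reduce phase merges hits per keyword."""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample "disk image" (206 bytes): zero padding with a few strings
# an examiner might search for. Offsets: "password" at 40, "@example.com" at 91,
# "secret" at 133 and (upper-case) at 189.
EVIDENCE = (
    b"\x00" * 40 + b"password=hunter2\n" + b"\x00" * 20
    + b"contact: alice@example.com" + b"\x00" * 30
    + b"secret" + b"\x00" * 50 + b"SECRET-PLANS.docx"
)
KEYWORDS = [b"password", b"secret", b"@example.com"]  # constructed search terms


def split_with_overlap(data: bytes, chunk_size: int, overlap: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute offset, chunk). Consecutive chunks overlap by `overlap` bytes
    so a keyword that straddles a chunk boundary is still fully visible to one mapper."""
    step = chunk_size - overlap
    for start in range(0, len(data), step):
        yield start, data[start:start + chunk_size]
        if start + chunk_size >= len(data):
            break


def grep_mapper(item: Tuple[int, bytes]) -> List[Tuple[bytes, int]]:
    """Map phase: emit (keyword, absolute offset) for each case-insensitive hit in one chunk."""
    base, chunk = item
    lowered = chunk.lower()
    hits = []
    for kw in KEYWORDS:
        needle = kw.lower()
        pos = lowered.find(needle)
        while pos != -1:
            hits.append((kw, base + pos))
            pos = lowered.find(needle, pos + 1)
    return hits


def shuffle(mapped: Iterable[List[Tuple[bytes, int]]]) -> Dict[bytes, List[int]]:
    """Group every emitted (key, value) pair by key, as the framework does between phases."""
    grouped: Dict[bytes, List[int]] = defaultdict(list)
    for pairs in mapped:
        for key, value in pairs:
            grouped[key].append(value)
    return grouped


def offsets_reducer(key: bytes, values: List[int]) -> List[int]:
    """Reduce phase: the same offset can be reported by two overlapping chunks, so dedupe."""
    return sorted(set(values))


def map_reduce(items, mapper, reducer, workers: int = 4):
    """Minimal MapReduce driver: parallel map, shuffle, then reduce per key."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        mapped = list(pool.map(mapper, items))
    return {key: reducer(key, values) for key, values in shuffle(mapped).items()}


def search_image(data: bytes = EVIDENCE, chunk_size: int = 64, overlap: int = None) -> Dict[bytes, List[int]]:
    """Search `data` for KEYWORDS. Default overlap is the longest keyword minus one,
    the smallest value that guarantees no boundary-spanning keyword is lost."""
    if overlap is None:
        overlap = max(len(k) for k in KEYWORDS) - 1
    chunks = split_with_overlap(data, chunk_size, overlap)
    return map_reduce(chunks, grep_mapper, offsets_reducer)


if __name__ == "__main__":
    print(search_image())                           # all four hits
    print(search_image(chunk_size=44, overlap=0))   # "password" at 40 is lost at the 44-byte boundary
```

Running `search_image()` with the default overlap finds all hits regardless of chunk size; calling it with `overlap=0` and a chunk size that cuts through a keyword silently drops that hit, which is exactly the kind of correctness check worth building into the evaluation of any distributed forensic grep.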
As forensics software becomes more sophisticated, ease of development will become more important. Java is well known for its object-oriented-ness and automatic memory management. The implementation language of MMR was unfortunately not mentioned. Taking advantage of CC in a different way, Buchanan et al. used CC to methodologically evaluate the quality of digital forensics tools [5]. Inspiring them was the fact that the credibility of digital forensics findings is impacted by the lack of standardization in procedures, toolkits and data sets. Building on their success in using virtualization to teach computer security and digital forensics, Buchanan et al. presented an infrastructure based on virtualization within a CC deployment. In brief, they created a set of evaluation criteria and a CC-based testing system. This system was capable of script-automating different modes of testing and of creating and preparing portable and reproducible test environments. Each test environment was a virtual instance stored in a shared library. Results from the evaluation of their system showed reliable, robust and scalable execution. In addition, the system demonstrated better energy consumption and CPU utilization compared to a traditional stand-alone test system. Buchanan et al.'s work showed great promise in improving the quality and credibility of digital forensics research and practice. Their work can also promote and facilitate collaboration among members of the digital forensics community because it would be easier to create, collect and transfer testing and training data sets. However, copyright issues may still constrain the creation and sharing of certain types of digital forensics data. Binary scrambling techniques may be used in some cases, but they were reported to create a new issue for forensics techniques which rely on known binary signatures [5]. In addition, the current implementation, based on VMware technologies, cannot accommodate non-desktop (e.g. mobile phones, handheld devices) digital forensics data and tools. For instance, the two most popular mobile platforms, Apple's iOS and Android, have not been supported as guest OSs by VMware [11]. Given the current trend of mobile computing, we expect demand for digital forensics research and practice on those mobile platforms to increase rapidly. Therefore, it is highly desirable that future versions of Buchanan et al.'s test system can support such guest OSs.
technique called RECIF for the analysis of logs at the application level. Probably inspired by the success of research in the mature field of business informatics, their technique offered a pioneering approach to digital forensics investigation. In brief: a data flow is a transition between 2 events where the output of one is used as the input of the other. A policy is a set of constraint-exception relations expressed in a special, simple language. From data collected in application logs, a propagation graph of data flows is reconstructed, and the resulting graph is matched against a set of predefined business process policies to detect information leaks [1]. An interesting fact was the use of MXML, the standardized log format for business processes. It was mentioned that tools for transforming logs from major business process systems such as SAP, Oracle and Sage to MXML were available. An example run was reported in which the technique correctly detected an information leak from a set of generated data flows and a separation-of-duty policy. Further work was ongoing to demonstrate the correctness of the technique in more complex scenarios. Overall, the technique looks very promising. It works on a standardized log format which can be transformed from multiple other common formats. It can readily support many common business policies such as Separation of Duties and Conflict of Interest. It is also complementary to other digital forensics techniques. And it doesn't require any special tools or skills (besides the ability to write business process policies in a pre-defined syntax, which looks simple). This technique is probably most useful in information leak scenarios where the so-called crime does not involve many technical details. Those scenarios are often the result of flaws in security policy specifications or software designs. However, the expressiveness of the language can still be enhanced. Obviously, the language cannot express a policy of the type "deny all, allow a few" because it is intrinsically "allow all, deny a few".
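As an added illustration of the data-flow approach described above (our own code, not Accorsi et al.'s RECIF implementation, and not using the MXML format), the following builds the propagation graph of data flows from a constructed application-log extract and matches it against policies written as constraint/exception pairs in the "allow all, deny a few" style. The event records, activity names, originators and the two rules (a separation-of-duties rule and an export rule with an exception) are all constructed for the example. It goes slightly beyond the single separation-of-duty run reported in the text by following flows transitively, so that data that passes through an intermediate activity is still attributed to its origin.

```python
"""RECIF-style data-flow check over application-log events (added example, not
Accorsi et al.'s code). Direct flows -> propagation graph -> policy matching."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    eid: str
    activity: str
    originator: str
    inputs: FrozenSet[str]   # data items this activity consumed
    outputs: FrozenSet[str]  # data items this activity produced


def ev(eid, activity, who, inputs=(), outputs=()) -> Event:
    return Event(eid, activity, who, frozenset(inputs), frozenset(outputs))


# Constructed log extract (not MXML): invoice 17 is created and approved by the
# same person, and its payment record leaves through an unsanctioned channel.
LOG = [
    ev("e1", "create_invoice", "alice", outputs=["inv-17"]),
    ev("e2", "review_invoice", "bob", ["inv-17"], ["inv-17-reviewed"]),
    ev("e3", "approve_invoice", "alice", ["inv-17-reviewed"], ["payment-17"]),
    ev("e4", "create_invoice", "carol", outputs=["inv-18"]),
    ev("e5", "approve_invoice", "dave", ["inv-18"], ["payment-18"]),
    ev("e6", "send_external", "mailer", ["payment-17"]),
    ev("e7", "send_external", "mail-gateway", ["payment-18"]),
]


def build_flows(log: List[Event]) -> List[Tuple[Event, Event, FrozenSet[str]]]:
    """Direct data flows: e_i -> e_j (i < j) whenever an output of e_i is an input of e_j."""
    flows = []
    for i, src in enumerate(log):
        for dst in log[i + 1:]:
            shared = src.outputs & dst.inputs
            if shared:
                flows.append((src, dst, shared))
    return flows


def propagation_graph(flows) -> Dict[str, Set[str]]:
    """Transitive closure of the direct flows: every event a source's data can reach,
    directly or through intermediate activities."""
    succ: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _ in flows:
        succ[src.eid].add(dst.eid)
    reach: Dict[str, Set[str]] = {}
    for start in list(succ):
        seen, stack = set(), list(succ[start])
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(succ.get(node, ()))
        reach[start] = seen
    return reach


@dataclass(frozen=True)
class DenyRule:
    """One 'allow all, deny a few' policy element: a constraint and its exception."""
    name: str
    source_activity: str
    target_activity: str
    constraint: Callable[[Event, Event], bool]                      # deny when True ...
    exception: Callable[[Event, Event], bool] = lambda s, t: False  # ... unless this holds


EXPORT_APPROVED = {"mail-gateway"}  # assumed set of sanctioned external channels

POLICIES = [
    DenyRule("separation_of_duties", "create_invoice", "approve_invoice",
             constraint=lambda s, t: s.originator == t.originator),
    DenyRule("export_to_unapproved_channel", "create_invoice", "send_external",
             constraint=lambda s, t: True,
             exception=lambda s, t: t.originator in EXPORT_APPROVED),
]


def check(log: List[Event], rules=POLICIES) -> List[Tuple[str, str, str]]:
    """Return (rule name, source event, target event) for each flow that violates a rule."""
    events = {e.eid: e for e in log}
    findings = []
    for src_id, targets in propagation_graph(build_flows(log)).items():
        src = events[src_id]
        for dst_id in sorted(targets):
            dst = events[dst_id]
            for rule in rules:
                if (src.activity, dst.activity) != (rule.source_activity, rule.target_activity):
                    continue
                if rule.constraint(src, dst) and not rule.exception(src, dst):
                    findings.append((rule.name, src_id, dst_id))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(LOG):
        print(finding)
```

The separation-of-duties rule fires on e1 to e3 even though alice's invoice passed through bob's review first, because the propagation graph follows the data rather than only adjacent events. Note that this checker is allow-by-default, as the text says of the policy language: a requirement such as "no flow may reach send_external except from approve_invoice" cannot be written as one rule here and would have to be approximated by enumerating every forbidden source activity.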
6. References
[1] Accorsi, R., Wonnemann, C., & Stocker, T. (2011). Towards forensic data flow analysis of business process logs. IT Security Incident Management & IT Forensics.
[2] Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing. University of California at Berkeley.
[3] Beebe, N. (2009). Digital Forensic Research: The Good, the Bad and the Unaddressed. Advances in Digital Forensics V, IFIP AICT 306, pp. 17-36.
[4] Birk, D. (n.d.). Technical Challenges of Forensic Investigations in Cloud Computing Environments. Retrieved April 8, 2011, from http://www.zurich.ibm.com/~cca/csc2011/submissions/birk.pdf
[5] Buchanan, W. J., Macfarlane, R. J., Flandrin, F., Graves, J., Buchanan, B., Fan, L., et al. (2011). Cloud-based Digital Forensics Evaluation Test (D-FET) Platform. Cyberforensics.
[6] Garfinkel, S. L. (2010). Digital forensics research: the next 10 years. Digital Forensics Research Workshop.
[7] Marty, R. (2011). Cloud Application Logging for Forensics. SAC.
[8] National Institute of Standards and Technology. (n.d.). The NIST Definition of Cloud Computing. Retrieved April 28, 2011, from http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
[9] Roussev, V., & Richard, G. G. (2004). Breaking the performance wall: the case for distributed digital forensics. Proceedings of the Fourth Digital Forensic Research Workshop.
[10] Roussev, V., Wang, L., Richard, G., & Marziale, L. (2009). A Cloud Computing Platform for Large-Scale Forensic Computing. Advances in Digital Forensics V, IFIP AICT 306, pp. 201-214.
[11] VMware Supports the Largest Number of Guest Operating Systems. (n.d.). Retrieved April 12, 2011, from http://www.vmware.com/technical-resources/advantages/guest-os.html