Studying copy-on-read and copy-on-write techniques on block device level to aid in large environment forensics

Similar documents

LiveBackup. Jagane Sundar

DACSA: A Decoupled Architecture for Cloud Security Analysis

Using GitHub for Rally Apps (Mac Version)

Intro to Docker and Containers

Windows Live Messenger Forensics: Contact List Artefacts. Dennis Cortjens

Distributed Databases

System Acquisition Security Risk Survey for Service Providers

Developing tests for the KVM autotest framework

Introduction to Version Control with Git

Digital Forensics for IaaS Cloud Computing

OpenStack Private Cloud

Cloud Attached Storage

Introduction to the Git Version Control System

Determining VHD s in Windows 7 Dustin Hurlbut

GPFS-OpenStack Integration. Dinesh Subhraveti IBM Research

Embracing Cloud for Efficient Development

Bellevue University Cybersecurity Programs & Courses

Guide to Computer Forensics and Investigations, Second Edition

Using the Coherence Cloud Service

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

Developer Workshop Marc Dumontier McMaster/OSCAR-EMR

Forensically Determining the Presence and Use of Virtual Machines in Windows 7

Version Control for Computational Economists: An Introduction

How to Create a Free Private GitHub Repository Educational Account

The Porticor Virtual Private Data solution includes two or three major components:

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

Developer support in a federated Platform-as-a-Service environment

LARGE-SCALE DATA STORAGE APPLICATIONS

Article. Robust Signature Capture Using SigPlus Software. Copyright Topaz Systems Inc. All rights reserved.

Tivoli Storage Flashcopy Manager for Windows - Tips to implement retry capability to FCM offload backup. Cloud & Smarter Infrastructure IBM Japan

Oracle Cloud Storage and File system

Digital Forensics at the National Institute of Standards and Technology

DevOps Course Content

MSc Computer Security and Forensics. Examinations for / Semester 1

SPICE and desktop virtualization

Advanced Computing Tools for Applied Research Chapter 4. Version control

Sparx Systems Enterprise Architect Cloud-based repository hosting

Xopero Backup Build your private cloud backup environment. Getting started

Using the IPMI interface

Many projects, one code

NIST CFTT: Testing Disk Imaging Tools

Work. MATLAB Source Control Using Git

Zumastor Linux Storage Server

Unidata Cloud-Related Activities. Unidata Users Committee Meeting September 2014 Ward Fisher

KEY TRENDS AND DRIVERS OF SECURITY

Client Side Filter Enhancement using Web Proxy

Future Threat Landscape - How will technology evolve and what does it mean for cyber security?

DELIVERABLE. Europeana Cloud: Unlocking Europe s Research via The Cloud. Deliverable D2.1 Development Environment

Live View. A New View On Forensic Imaging. Matthiew Morin Champlain College

Provide a cost effective Data Backup & Storage Solution for SME Clients. Allow Clients to have total confidence in their Data Solutions.

Version control systems. Lecture 2

REQUIREMENTS LIVEBOX.

CYCLOPS. A Charging platform for OPenStack CLouds. Piyush Harsh. June 10, Institute of Applied Information Technology

D3.1: Operational SaaS Test lab

Computer Forensics. Securing and Analysing Digital Information

Shapes in the Cloud: Defining Unidata s Efforts. Strategic Advisory Committee October 2014 Ward Fisher

Platform as a Service and Container Clouds

Remote Access. Connecting to your computer from home

Digital Forensics. Module 4 CS 996

Efficient Integrity Checking Technique for Securing Client Data in Cloud Computing

Subject: Request for Information (RFI) Franchise Tax Board (FTB) Security Information and Event Management (SIEM) Project.

Workshop on High Performance Computing for Science and Applications for Academic Development

Active Directory Integration OID & AD in Harmony. Ray Tindall SAGE Computing Services

Guidelines on Digital Forensic Procedures for OLAF Staff

WhatsApp Database Encryption on Android and BlackBerry Project Plan. D. Cortjens A. Spruyt F. Wieringa

Panasonic Digital Signage Solutions The right partner for system design and deployment

Web/Cloud based CATI using quexs

EnCase Endpoint Investigator Fundamentals 5/25/2016

Maximizing Configuration Management IT Security Benefits with Puppet

NAS 221 Remote Access Using Cloud Connect TM

Mobilize workforce using Fiori apps: Graybar Story

Software Cost. Discounted STS Rate Units Total $0.00 $0.00 $0.00 $0.00 Total $0.00

CA DLP. Stored Data Integration Guide. Release rd Edition

Workshop on Cloud Services for File Synchronisation and Sharing NOV 2014

Live System Forensics

By: Magiel van der Meer. Supervisors: Marc Smeets Jeroen van der Ham

AC : A VIRTUALIZED NETWORK TEACHING LABORATORY

Oracle Enterprise Manager

The George E. Brown, Jr. Network for Earthquake Engineering Simulation. NEES Experimental Site Backup Plan at

Electronic evidence: More than just a hard drive. March 2015 Publication No

Challenges of the HP Business Appliance (BI)

Privacy-Preserving Distributed Encrypted Data Storage and Retrieval

My Scale Just Told the Cloud I m Fat Access Management, Security, Privacy and IOT

SURFsara HPC Cloud Workshop

Survey of the Operating Landscape Investigating Incidents in the Cloud

COMPARISON BETWEEN CLOUD AND ON- SITE BUSINESS PHONE SYSTEM

Networks and Services

Using Microsoft Azure for Students

Dry Dock Documentation

Deploying Splunk on Amazon Web Services

How To Install Project Photon On Vsphere 5.5 & 6.0 (Vmware Vspher) With Docker (Virtual) On Linux (Amd64) On A Ubuntu Vspheon Vspheres 5.4

Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit.

Secure Cloud and Remote Service Connections for AllJoyn Applications

Integrated version control with Fossil SCM

Understand State Information in Web Applications

Sheepdog: distributed storage system for QEMU

Version Control. Version Control

Transcription:

Studying copy-on-read and copy-on-write techniques on block device level to aid in large environment forensics E. van den Haak System and Network Engineering University of Amsterdam Master Thesis, July 2014 Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 1 / 21

Background Forensics on cloud solutions and large environments Sheer volume of data (Remote) Acquisition is very hard Making a copy of all data is impossible Making data available remotely is a long procedure Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 2 / 21

Concept Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 3 / 21

Research Focus on server block device level Copy only relevant data to local storage Copy-on-Read Enable live forensics without interfering with original block device Copy-on-Write Important aspects Data integrity Reproducible Storable Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 4 / 21

Research What is a good way to mount block devices read only and store read and changed data in separate sparse files? What methods exist that allow copy-on-write and copy-on-read on block device level? Can these methods be effectively used to do remote data acquisition while storing read- and changed data locally? If necessary, how can an existing method be modified in order to meet the requirements of this research? Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 5 / 21

Related Research Forensic mount tool Xmount[1] NIST Cloud Computing Forensic Science Challenges[2] Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 6 / 21

Existing methods Methods that either support copy-on-read or copy-on-write Xmount Fusecow Bcache Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 7 / 21

Ideal situation Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 8 / 21

Proof of concept 1 Both Xmount and Fusecow Open source C GPL Scope Copy-on-read file Read only feature 1 Sources on github[3] Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 9 / 21

Detailed concept Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 10 / 21

Copy-on-write implementation (existing) write(3,x); write(d,z); write(8,y) Fusecow has two separate files Xmount puts bitmap into header of CoW file Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 11 / 21

Copy-on-read implementation read(1); read(e); read(3) Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 12 / 21

Copy-on-read implementation remount Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 13 / 21

Test setup Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 14 / 21

Test setup Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 15 / 21

Second test setup Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 16 / 21

Results QEMU Fusecoraw works flawless DD Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 17 / 21

Results QEMU Fusecoraw works flawless Xmount has trouble remounting as it performs lots of tests DD Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 17 / 21

Results QEMU Fusecoraw works flawless Xmount has trouble remounting as it performs lots of tests For now Read only or Copy-on-Read file as Copy-on-Write file DD Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 17 / 21

Results QEMU DD Fusecoraw works flawless Xmount has trouble remounting as it performs lots of tests For now Read only or Copy-on-Read file as Copy-on-Write file Requires future work Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 17 / 21

Results QEMU DD Fusecoraw works flawless Xmount has trouble remounting as it performs lots of tests For now Read only or Copy-on-Read file as Copy-on-Write file Requires future work Both techniques work as expected, hashes match. Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 17 / 21

Conclusion Both proof-of-concepts perform a good job Remounting writable works only with Fusecoraw No issue for current concept Read data is persistent Fusecoraw recommended if writable remounting is desired Xmount recommended if not Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 18 / 21

Future Research Fusecoraw Xmount Integrate in concept Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 19 / 21

Questions? Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 20 / 21

References Gillen Daniel. xmount, 2008. https://www.pinguin.lu/index.php. NIST Cloud Computing Forensic Science Working Group. Nist cloud computing forensic science challenge (draft), 2014. http://csrc.nist.gov/publications/drafts/nistir-8006/ draft_nistir_8006.pdf. Eric van den Haak. Evdh s git repository, 2014. https://github.com/evdh-nl. Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 21 / 21