A VIRTUAL DIGITAL FORENSICS LABORATORY



Similar documents
Networking Topology For Your System

The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Block based, file-based, combination. Component based, solution based

Scalability in Log Management

Hitachi Virtual Storage Platform Family: Security Overview. By Hitachi Data Systems

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

QRadar Security Intelligence Platform Appliances

EVOLUTION OF NETWORKED STORAGE

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Building A Secure Microsoft Exchange Continuity Appliance

Enterprise Data Protection

The Bomgar Appliance in the Network

1 Product. Open Text is the leading fax server vendor in the world. *

Stateful Inspection Technology

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Deploying in a Distributed Environment

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Websense Support Webinar: Questions and Answers

ADDING STRONGER AUTHENTICATION for VPN Access Control

GMI CLOUD SERVICES. GMI Business Services To Be Migrated: Deployment, Migration, Security, Management

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

GE Measurement & Control. Cyber Security for NEI 08-09

Virtual SAN Design and Deployment Guide

Lab Developing ACLs to Implement Firewall Rule Sets

Overcoming Security Challenges to Virtualize Internet-facing Applications

BEST PRACTICES GUIDE: Nimble Storage Best Practices for Scale-Out

L-Series LAN Provisioning Best Practices for Local Area Network Deployment. Introduction. L-Series Network Provisioning

Getting on the Road to SDN. Attacking DMZ Security Issues with Advanced Networking Solutions

Executive Brief for Sharing Sites & Digital Content Providers. Leveraging Hybrid P2P Technology to Enhance the Customer Experience and Grow Profits

Virtualized Network Services SDN solution for enterprises

Network Virtualization

Benefits of virtualizing your network

ADVANCED NETWORK CONFIGURATION GUIDE

Virtualized Security: The Next Generation of Consolidation

Selecting a Firewall Gilbert Held

How To Create A Large Enterprise Cloud Storage System From A Large Server (Cisco Mds 9000) Family 2 (Cio) 2 (Mds) 2) (Cisa) 2-Year-Old (Cica) 2.5

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

VERITAS Backup Exec 9.0 for Windows Servers

Optimizing Large Arrays with StoneFly Storage Concentrators

Broadband Bonding Network Appliance TRUFFLE BBNA6401

Best Practices: Implementing Large Scale Collections with F- Response

Virtualized Network Services SDN solution for service providers

Improving Network Efficiency for SMB Through Intelligent Load Balancing

Windows TCP Chimney: Network Protocol Offload for Optimal Application Scalability and Manageability

White paper. Keys to SAP application acceleration: advances in delivery systems.

How Cisco IT Uses SAN to Automate the Legal Discovery Process

Cloud Security Best Practices

Network System Design Lesson Objectives

Observer Probe Family

Traditionally, a typical SAN topology uses fibre channel switch wiring while a typical NAS topology uses TCP/IP protocol over common networking

IBM Global Technology Services March Virtualization for disaster recovery: areas of focus and consideration.

Virtual Machine in Data Center Switches Huawei Virtual System

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Retention & Destruction

VMware vcloud Networking and Security Overview

Cisco Application Networking for IBM WebSphere

Next Generation Network Firewall

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

Achieving High Availability & Rapid Disaster Recovery in a Microsoft Exchange IP SAN April 2006

Security Design.

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Achieving PCI-Compliance through Cyberoam

BlackRidge Technology Transport Access Control: Overview

redcoal SMS for MS Outlook and Lotus Notes

M.Sc. IT Semester III VIRTUALIZATION QUESTION BANK Unit 1 1. What is virtualization? Explain the five stage virtualization process. 2.

Broadband Bonding Network Appliance TRUFFLE BBNA6401

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Emerson Smart Firewall

Whitepaper. Controlling the Network Edge to Accommodate Increasing Demand

Big data management with IBM General Parallel File System

Truffle Broadband Bonding Network Appliance

Andrew McRae Megadata Pty Ltd.

Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems Improve Processes...

AT&T activearc unified IP data solution

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Ranch Networks for Hosted Data Centers

Lecture 02b Cloud Computing II

Intel DPDK Boosts Server Appliance Performance White Paper

TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing

Driving Down the Cost and Complexity of Application Networking with Multi-tenancy

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

ROGERS DELIVERS THE SPEED, POWER AND RELIABILITY OF FIBRE RIGHT TO YOU.

WHITE PAPER. Extending Network Monitoring Tool Performance

TECHNICAL WHITEPAPER. Author: Tom Kistner, Chief Software Architect. Table of Contents

Achieving Mainframe-Class Performance on Intel Servers Using InfiniBand Building Blocks. An Oracle White Paper April 2003

VXLAN: Scaling Data Center Capacity. White Paper

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

Security Technology: Firewalls and VPNs

Designing a Windows Server 2008 Applications Infrastructure

Transcription:

Chapter 8 A VIRTUAL DIGITAL FORENSICS LABORATORY Philip Craiger, Paul Burke, Chris Marberry and Mark Pollitt Abstract This paper discusses the concept of a virtual digital forensic laboratory, which incorporates networked examination and storage machines, secure communications, multi-factor authentication, role-based access control, and case management and digital asset management systems. Laboratory activities such as the examination, storage and presentation of digital evidence can be geographically distributed and accessed over a network by users with the appropriate credentials. The advantages of such a facility include reduced costs through shared resources and the availability of advanced expertise for specialized cases. Keywords: Virtual laboratory, virtualization, storage area network 1. Introduction The collection, storage, examination and presentation of digital evidence typically occur in centralized laboratories. This is an inefficient model in that law enforcement agencies duplicate resources that are available elsewhere. A modest laboratory can cost tens of thousands of dollars, even more when the costs of computers, storage, forensic tools and training are considered. The validation of forensic tools also poses problems. Proper forensic procedures require that the tools used in examinations be continually validated. Unfortunately, most examiners may not have the expertise to perform hardware and software validation. Additionally, there is a tremendous amount of duplication if every examiner has to validate the same tools. Digital forensics laboratories of the future will be virtual in nature they will not be limited by geographic boundaries. This paper proposes the concept of a virtual digital forensics laboratory (VDFL).

116 ADVANCES IN DIGITAL FORENSICS IV Figure 1. Virtual digital forensics laboratory. The proposal builds on previous work (e.g., [1]) by decentralizing forensic functionality while providing security and quality management processes. The virtual laboratory incorporates storage area network (SAN) [7, 10] and virtualization [3, 4, 8, 9] technologies, forensic tools and security mechanisms to create a robust alternative to a physical laboratory. Such a laboratory will reduce the duplication of resources and tasks, provide law enforcement agents with cutting-edge tools, resources and expertise, and lower the cost of forensic examinations. 2. Virtual Laboratory Overview The virtual digital forensics laboratory architecture attempts to leverage state-of-the-art networking and digital forensics technologies to support the acquisition, transportation, examination and storage of electronic evidence. This has resulted in somewhat unique problems that, in turn, require unique solutions. Figure 1 presents a schematic diagram of the virtual laboratory. The laboratory provides facilities for examining, storing and presenting electronic evidence. The forensic examination component includes hardware, software and processes associated with the extraction, identifica-

Craiger, Burke, Marberry & Pollitt 117 tion and interpretation of evidence. The storage component incorporates large-scale, redundant magnetic storage that is logically separable by case. The presentation component includes extracted evidence, reports and other relevant information that may be accessed at various levels of detail by authorized parties (investigators, prosecutors, defense attorneys, judges and jury members). The virtual laboratory employs a distributed model, which allows the complete functional separation of components. Each component is tied to the other components via a high-speed network. This approach is used very effectively in data centers, where physical and/or logical components are spread across multiple geographic locations. The first step in defining system requirements is to identify the potential users. The user groups are law enforcement personnel, prosecution and defense attorneys, judges and jury members. Role-based access control allows each user to have the appropriate degree and type of access. For example, a law enforcement agent (examiner) might be granted full read/write access to each subsystem to perform imaging, upload images to long-term storage, conduct examinations of the evidence, and output intermediate results and final reports. Attorneys would not need access to the raw data or to examination tools, only to the intermediate results and final reports. Judges and jury members would only be able to view the final reports containing evidence prepared for trial. Several other issues must be considered when specifying the system requirements. System performance is important in a distributed system because data has to travel over greater distances and on slower links than in a centralized facility. Security is equally important. Imaging, examination, storage and presentation involve machines in multiple locations, but the level of assurance provided must be just as high as that in a physical laboratory. Another issue is system management every system component in every location must be maintained by an administrator who has the appropriate technical expertise and qualifications. The final issue is to create a system that is transparent to end users. Indeed, the system should look, feel and react as if it is a local examination computer. System Performance A virtual system must provide the responsiveness and efficiency of a physical system. Even when high-speed networks are used, the transfer rates of forensic data to a remote location are much slower than the data transfer rates within an average computer, i.e., network speed is much slower than computer bus speed. Furthermore, in a multi-user environment, each data processing component must be capa-

118 ADVANCES IN DIGITAL FORENSICS IV ble of supporting multiple users reliably and with a satisfactory level of responsiveness. Security Security is paramount for a distributed forensic system. The legal requirements for evidence handling must be met, and there should be explicit guarantees about the confidentiality, integrity and availability of all data. The system must incorporate a strong user authentication mechanism, ideally one that relies on multi-factor authentication. The system must logically separate users to ensure that forensic data can only be accessed by authorized individuals. A logging system must be in place to provide accountability for user actions and to track system use because of the sensitive nature of the data and the applicable legal requirements (e.g., evidence handling and chain of custody). System Management System management is not a major concern for the typical forensics examiner. A distributed, multi-user system, however, requires a system administrator with demonstrable technical skills to create users, set access controls, maintain performance requirements, troubleshoot network problems and ensure system integrity. Usability Ease-of-use is also important. A distributed architecture leads to increased complexity for users; this must be addressed by making the system appear cohesive and familiar to all types of users, and by providing adequate documentation and support to ease the transition to a virtual laboratory. Additionally, the system should facilitate information sharing and collaboration. 3. Virtual Laboratory Architecture We have developed a prototype virtual laboratory that meets the requirements described above. However, it is only the laboratory users who are distributed; all the hardware and software components are currently situated in one geographic location. We chose to use a single location initially in order to evaluate the interactions between the hardware and software components, which would be more difficult to accomplish in a distributed environment. After the components are tested individually and as a complete system, the components will be distributed and the virtual laboratory will subsequently be tested. Figure 2 presents the architecture of the virtual laboratory. The examination system uses a virtual machine pool with a variety of operating systems and complete user separation. SAN technology is used for local data storage because it can reliably store case data and is designed to support multiple users simultaneously. Authentication and security

Craiger, Burke, Marberry & Pollitt 119 Figure 2. Virtual digital forensics laboratory architecture. are implemented via a virtual private network (VPN) bound to a multifactor authentication system. The next few sections discuss the design themes pertaining to the prototype laboratory. 3.1 Internal Network A hardware-based firewall is used to control and filter inbound and outbound traffic. A gigabit Ethernet switch is used for internal network traffic. Multiple virtual LANs (VLANs) are employed on the switch to logically and securely segment management and user traffic. The switch also provides access control. Specifically, every port is configured to only accept connections from predefined hardware; this prevents a rogue user with physical access from connecting to the internal network. 3.2 Authentication and Access Control The virtual laboratory uses multi-factor authentication and multiple access control techniques. Remote access to the network is controlled via

120 ADVANCES IN DIGITAL FORENSICS IV two methods. One is a hardware-based VPN appliance that uses twofactor authentication (username/password and hardware token). The other is IP-based authentication that allows access to users from a predetermined list of static IP addresses. Using these two methods in combination reduces the potential for system compromise [5]. Users connected to the internal network access their personalized workspace (e.g., user preferences, software and casework) using the same two-factor authentication mechanism. User authentication and access control are handled by a central management (LDAP) directory running on a non-virtualized system. 3.3 Virtualization The VDFL has a pool of physical servers that host a number of virtual machines (Figure 2). These virtual machines are used by examiners to operate on the data stored in the SAN. Virtualization software was chosen instead of separate physical machines for several reasons. Virtualization allows for the logical separation of users. It reduces costs by consolidating hardware; also, deployment time is decreased because the virtual machine hardware is standardized. Moreover, virtualization allows administrators to move active virtual machines in the pool of host servers in real time to improve system performance and reliability. 3.4 Forensic Tools Examiners using the virtual laboratory would have access to a variety of commercial and open source forensic tools running under virtual machines. Access would be available to multiple operating systems and related tools based on examination needs. Note that access control is role-based and determined by user credentials, not by the particular operating system or tool used. Costs would be reduced because forensic tools would be shared. 3.5 Storage One of the principal issues is to provide an adequate storage pool for users. Another is to maintain satisfactory throughput for multiple simultaneous users. SAN technology was selected for its speed and reliability. Throughput is provided by a fibre channel connection running at 2 Gbps, which offers dedicated bandwidth for multiple users working with large data sets. The SAN is partitioned into various logical storage roles to include virtual machine storage and case data (raw data, intermediate results and presentation data). Logical separation of storage allows access con-

Craiger, Burke, Marberry & Pollitt 121 trols to be applied through the management directory. Law enforcement agencies are often required to retain case evidence for decades. Providing long-term storage is a goal for the virtual laboratory. However, using the SAN for this purpose should be considered carefully along with the possibility of using other archiving technologies. 3.6 Internal Network Security Security is an integral part of the virtual laboratory architecture because of the sensitivity of the data and the requirements imposed by federal and state laws. Every component must be secured using applicable procedures and best practices [6]. Also, extensive logs must be maintained of user access and resource utilization. The current design uses segmented logging channels (separate from those used by the main network traffic) to send data to a central logging server. 4. Challenges Several challenges were encountered while designing and implementing the virtual laboratory. A major challenge was the inability of the current configuration to support the uploading of large data sets. This was largely due to the limited bandwidth available for consumer-level Internet connections. A promising solution is to use a high-speed network (e.g., Internet 2 Abilene/Florida LambdaRail [2]). Another challenge is posed by popular forensic examination suites that rely on physical hardware locks (typically a USB key or dongle ). Mapping and managing these dongles to individual virtual machines are problematic due to various physical and logical constraints (e.g., mapping identically-named devices to their virtual machines and coping with physical limitations of the available ports to connect these devices). A promising solution is to use special connectivity software that would allow a dongle to be remotely connected to a local virtual machine. This software would also enable users to use their own dongles and the virtual laboratory to host dongles. Ultimately, however, the principal challenge is to address cultural and political barriers to the use of hardware and software resources located outside the local law enforcement agency jurisdiction. Furthermore, even if state-of-the-art technologies and best practices are employed to maintain the confidentiality, integrity and availability of digital evidence in the virtual laboratory environment, questions will persist. All the stakeholders law enforcement agents, attorneys, judges and juries will have to be educated about the benefits of the laboratory and the proper use of its facilities.

122 ADVANCES IN DIGITAL FORENSICS IV 5. Conclusions A virtual digital forensics laboratory is not limited by geographic boundaries it decentralizes forensic functionality while providing security and quality management processes. As such, it would reduce the duplication of resources and tasks, provide law enforcement agents with cutting-edge tools, resources and expertise, and lower the cost of forensic examinations. Practically every crime now involves some aspect of digital evidence and the volume of digital evidence is growing faster than the ability of law enforcement to process it. Several challenges remain to be addressed before virtual digital forensics laboratories can become operational, let alone thrive. Nevertheless, these facilities may be the single best hope for law enforcement agencies to cope with the deluge of digital evidence. Acknowledgements This research was supported by the Electronic Crime Program of the National Institute of Justice under Contract No. 2005-MU-MU-KO44. References [1] M. Davis, G. Manes and S. Shenoi, A network-based architecture for storing digital evidence, in Advances in Digital Forensics, M. Pollitt and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 33 42, 2005. [2] Florida LambdaRail, Florida s Research and Education Network (www.flrnet.org). [3] International Business Machines, IBM Systems Virtualization (Version 2, Release 1), Armonk, New York, 2005. [4] N. McAllister, Server virtualization, InfoWorld, February 12, 2007. [5] V. Mukhin, Multi-factor authentication as a protection mechanism in computer networks, Cybernetics and Systems Analysis, vol. 35(5), pp. 832 835, 1999. [6] National Security Agency, NSA Security Configuration Guides, Fort Meade, Maryland (www.nsa.gov/snac), 2005. [7] B. Phillips, Have storage area networks come of age? IEEE Computer, vol. 31(7), pp. 10 12, 1998. [8] A. Singh, An Introduction to Virtualization (www.kernelthread.com/publications/virtualization), 2004.

Craiger, Burke, Marberry & Pollitt 123 [9] M. Stockman, J. Nyland and W. Weed, Centrally-stored and delivered virtual machines in the networking/system administration lab, ACM SIGITE Newsletter, vol. 2(2), pp. 4 6, 2005. [10] J. Tate, F. Lucchese and R. Moore, Introduction to Storage Area Networks, IBM Redbooks/Vervante, Rolling Hills Estates, California, 2006.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information