Suntisak Thammavongsa, 28-11-2011
Bachelor of IT (Honours)
Supervised by Dr Raymond Choo, University of South Australia
Investigating a Private Ubuntu Enterprise Cloud

Outline
• Background
• Research Topic
• Research Method
• Research Findings
Background
Cloud Computing
“A whole broad range of IT services as long as those IT services are delivered on demand and they’re delivered elastically in terms of being able to scale out and scale in”, as defined by Dasmalchi (2010)
Background
Traditional Physical Hosting
Diagram: the Internet connected to separate physical servers: Web 1, Web 2, Directory, File and Database.
Background
Private Cloud
Diagram: the Internet connected to a Cloud Controller backed by a Database and Centralized Data Storage, hosting the virtual servers Web 1, Web 2, Web 3, Directory 1, Directory 2, CRM, APP, DHCP, Email and DNS.

Background
Private Cloud (after scaling out)
Diagram: the same Cloud Controller, Database and Centralized Data Storage now hosting Web 1, Web 2, Web 3, Directory 1, Directory 2, CRM 1, CRM 2, APP 1, APP 2, Email 1, Email 2, DNS and DHCP.
Background
Digital Forensics
“The process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”, as defined by McKemmish (1999)

Background
Digital Forensics
Primary questions
• What happened?
• When did it happen?
• How did it happen?
• Who was involved?
Research Topic
Investigate a private Ubuntu Enterprise Cloud v10.10 powered by Eucalyptus open source edition v2.0
• SRQ1: What are the artefacts of interest?
• SRQ2: How to recover deleted artefacts?
• SRQ3: What are other sources of evidence?
Research Method
Desk-based
• A more comprehensive literature review
• To gain a deeper understanding of how the technology works
Laboratory-based
• Build a dual-node private cloud
• Generate text files for a data recovery experiment
Research Findings
Eucalyptus Architecture
Diagram: a Cloud Controller (CLC) and a Walrus Storage Controller (WS3) at the top; beneath them two clusters, each made up of a Cluster Controller (CC), a Block Storage Controller (EBS) and three Node Controllers (NC); one CC is attached to a Storage Server over iSCSI.
Research Findings
SRQ1: What are the artefacts of interest?
Linux system artefacts on Eucalyptus controllers
• SWAP space under /proc
• Linux logs under /var
• Temporary files under /tmp
Research Findings
SRQ1: What are the artefacts of interest?
Eucalyptus logs
• Cluster Controller (CC): cc.log, httpd-cc_error.log, registration.log
• Node Controller (NC): nc.log, httpd-nc_error.log, euca_test_nc.log
• Cloud Controller (CLC): cloud-debug.log, cloud-error.log, cloud-output.log, axis2c.log
• Elastic Block Storage Controller (EBS): sc-state.log, registration.log
• Walrus Storage Controller (WS3): walrus-state.log, registration.log
Research Findings
SRQ1: What are the artefacts of interest?
Eucalyptus essential files
• Cloud Controller (CLC): $EUCALYPTUS/etc/eucalyptus.conf, $EUCALYPTUS/var/lib/eucalyptus/db, $EUCALYPTUS/var/lib/eucalyptus/keys
• Elastic Block Storage Controller (EBS): $EUCALYPTUS/var/lib/eucalyptus/bukkits
• Walrus Storage Controller (WS3): $EUCALYPTUS/var/lib/eucalyptus/volumes
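The two slides above name the Eucalyptus logs and essential files per controller role; the script below is an added example (not part of the presentation or of Eucalyptus itself) of the first thing an examiner would run against a read-only mounted forensic copy of one controller: walk the named locations, hash every file, and record which expected artefacts are absent, so the inventory and its gaps are documented before any recovery work starts. It assumes $EUCALYPTUS expands to "/" (as on a package install), that the logs live under var/log/eucalyptus (the slides give file names only), and it builds a constructed throwaway directory with placeholder contents so it can run offline; the file name example-key.pem and the log contents are invented for the demonstration.

```python
"""Inventory and hash the Eucalyptus artefacts named on the slides.

Added example, not from the original presentation. Assumptions: the image is
mounted read-only at the path passed to collect(); $EUCALYPTUS is "/"; the
named logs sit under var/log/eucalyptus. Roles follow the slides.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

EUCA_LOG_DIR = "var/log/eucalyptus"  # assumption: slides give names, not a path
EUCA_LOGS = {
    "CLC": ["cloud-debug.log", "cloud-error.log", "cloud-output.log", "axis2c.log"],
    "CC": ["cc.log", "httpd-cc_error.log", "registration.log"],
    "NC": ["nc.log", "httpd-nc_error.log", "euca_test_nc.log"],
    "EBS": ["sc-state.log", "registration.log"],
    "WS3": ["walrus-state.log", "registration.log"],
}
# Directories and files exactly as the slides assign them to each role.
EUCA_ESSENTIAL = {
    "CLC": ["etc/eucalyptus.conf", "var/lib/eucalyptus/db", "var/lib/eucalyptus/keys"],
    "EBS": ["var/lib/eucalyptus/bukkits"],
    "WS3": ["var/lib/eucalyptus/volumes"],
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file: volume and image files can be many gigabytes."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def artefact_paths(role: str) -> list:
    """Relative paths under the image root that the slides name for this role."""
    logs = ["%s/%s" % (EUCA_LOG_DIR, name) for name in EUCA_LOGS.get(role, [])]
    return logs + EUCA_ESSENTIAL.get(role, [])


def collect(mount_point: str, role: str) -> dict:
    """Return {"role", "present": {relpath: sha256}, "missing": [relpath]}."""
    root = Path(mount_point)
    present, missing = {}, []
    for rel in artefact_paths(role):
        target = root / rel
        # Symlinks are reported, never followed: a link on a seized image could
        # point outside the mount and contaminate the inventory.
        if target.is_symlink() or not target.exists():
            missing.append(rel)
            continue
        if target.is_file():
            files = [target]
        else:
            files = []
            for dirpath, _dirs, names in os.walk(target):  # followlinks=False
                files += [Path(dirpath) / n for n in names]
            files = sorted(p for p in files if p.is_file() and not p.is_symlink())
        for f in files:
            present[f.relative_to(root).as_posix()] = sha256_file(f)
    return {"role": role, "present": present, "missing": missing}


def write_manifest(result: dict, out_path: str) -> str:
    """Write the inventory as JSON; the returned hash of the manifest itself is
    what goes into the contemporaneous notes."""
    data = json.dumps(result, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return sha256_bytes(data)


# Constructed sample data (not real Eucalyptus output) so the block runs offline.
SAMPLE_CC_LOG = b"[constructed] cc.log line 1\n[constructed] cc.log line 2\n"
SAMPLE_KEY = b"-----BEGIN PLACEHOLDER-----\nnot a real key\n-----END PLACEHOLDER-----\n"


def build_sample_image() -> str:
    """Lay out a throwaway directory resembling part of a CC/CLC image."""
    root = Path(tempfile.mkdtemp(prefix="euca-img-"))
    (root / EUCA_LOG_DIR).mkdir(parents=True)
    (root / EUCA_LOG_DIR / "cc.log").write_bytes(SAMPLE_CC_LOG)
    (root / EUCA_LOG_DIR / "registration.log").write_bytes(b"[constructed] registered\n")
    keys = root / "var/lib/eucalyptus/keys"
    keys.mkdir(parents=True)
    (keys / "example-key.pem").write_bytes(SAMPLE_KEY)
    try:  # a link escaping the image must be skipped, not hashed
        os.symlink("/etc/hostname", keys / "escape-link")
    except (OSError, NotImplementedError):
        pass
    return str(root)


if __name__ == "__main__":
    img = build_sample_image()
    for role in ("CC", "CLC"):
        res = collect(img, role)
        print(role, "present:", len(res["present"]), "missing:", res["missing"])
        print("manifest sha256:", write_manifest(res, os.path.join(img, role + ".json")))
```

Run it with the mount point of the controller image instead of the sample directory; the "missing" list is as useful as the hashes, since an absent registration.log or keys directory on a controller that should have one is itself a finding worth recording.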
Research Findings
SRQ1: What are the artefacts of interest?
Virtual machine files
• VM images & associated XML files on WS3
• Virtual hard disk files on NC
User data files
• User persistent data volumes on EBS
• Snapshots of volumes on WS3
Research Findings
SRQ2: How to recover deleted artefacts?
• The process would be the same as the process in traditional physical hosting
• Each Eucalyptus controller is essentially a standard Linux server with Eucalyptus software
• Data files are stored on EXT4
Research Findings
SRQ2: How to recover deleted artefacts?
If a forensic copy of the local storage of each Eucalyptus controller can be acquired, current forensic tools like EnCase can access and recover the following deleted files:
• Linux system artefacts on Eucalyptus controllers
• Eucalyptus logs
• Eucalyptus essential files
• VM images & associated XML files on WS3
• Virtual hard disk files on NC
• Snapshots of volumes on WS3
Research Findings
SRQ2: How to recover deleted artefacts?
User data files on EBS volumes
• Data files may be stored in different filesystems
• The underlying hardware storage technology could be NAS, SAN, etc.
Research Findings
SRQ2: How to recover deleted artefacts?
Artefacts inside virtual machines
• Use the VM ID to track down the NC
• Recover the virtual hard disk files
• Recover deleted files on the virtual hard disk files
Research Findings
Summary of additional challenges
• Virtualization
• Dynamic nature of resource usage
• Increased number of nodes involved
• Centralised data storage
Research Findings
SRQ3: What are some other sources of evidence?
• Client side investigation: VNC, RDP, SSH, FireFox, etc.
• Live investigation: EnCase Enterprise, virtual introspection
• Network level monitoring: IDS, firewall, WAF, etc.
Thank you