
Investigating a Private Ubuntu Enterprise Cloud

Minor Thesis

Bachelor of Information Technology (Honours)

SuntisakThammavongsa

100093531

30 October 2011

Supervised by Dr. Raymond Choo

School of Computer and Information Science

University of South Australia

Disclaimer

I declare all the following to be my own work, unless otherwise referenced, as defined by the University of South Australia's policy on plagiarism. The University of South Australia's policy on plagiarism can be found at http://www.unisa.edu.au/policies/manual/default.asp

Acknowledgement

I would like to express my sincere gratitude to my supervisor Dr. Raymond Choo for your expert advice and guidance, your attention and patience throughout this research project. I wouldn’t have completed this thesis without your help.

I would also like to thank Ben Martini for your generous support during the practical experiment phase.

Finally, I would like to extend my thanks to Dr. Ivan Lee, Phillip Lock, Helen Ashman, Dr. Jill Slay, and Matthew Simon for your advice and guidance at the beginning of this journey.

Abstract

Recently, the term “cloud computing” has come to the attention of many people as major technology companies such as Amazon, Google, Microsoft and Apple are now offering cloud computing services. Many believe that cloud computing will become the next mainstream architecture of corporate information systems in the near future for various beneficial reasons, including cost savings and improved business outcomes. Meanwhile, digital forensics, as part of many organizations’ security strategies, will need to be enhanced and continue to evolve so that forensic investigators can respond to crimes that involve the use of cloud computing. As cloud computing is relatively new, published literature concerning a forensic analysis of a specific cloud computing technology is still rare. This type of literature is very useful for investigators working on specific cloud forensic cases because it can provide a more in-depth analysis of a particular cloud computing implementation, as opposed to literature that addresses the cloud computing forensic domain in general. In this paper, we aim to provide a forensic analysis of a specific private cloud computing technology. Among the many competing cloud computing platforms on the market, Eucalyptus is one of the most popular open source cloud computing technologies; it enables organizations to take advantage of cloud computing behind their own firewall, which is known as a private cloud. In our research, we used Ubuntu Enterprise Cloud (UEC) version 10.10 powered by Eucalyptus version 2.0. With the benefit of having physical access to the datacentre, our findings have shown that usage activities of the private cloud can be traced through a number of system artefacts on the cloud core elements. Our practical experiment has also demonstrated that it is possible to recover deleted artefacts inside virtual machines after they have been deleted by the hypervisor. However, certain characteristics of the Eucalyptus private cloud implementation could limit the evidence acquisition capability.

Table of Contents

1 Overview
1.1 Introduction
1.2 Contribution
1.3 Research Question
2 Literature Review
2.1 Digital Forensics
2.2 Cloud Computing
2.3 Cloud Forensics
2.4 Related Works
2.5 Summary of Literature Review
3 Research Method
3.1 Desk-based
3.2 Laboratory-based
3.3 Research Outcome
3.4 Research Schedule
4 Eucalyptus Private Cloud Analysis
4.1 Architecture Overview
4.1.1 Cloud elements
4.1.2 Networking features
4.2 Identifying Artefacts of Interest
4.2.1 Linux system artefacts
4.2.2 Eucalyptus specific artefacts
4.2.3 VM Artefacts and User Persistent Data
4.3 Recovering deleted artefacts
4.3.1 Host System Artefacts
4.3.2 User Persistent Data
4.3.3 VM Images
4.4 Other potential Sources of Evidence
4.4.1 Client Side Investigation
4.4.2 Live Investigation
4.4.3 Network Level Monitoring
5 Conclusion
5.1 Summary of Research Findings
5.2 Limitations
5.3 Future works
Appendix A – EnCase’s Full Virtual Disk Report
Appendix B – EnCase’s Recovered Deleted File Report
Glossary
References

1 Overview

1.1 Introduction

In the traditional physical hosting model, server applications run on their own dedicated physical servers. One of the main disadvantages of this traditional architecture is that the system has to be designed to meet a predicted peak workload from the outset, which can be a costly solution and result in underutilization of resources for most of the system’s operating life (Aerdts 2009). With the introduction of cloud computing, IT resources can be scaled up and shrunk down far more easily to meet changing demand. This agility enables organizations to use their resources much more efficiently. For example, in a public cloud environment, data from different clients can be hosted on separate virtual machines that reside in the same physical datacentre provided by the cloud service provider. In such a setting (known as multi-tenancy), software applications running in one virtual machine should not be able to impact or influence software running in another virtual machine, and an individual virtual machine should be unaware of the other virtual machines running in the environment (Choo 2010). Multi-tenancy, however, can have the unintended consequence that a seizure of hardware by law enforcement agencies disrupts the continuity of the businesses whose data and information are hosted on the seized hardware (Choo 2010); business continuity is one of the key risk areas identified by the Australian Government Information Management Office (2011).

Since cloud computing has certain unique characteristics that make the forensic investigation of cloud computing systems distinct from that of traditional computing systems, cloud forensics is becoming an emerging specialized area of digital forensics. Even though cloud computing may be deployed as a private IT system or as a public one that provides various services to external individuals and organizations, we have narrowed our research down to a single private cloud computing platform. The focus will be on one of the most popular open source private cloud implementations, Eucalyptus, which stands for Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems. Eucalyptus supports the most widely adopted industry standard application programming interface (API), the one used by Amazon for its public cloud services. This means that users can take advantage of existing tools designed for Amazon Web Services and create virtual machine images that will run on both systems (Claybrook 2011). Eucalyptus can be installed on numerous Linux distributions, but we will be investigating Ubuntu Enterprise Cloud (UEC), which is powered by Eucalyptus v2.0 as of UEC v10.10, to build a dual node private cloud for our study. This pre-integrated cloud operating system enables organizations to easily build their own private cloud systems on their own premises. Although the research is based on UEC, the concepts and theories should apply to other Eucalyptus powered Linux distributions as well. We will divide our research into two parts: desk-based research and laboratory-based research. The desk-based research will help provide an understanding of how Eucalyptus works, what data of forensic value is kept, and where and how that data is stored in the private cloud. Complementing the desk-based research, we will perform laboratory-based research in which we build a dual node private cloud, conduct a hands-on analysis of the system, and try to find answers that we may not be able to find from the desk-based research.


1.2 Contribution

By studying the architecture of a specific open source cloud computing platform and attempting to apply current forensic techniques and tools to an investigation of that platform, this research aims to provide a forensic analysis of a Eucalyptus powered private cloud. More specifically, this paper will help identify the artefacts of interest for a forensic investigation. It will discuss how to recover the artefacts if they are deleted. It will also touch on some additional potential evidence sources other than those that already exist on the core cloud elements. Although the contributed forensic analysis may not have a high level of forensic detail, it is an important step leading to further research on the same or other cloud computing platforms.

1.3 Research Question

How to investigate a Eucalyptus private cloud?

Sub-research question one (SRQ1): What are the artefacts of interest in the cloud?

Sub-research question two (SRQ2): How to recover deleted artefacts in the cloud?

Sub-research question three (SRQ3): What could be other potential sources of evidence to support a private cloud investigation?


2 Literature Review

2.1 Digital Forensics

When crimes involve the use of digital devices in some way, these digital devices can become repositories of information that may be used as evidence to convict persons of crimes. Digital forensics has arisen out of the need to use digital evidence and has since become an essential service for law enforcement in the fight against modern crime.

The forensic investigation process generally consists of the identification, acquisition, preservation, analysis, and presentation of digital evidence. Identification is required to determine the potential sources of evidence (Wiles et al. 2007). For this, the investigator needs to be technically competent in the system under investigation so that the relevant sources of evidence, and the best methods of collecting them, can be identified. The next step is to acquire the identified sources of evidence. In this process, an exact copy of the media that contains the data is made, and the operation must not cause any changes to the original data (Cross 2008). After that, only duplicates of the data are worked on so that the integrity of the acquired data is preserved. Every duplicate has to be authenticated to ensure that it is exactly the same as the original before any analysis work on the duplicate can begin (Cross 2008). Having authenticated the acquired data, the analysis stage may commence. In this stage, the duplicate is inspected and examined for evidence. Finally, the findings of the investigation are presented to a court hearing or other hearing, depending on the case. Menendez and Marcella (2008) highlight the importance of documentation throughout the whole investigation process. The documentation will help demonstrate the credibility of the investigation should the process be called into question.

Since the dawn of digital forensic science, a wide range of software and hardware based forensic tools have been developed to help the investigator analyze and recover deleted data on digital storage media. The tools have given investigators the capability to acquire data in a forensically sound manner, reconstruct the original environment, and search and access data that is visible to the file system, hidden, or even deleted (Cross 2008). Although the tools are not 100% effective in all situations, they are indispensable resources for forensic investigation. Many of these tools were designed for use in the traditional practice known as static analysis, where only non-volatile data is acquired locally after the system has been shut down. With advances in technology and the increased complexity of modern information systems, the traditional practice of static storage analysis may no longer be enough to collect the required evidence, because some important data may only exist in volatile memory (Hay & Nance 2008). Furthermore, gaining physical access to the storage media may not be possible or practical in a timely manner, especially when the machines are in a number of distant remote locations (Philipp, Cowen & Davis 2010). This has prompted a new practice known as live and remote analysis, where data on the target system is collected and analyzed while the system is still online. Live analysis allows investigators to access more data than is available on the non-volatile storage media. This additional data includes running processes, open ports, raw sockets, and live connections (Barrett & Kipper 2010). Several tools have been developed to support this practice. However, with this rather intrusive technique there are several challenges and issues involving the development and use of the tools. There are non-technical issues such as privacy concerns, because user activities are being observed (Philipp, Cowen & Davis 2010). There are also various technical challenges, such as how to reduce the risk of contaminating the evidence and how to avoid being detected on the target system (Hay & Nance 2008).

2.2 Cloud Computing

In the literature, cloud computing is often seen as a new paradigm of computing environment. A cloud system may be briefly described as an elastically scalable computer infrastructure that can deliver a range of IT services on demand to users over a network connection (Grossman 2009). The fundamental idea behind this architectural shift is that advances in virtualization, computer clustering, web services and various network communication technologies have enabled a better way to deploy, share and manage scalable computing resources. This has presented a new business opportunity of offering various innovative computing services such as online applications, remote storage services and compute instances on demand. Depending on the design and the type of cloud system, the most commonly discussed benefits of cloud computing technology include scalable compute resources, quick deployment of new virtual machines, and the portability of online applications, as well as some more controversial advantages such as lower initial capital investment, lower running costs, and better security (Grossman 2009; Sultan 2010).

Cloud computing may deliver services to users in a number of ways: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). SaaS provides users with finished software applications built on a particular cloud platform. Without having to install the application on local computers, users access SaaS applications over the Internet with widely available client software such as a web browser. Examples of SaaS applications include Google Docs and Dropbox. This can be a very convenient service for consumers and even business users because they can access, share and collaborate on files with anyone regardless of their geographic location. The application is always up to date and professionally maintained by the service provider. PaaS enables users to build SaaS applications with the provision of basic operating software and optional services. Google App Engine and Windows Azure are examples of PaaS offerings. This model is highly attractive to big businesses that want to develop their own business software, because it enables them to test and deploy new software faster and at lower cost. In addition, the business applications have the flexibility of allowing users to access them from anywhere with a standard web browser. This lets businesses focus on the things that matter most to their business rather than on IT infrastructure. IaaS provides users with only the underlying infrastructure, including server hardware, storage, bandwidth and other fundamental computing resources. For example, users can rent a machine instance with complete access to all features of the operating system from the Amazon EC2 service. With this model, users can set up a server system with their own operating system, tools and applications of choice that expands when more resources are needed and shrinks back when they are not. They will also be able to manage cost better, as the price is predictable under a service subscription model, while not having to worry about protecting and maintaining expensive physical infrastructure. Cloud computing may also be categorized by deployment model. Cloud systems can be public or private. A public cloud, as the name suggests, is designed to offer services to the general public, whereas a private cloud is used internally by a single organization.

Despite all the widely discussed benefits, cloud computing is not without criticism and concerns. Security, one of the greatest challenges of IT systems, has also had an impact on the adoption of cloud computing, especially migration to a public cloud where data will be kept with the cloud service provider. On the one hand, the provider may have more resources to provide a level of security that may not be financially feasible for small organizations to implement. On the other hand, public cloud systems are usually higher profile targets for hackers because they are simply more rewarding targets. Security may also be harder to maintain as the infrastructure is shared by many organizations. In cloud computing, the resources are shared using virtualization technology, and there are many security challenges in the virtualized environment that need to be addressed. Vulnerabilities in virtualization software may allow a rogue virtual machine to break out of the virtual environment and access the host machine. By exploiting vulnerabilities of the virtual network, the rogue virtual machine may also be able to break the virtual network separation mechanism and perform a number of network attacks on other virtual machines (Wu et al. 2010). Since virtualization is the enabler of cloud computing, virtualization related security issues may be seen as additional security challenges that cloud computing infrastructures have when compared with traditional infrastructures that do not use any virtualization technology.

2.3 Cloud Forensics

When we put digital forensics and cloud computing together, the result may be seen from two different perspectives. Firstly, cloud computing may be used as a technology that enhances forensic capabilities. The virtualization technology used in cloud computing can allow investigators to boot a machine into a virtual environment from a raw disk image file acquired from the physical hard disk of a suspect system (Barrett & Kipper 2010, pp. 83-107). This gives investigators the advantage of being able to view the system from a user-level perspective and perform an examination on the machine while knowing that the original state of the machine can always be rolled back. Another benefit of this method is that the virtual machine can allow investigators to observe activities of malware that may not be seen if the system is not live (John 2009, pp. 229-254). In addition, investigators can also take the same advantage that businesses enjoy, namely the scalability of compute resources, because some forensic investigation tasks do require intensive computing resources. Not only can a large public cloud provide the processing power that an investigator may need, it can also provide storage capacity that is virtually unlimited (Barrett & Kipper 2010, pp. 197-209). Secondly, cloud computing itself may be the target system of a forensic investigation. As there are a number of different types of cloud, the level of complexity and the challenges involved in the investigation will vary. If it is a private cloud, then the system is still owned by an organization and most other aspects of the investigation will be similar to investigating a traditional information system, except that the architecture of the system is now different. This then requires an understanding of the architecture of the cloud technology implemented. However, if it is a public cloud, the situation can be much more challenging. A public cloud is likely to be a very large system, and it could consist of several remote sites located in different countries under different jurisdictions. This means that gaining physical access to the device that may hold evidential data may be very difficult, if not impossible. A public cloud is also a system that is shared by many organizations, so it would be extremely difficult to investigate a case for one organization without affecting other customers. Moreover, given that a public cloud is very busy, with new data being created and old data being deleted very often, the evidential data that the investigator is trying to find may get overwritten and become impossible to recover. As is the case for any investigation, the cooperation of the system owner is crucial. Taylor et al. (2010) suggest that there could be legislation requiring public cloud providers to keep sufficient audit trails for forensic purposes.

2.4 Related Works

Reilly, Wren & Berry (2010) explore the new challenges posed by cloud computing and how law enforcement has to adapt and evolve its forensic investigation procedures, practices and tools to catch up with new computing environments. They suggest that in order for cloud computing forensics to be effective, cooperation from service providers is required to design their systems in such a way that will facilitate forensic investigation before incidents take place. There are, however, benefits of cloud computing technologies for investigators, such as the scalable computing power and storage capacity.

Taylor et al. (2011) discuss cloud forensics without focusing on any particular platform, and examine the challenges of forensic investigations of cloud computing in general. Depending on the deployment model of the cloud system, whether it is a public or private cloud, the challenges will vary. They explain that while evidence acquisition in a private cloud may be as straightforward as in the traditional environment, the process could be much more complex and time consuming in a large public cloud environment. This is because a large public cloud provider may have distributed datacentres in different jurisdictions. Another challenge is that data may be stored across a large number of devices, and, for a public cloud system, there is also the issue of impact on other users. These make it much more difficult to pinpoint the potential sources of evidence and the physical devices that could hold the data of interest. In order to overcome these challenges, the authors suggest legislation that requires cloud operators to keep audit trails of user activities and records of events.

Lillard et al. (2010) discuss the application of network forensics in a cloud environment. The authors explain that cloud computing has changed the way security controls are implemented to protect digital assets and how forensic investigations are conducted. They highlight the importance of understanding the design philosophies employed by different service providers, as these design philosophies determine the limitations on forensic investigations. Although there are commonalities among different designs, the unique characteristics of the chosen system need to be well understood for forensic analysis to be most effective. The authors also suggest that while the standard incident response process should still be followed, additional consideration of how to manage and monitor the system for forensic purposes needs to be incorporated into the plan.


Although not specifically about cloud computing, Casey (2008) presents a paper discussing the increasingly common attacks designed against forensic analysis in general. The author points out that modern cybercrimes are becoming more sophisticated than ever before, and various anti-forensic techniques have been employed by hackers to undermine investigations. For a while, a forensic examination that involved the recovery of lost data on hard drives, the analysis of data collected by firewalls and intrusion detection systems, and the application of reverse software engineering techniques would have sufficed to reveal the activities carried out and the damage caused by intruders and malware. However, hackers have now taken their attacks to a new level of sophistication, so these techniques and tools may no longer suffice. Anti-forensic measures such as overwriting files to prevent the recovery of evidence, anti-debugging mechanisms to prevent reverse software engineering, and encrypting network traffic to prevent detection and prolong analysis have made the traditional techniques and tools less effective.

2.5 Summary of Literature Review

Cloud computing has a strong potential future. There are a number of benefits that make the technology worth considering for many organizations. While there are still some concerns and hesitations about adopting cloud computing, it is inevitable that digital forensic professionals will need to upgrade their techniques and tools to deal with cases that involve cloud computing systems, and at the same time learn how to take advantage of the technology. Through this review of various sources of literature, we found that to date there has been very little published work similar to the research conducted in this thesis. This may be partly attributed to the fact that private cloud computing technologies are still in a state of flux; thus we have only found papers concerning forensic investigations and cloud computing in general rather than an investigation of a specific implementation.


3 Research Method

The research method for this project consists of two parts. The first part is desk-based research, accounting for about 70% of the research work. Building on the background knowledge from the literature review, this part is devoted to studying the documentation of the Eucalyptus system and related digital forensics literature. The second part of the research is allocated to building a small private cloud for performing a hands-on analysis, which accounts for about 30% of the research work. Although small, this part will enable us to gain a better understanding of how the system works in practice and to perform an investigative analysis on an actual system to find the answers to questions that we might not be able to answer from the desk-based research alone.

3.1 Desk-based

This is essentially a more comprehensive review of existing literature. The goal of this part is to build a fundamental understanding of how the Eucalyptus cloud system works and to research existing forensic techniques and tools that may be transferred to private cloud computing investigation. Our primary source of information will be the official Eucalyptus website, where the documentation of the technology is posted. We will also consult a number of academic papers and textbooks for methods of analysis and existing forensic techniques and tools. In addition, we may have to dig into some less reliable sources such as Internet forums, where people exchange opinions and help each other solve problems in their online communities. This is because the technology under study is relatively new and also an open source project, which means published academic literature and documentation are still limited. It is also understood that the latest knowledge in IT doesn’t always get peer-reviewed and officially published, so what we can do is to critically assess the information as best we can based on our existing knowledge. Furthermore, we will make use of the laboratory-based research to support the findings.

In this desk-based research phase, we set out the following questions as a guideline in our searching for information:

Understanding the technology

- What elements does a Eucalyptus private cloud consist of?
- What are the elements’ main functions?
- How do the elements interact with each other?
- How does the cloud provide services to the users?
- How does Eucalyptus manage networking in the cloud?

Analyzing the cloud for forensic purposes

- How was a system analyzed in other similar works?
- What are we looking for?
- How can we find what we are looking for?
- How may current digital forensic knowledge be applied in this system?
- What are the challenges involved?
- Are there any other potential sources of evidence that could support the private cloud investigation?

3.2 Laboratory-based

In this phase, we will build a dual-node Eucalyptus private cloud in order to perform a hands-on analysis of the system. We will be using Ubuntu Enterprise Cloud version 10.10 powered by open source Eucalyptus version 2.0. The installation and configuration of this software package will be based on the UEC Beginner’s Guide. The cloud will be set up as an Infrastructure-as-a-Service style private cloud. Using the minimum number of required computers, the cloud will consist of two physical servers. One server will be the frontend, running most of the major Eucalyptus cloud components that provide user access and storage services. The other server will provide compute resources. We will use pre-packaged machine images from the Ubuntu website as the base images for running a couple of virtual machines in the cloud. Through the process of installation, configuration and troubleshooting, we should gain a good understanding of how the system operates. After this, we will proceed with our analysis tasks. These tasks will consist of checking the configuration files and examining the logs in order to identify the locations of the artefacts of interest and traces of activities. As production servers will run as virtual machines in the cloud, we will try to find out whether we are able to recover deleted data inside the virtual machines. This will be set up by running a virtual machine in the cloud. We will then create and delete text files inside the user home directory. Once the virtual machine is shut down, the virtual hard disk file will be deleted by the hypervisor. However, we believe that this deletion is not exhaustive, so the virtual hard disk file should still be recoverable. From there, we will use a forensic tool, EnCase, to try to recover the deleted text files inside the recovered virtual hard disk file.

3.3 Research Outcome

With the advantage of still having the entire infrastructure under the sole control of the organization, it is expected that investigators would still be able to track down and obtain the key artefacts of interest in a private cloud, provided that the sources of traces such as logs are well protected. Even though resources are dynamically allocated in cloud computing and some evidence in running virtual machines may never be persistently saved, we expect that it would still be possible to recover the lost evidence using existing forensic techniques and tools. Meanwhile, we also expect that some of the major challenges of private cloud forensics would be the dynamic nature of resource usage, as virtual machines allow hardware resources to be shared dynamically. Consequently, critical evidential data may be overwritten. In addition, with the advent of more complex data storage and dissemination technologies, forensic examiners face an increasingly difficult task in investigating high data-volume cases.

3.4 Research Schedule

Period                        Task
Early Mar 2011                Identify research interest and find supervisor
Mar 2011                      Work on annotated bibliography
Early Apr 2011                Determine research topic
Late Apr 2011 – 26 May 2011   Review literature & prepare research proposal
27 May 2011 – 30 May 2011     Prepare presentation
31 May 2011                   Give presentation
1 Jun 2011                    Prepare research proposal (continued)
10 Jun 2011                   Submit research proposal
11 Jun 2011 – 3 Jul 2011      Desk-based research
4 Jul 2011 – 20 Jul 2011      Away
18 Jul 2011 – 31 Aug 2011     Desk-based research (continued)
1 Sep 2011 – 30 Sep 2011      Laboratory-based research; write first draft
1 Oct 2011 – 21 Oct 2011      Write subsequent drafts; give presentation
24 Oct 2011                   Submit thesis for review
27 Oct 2011 – 31 Oct 2011     Review thesis based on feedback
1 Nov 2011                    Submit final bound copy of thesis


4 Eucalyptus Private Cloud Analysis

Given that the goal is to find traces of activities and evidentiary data in a private cloud, we will begin our analysis by first forming an understanding of how the system works. Then, we will try to identify system artefacts that may hold potential evidence. Once we know what we are looking for, we may start searching for the artefacts. However, these artefacts may not always be readily available and easy to find because they could be deleted by accident or on purpose. Therefore, our next step is to examine the storage management of the system in order to figure out how to recover deleted artefacts. Finally, we will briefly touch on some other potential sources of evidence outside the core elements of the Eucalyptus cloud system.

4.1 Architecture Overview

This Eucalyptus architecture overview is based on the UEC edition, which should be similar to other Eucalyptus implementations. UEC version 10.10 is a Linux server distribution that integrates open source Eucalyptus version 2.0 as its core cloud component. This complete operating system package enables users to deploy an Infrastructure-as-a-Service (IaaS) style private cloud system more conveniently. Eucalyptus adopts the industry-leading API standard, that of Amazon Web Services, so users can take advantage of existing tools developed for Amazon Web Services and deploy images that can run on both Amazon and Eucalyptus based cloud systems. The system also has a modular design and extensible services, which allows developers to build customized add-ons to extend the capabilities of the system.

4.1.1 Cloud elements

The Eucalyptus architecture comprises five core elements: the cloud controller (CLC), cluster controller (CC), node controller (NC), walrus storage controller (WS3) and elastic block storage controller (EBS). Each core element is implemented as a web service and makes use of various industry standard web services technologies.


Figure 1: Eucalyptus cloud architecture diagram (Wardley, Goyer & Barcet 2009)

The cloud controller (CLC) is the frontend of the entire cloud system. It handles user requests and communicates with the cluster controller to allocate resources. It is also the server where linking information between users and instances can be discovered (Wardley, Goyer & Barcet 2009).

The walrus storage controller (WS3) is a simple file-level storage solution. While its primary function is to store machine images that can be instantiated and run on a node controller, it also provides storage for snapshots of volumes from the elastic block storage controller, as well as for other data files that can be accessed through the S3 API (Johnson et al. 2010).

The elastic block storage controller (EBS) provides a persistent data storage service. Users are presented with block level storage volumes that can be formatted with a file system. Users can attach and detach the volumes from running instances but a volume cannot be attached to multiple instances at the same time (Eucalyptus Systems 2010).

The cluster controller manages the node controllers within its cluster. It responds to requests from the cloud controller and decides which node controller to use to run a machine instance (Wardley, Goyer & Barcet 2009). It also manages the virtual network of machine instances within its cluster zone (Eucalyptus Systems 2010).

The node controller interacts with its operating system and hypervisor, or virtual machine manager. It provides the virtualization platform for running machine instances. In the process of instantiation, the node controller downloads the machine image from WS3, creates the required virtual network interface according to the instructions from its cluster controller and starts the machine instance with the requested virtual machine type (Wardley, Goyer & Barcet 2009).

4.1.2 Networking features

Depending on the networking mode chosen, there could be both virtual and physical networks. If a virtual network is configured, each instance will be assigned two interfaces and addresses: a private one and a public one. The private one is used to communicate within the virtual network, whereas the public one is used to communicate with the rest of the world. Virtual subnets are designed to separate the network of VMs from the physical network in which the main Eucalyptus service components interact. Eucalyptus supports four networking modes, and these virtual subnets are used in some networking modes only, so investigators may encounter different network setups. Each network mode has features and limitations that could affect the ability to perform a network-level forensic investigation (Eucalyptus Systems n.d.a).

Eucalyptus provides a feature-rich networking mode called Managed mode. In this mode, the CC acts as a DHCP server and assigns IPs to VMs. This mode supports a feature called Elastic IP address assignment, which allows IP addresses to be associated with user accounts instead of instances. This mode also introduces the concept of a security group, which enables administrators to apply ingress filtering rules as if there were a firewall separating local-group traffic from non-local-group traffic. While VLAN tags are used to enforce this isolation so that VMs in one group cannot eavesdrop on traffic in another group, traffic between VMs within the same security group is not isolated and thus may be eavesdropped on (Eucalyptus Systems n.d.a).

If the physical network has been designed to use VLANs, then the network is not considered VLAN clean, meaning that the VLAN tags used in Managed mode will conflict with the VLAN tags used in the physical network. For these circumstances, Eucalyptus offers a Managed-NOVLAN mode, which has all the same features as Managed mode except for VLAN tagging. Without VLAN tagging, VM traffic isolation between different security groups may still be enforced by assigning different subnets to different security groups. This is known as Layer-3-only VM isolation (Eucalyptus Systems n.d.a).

The other two networking modes, System and Static, do not use virtual subnets. The virtual NICs of VMs and the physical NICs of the NC are directly bridged, but not necessarily in a one-to-one mapping. There are no elastic IP, security group or VM isolation features. This means each VM will appear on the network as an individual system without any extra protection from Eucalyptus except the personal firewall of the VM itself. The main difference between these two modes is that Static mode allows the system administrator to statically assign IPs to VMs from the CC, whereas in System mode a network DHCP server is required to perform the IP address management function (Eucalyptus Systems n.d.a).

To identify the networking mode in use, we can check the eucalyptus.conf file on each machine running a Eucalyptus component (Eucalyptus Systems n.d.a).
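As an added example (not code from the thesis or from the Eucalyptus project), the following Python script reads a eucalyptus.conf, extracts VNET_MODE and INSTANCE_PATH, and reports the evidence-relevant properties of the detected mode as described in the preceding paragraphs. The configuration text is constructed for illustration; VNET_MODE with the values SYSTEM, STATIC, MANAGED and MANAGED-NOVLAN is assumed to be the real Eucalyptus 2.x setting.

```python
"""Identify the Eucalyptus networking mode from eucalyptus.conf and map it to
the isolation and address-assignment properties an investigator should expect.

Added example for this page; not code from the thesis or from Eucalyptus.
Assumption: VNET_MODE (SYSTEM, STATIC, MANAGED, MANAGED-NOVLAN) is the
Eucalyptus 2.x key that selects the mode.  The sample file below is constructed.
"""
import re

# Constructed sample: a cut-down eucalyptus.conf as a cluster controller
# might carry.  Only keys relevant to this example are included.
SAMPLE_CONF = """
# Eucalyptus configuration (constructed sample)
EUCALYPTUS="/"
INSTANCE_PATH="/var/lib/eucalyptus/instances"
VNET_MODE="MANAGED-NOVLAN"
VNET_SUBNET="172.19.0.0"
VNET_NETMASK="255.255.0.0"
VNET_ADDRSPERNET="32"
VNET_PUBLICIPS="192.168.1.100-192.168.1.150"   # trailing comment
"""

_ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_eucalyptus_conf(text):
    """Return a dict KEY -> value for shell-style KEY="value" lines.

    Blank lines and '#' comment lines are ignored.  Surrounding quotes are
    stripped and a trailing '# comment' after the value is dropped.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _ASSIGN.match(stripped)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw[:1] in ('"', "'"):
            end = raw.find(raw[0], 1)
            value = raw[1:end] if end > 0 else raw[1:]
        else:
            value = raw.split("#", 1)[0].strip()
        settings[key] = value
    return settings


# What each mode gives an investigator to work with, as the thesis describes:
# who hands out addresses, whether elastic IPs and security groups exist, and
# how (if at all) VM traffic is isolated.
MODE_FEATURES = {
    "SYSTEM": dict(addresses="external network DHCP server", elastic_ip=False,
                   security_groups=False, isolation="none (bridged to NC NIC)"),
    "STATIC": dict(addresses="CC, from an administrator-defined static map",
                   elastic_ip=False, security_groups=False,
                   isolation="none (bridged to NC NIC)"),
    "MANAGED": dict(addresses="CC acting as DHCP server", elastic_ip=True,
                    security_groups=True,
                    isolation="VLAN tag per security group (layer 2)"),
    "MANAGED-NOVLAN": dict(addresses="CC acting as DHCP server",
                           elastic_ip=True, security_groups=True,
                           isolation="subnet per security group (layer 3 only)"),
}


def describe_network_mode(settings):
    """Map the parsed VNET_MODE to its forensic-relevant properties.

    Returns the mode name plus its MODE_FEATURES entry; raises ValueError for
    a missing value or one the thesis does not describe.
    """
    mode = settings.get("VNET_MODE", "").upper()
    if mode not in MODE_FEATURES:
        raise ValueError("unknown or missing VNET_MODE: %r" % mode)
    return dict(mode=mode, **MODE_FEATURES[mode])


if __name__ == "__main__":
    conf = parse_eucalyptus_conf(SAMPLE_CONF)
    print("instance path:", conf.get("INSTANCE_PATH"))
    for key, value in describe_network_mode(conf).items():
        print("%-16s %s" % (key + ":", value))
```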

4.2 Identifying Artefacts of Interest

Depending on the case an investigator is working on, the questions that the investigator has in mind may vary. In answering these forensic-related questions, it is important to understand which information is related to which artefact so that the artefacts of interest can be identified, acquired and examined to find the answers. The artefacts that we are going to discuss in this section are those that should already exist in the cloud by default, without any additional configuration. This section will address the first sub-research question: What are the artefacts of interest in the cloud?

4.2.1 Linux system artefacts

Eucalyptus is a Linux platform based technology. Each Eucalyptus core controller is a software component running on top of a Linux operating system. Multiple controllers may run on the same physical machine or on their own separate physical servers, but they are essentially Linux servers with common characteristics. Therefore, common Linux system artefacts could hold useful information for cloud investigations.

4.2.1.1 Swap space

One of the most commonly investigated Linux system artefacts is swap space. Although Linux supports swap space in the form of swap files, a dedicated swap partition is more commonly used. Swap space is used to store virtual memory. Virtual memory holds inactive pages from the main physical memory (RAM). This means some contents of the RAM may be found in the swap space. If the system is off, examining the swap space could reveal malicious programs, opened files, and much more that were in the RAM but no longer exist on the hard disk. The Linux swap space may be accessed through the /proc directory (Craiger 2005).


4.2.1.2 Logs

Another common artefact of interest is Linux system logs. Linux systems keep a very large number of logs, so finding the relevant logs could be challenging. Linux system logs are typically located under the /var directory.

/var/log/messages   Catch-all, non-specified logs
/var/log/auth.log   User authentication successes/failures
/var/log/sulog      “su” attempts/successes
/var/log/httpd/*    Apache Web Server
/var/log/wtmp       User logons and logoffs

Linux servers in the cloud are often accessed through SSH and managed from a command line console. BASH is the most common shell used in Linux systems. Under a user’s home directory, .bash_history shows a history of commands executed in the BASH shell, but it is important to note that this file does not contain timestamps, which could be critical for some investigations (Altheide & Carvey 2011).

4.2.1.3 Temporary files

Another location in a typical Linux system that may hold artefacts of interest is the /tmp directory. This directory is used to store non-user-specific temporary files. Because this directory is world readable, writable and executable, it is one of the most likely places where an adversary could hide their data (Altheide & Carvey 2011).

4.2.2 Eucalyptus specific artefacts

4.2.2.1 Logs

All major controller components of Eucalyptus have their corresponding log files, designed for troubleshooting, but these log files can also be useful for investigators. The level of detail that these log files keep can be configured in the file called eucalyptus.conf. The following table shows the log files produced by each Eucalyptus component:


Cluster controller (CC)                   cc.log, httpd-cc_error.log, registration.log
Node controller (NC)                      nc.log, httpd-nc_error.log, euca_test_nc.log
Cloud controller (CLC)                    cloud-debug.log, cloud-error.log, cloud-output.log, axis2c.log
Elastic block storage controller (EBS)    sc-state.log, registration.log
Walrus storage controller (WS3)           walrus-state.log, registration.log

These log files contain sufficient information to allow investigators to find out when a machine instance was started and terminated, which node controller (NC) the machine instance ran on, which user account was using the instance, how long the instance was on, which machine image was used and which persistent volume on the elastic block storage controller (EBS) the instance accessed. Each instance has a unique ID. This ID can be used as a keyword to search in cloud-output.log to pinpoint the physical machine that ran a particular instance at a given time.

4.2.2.2 Eucalyptus essential system files

After a crash or failed upgrade, the full Eucalyptus installation can be restored from the following files:

configuration file ($EUCALYPTUS/etc/eucalyptus.conf) on CLC

database files ($EUCALYPTUS/var/lib/eucalyptus/db) on CLC

cryptographic keys ($EUCALYPTUS/var/lib/eucalyptus/keys) on CLC

Walrus buckets ("Buckets path" in Web configuration, by default $EUCALYPTUS/var/lib/eucalyptus/bukkits) on WS3

EBS volumes ("Volumes path" in Web configuration, by default $EUCALYPTUS/var/lib/eucalyptus/volumes) on EBS

Therefore, it is extremely important for system administrators to back up these files frequently. For investigators, backups of these files can be compared with the ones on the failed system to identify changes, which could be the result of unscrupulous activity. Even though the system may have crashed, we should still be able to investigate the offline cloud by analysing these files to form an understanding of how the system was set up, how to access the images managed by the WS3 and the data volumes managed by the EBS.


4.2.3 VM Artefacts and User Persistent Data

4.2.3.1 Images

Cloud computing leverages virtualization technology to dynamically provide compute resources to users. In UEC, KVM is the default virtual machine manager, or hypervisor, on each node controller, and it can run multiple virtual machine instances. A virtual machine is instantiated from a set of images. These images are the blueprint of the virtual machine. For a Linux virtual machine, the image set consists of a ramdisk image, a boot disk image and a virtual hard disk image. These images are bundled together as a package with a set of XML documents that provide data about the images. As a virtual machine is instantiated, a set of new files is created and used for the lifetime of that particular virtual machine instance. If a virtual machine instance is to be investigated, this new set of files will be the artefact of interest.

4.2.3.2 Volumes

While a virtual machine has its own virtual hard disk, this virtual hard disk is not meant for storing users’ persistent data. This is because the virtual hard disk and all related files of the instance will be deleted upon the instance’s termination. To store persistent data, Eucalyptus provides an S3-style data storage service for that purpose. Users can create volumes on the EBS. These volumes are presented as raw block devices to the user, so the user can format the volume with a file system of choice and attach the volume to their virtual machine instance. If the investigator is looking for user-stored data files, then these volumes will be the artefact of interest.

4.2.3.3 Snapshots

Eucalyptus also has the ability to create a snapshot of a volume. A snapshot is a point-in-time copy of a volume. This snapshot can then be used to create a new replicated volume. It is important to note that these snapshots are not snapshots of virtual machines. Machine images are the only persistent form of the virtual machine. New images have to be created and bundled for any changes to be added to the virtual machines’ operating systems.

4.3 Recovering deleted artefacts

We have so far identified a number of artefacts of interest, but these artefacts may not always be readily available and easy to find because they could be deleted either by normal operations, such as when the system discards unused files, or by an adversary's attempt to cover their traces, such as file tampering and exhaustive file deletion. Therefore, in order to obtain the artefacts, it is first important to understand the storage management of the system, because different platforms may manage storage differently. We have learned that a cloud computing system has its own architectural design, which is different from that of a traditional information system. In terms of storage management, Eucalyptus uses the same approach as Amazon does with their public cloud, where system software and data are managed separately. This section will address the second sub-research question: How to recover deleted artefacts in the cloud?


4.3.1 Host System Artefacts

Host system artefacts refer to the Linux system artefacts and Eucalyptus component-specific artefacts that we covered in the previous section. These artefacts contain useful information that may help answer questions such as when a machine instance was accessed, by whom and from where. In addition, if the host has been compromised, then the traces and damage of the penetration may also be discovered here.

Since a Eucalyptus cloud is made up of a number of Linux servers, these systems will have typical Linux root partitions with the ext4 file system, and swap partitions for storing virtual memory data. The host system artefacts are stored on the local hard disks of these servers. To recover deleted host system artefacts, we may apply existing forensic tools and techniques to analyse the local hard disk the same way as we would on a typical Linux server in a traditional system. A widely accepted professional forensic tool such as EnCase is powerful enough to analyse Linux ext4 file systems and recover deleted data.

4.3.2 User Persistent Data

If investigators are looking for data such as user-created files and databases, these artefacts may be found on the persistent storage media of the elastic block storage controller. Leveraging the Linux Logical Volume Manager (LVM) (Eucalyptus Systems n.d.b), EBS can create multiple volumes of various sizes that can be formatted with a number of different file systems. Professional forensic tools such as EnCase have the ability to mount images containing LVM volumes (The Mail-archive 2006). However, the challenge will depend on the underlying hardware storage system used for the EBS. This is because investigating an enterprise storage system such as a shared storage server, a network attached storage (NAS) or a storage area network (SAN) could be time consuming, as the storage system is likely to consist of several hard disks in a number of different RAID configurations.

4.3.3 VM Images

Virtual machine images and snapshots are managed by the walrus storage controller. When a new virtual machine is to be instantiated, the related virtual machine images are downloaded from the walrus controller to a node controller. As explained in the architecture section, node controllers have hypervisors that are responsible for running multiple virtual machines, but node controllers are different from a standalone Linux server with a hypervisor. On the standalone server, the virtual disk image files remain on the local server hard disk after the virtual machine is powered off, and when it is powered back on all the changes made to the virtual machine are retained. In contrast, the virtual disk image files of the instances on the node controller are volatile objects, meaning that when the instances are shut down all the files associated with the instances are deleted and thus all the changes made to the instances are lost. This could create a challenge for investigators, because if the adversary only performs his malicious activities on the running instance without saving anything to the persistent volume and then shuts down the instance, his traces of activity would be lost with the deleted virtual machine instance. Thus, having the ability to recover these artefacts that have been deleted on the node controllers is very important.

In Ubuntu Enterprise Cloud, Kernel Virtual Machine (KVM) is the default hypervisor. KVM supports the use of a block device or disk image files as virtual local storage for virtual machines (IBM 2010). If KVM is configured to use a block device, then the block device will be the place to find remnants of terminated instances. By the same token, if disk image files are the configured option, then the disk image files will need to be recovered. In our experiment, due to a lack of resources, we were unable to obtain a suitable hardware device to connect the SATA hard disk from our node controller to our mobile EnCase workstation for the purpose of recovering the deleted virtual hard disk files of the terminated instance. So, we had to skip this step and create a backup copy of the virtual hard disk files before they were deleted by the node controller. To pinpoint the location of the virtual hard disk files of the instance that we want, the instance ID is a good search keyword. We may check eucalyptus.conf, where the INSTANCE_PATH variable specifies the location that stores copies of the disk image files of running instances and the original cached images downloaded from the walrus controller. Having obtained the virtual hard disk files, we used EnCase version 6.1 in our laboratory to mount the virtual hard disk file. EnCase had no problem understanding the default format of KVM’s virtual hard disk files (see Appendix A). On top of that, EnCase was also able to successfully recover the text file that we created and deleted for this purpose (see Appendix B). This means that investigators will be able to examine the volatile virtual machine instances even after they have been terminated on the node controller, as long as the virtual hard disk files are not overwritten by new virtual machine instances or deleted exhaustively.

This indicates a challenge that investigators could face when trying to recover virtual machine instance artefacts, especially in a busy private cloud where virtual machines are brought up and torn down often. After the resources are released, they may be used by new instances, so the disk image files that we would like to recover from the local storage could be overwritten. This possibility of data being overwritten can undermine the ability to recover complete and intact disk image files for further data collection.
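The following Python module is an added example (not code from the thesis or from Eucalyptus) serving two passages: section 4.2.2.2, where a backup of the essential system files is compared with the copies on a failed system, and section 4.3.3 above, where an instance's virtual disk files are copied out of INSTANCE_PATH before the node controller deletes them. It assumes that an instance's files sit in a directory named after the instance ID somewhere below INSTANCE_PATH; the $EUCALYPTUS-relative paths are the ones listed in section 4.2.2.2.

```python
"""Fingerprint and preserve Eucalyptus artefacts before they change or vanish.

Added example for this page; not code from the thesis or from Eucalyptus.
Serves section 4.2.2.2 (compare a backup of the essential files with the
failed system) and section 4.3.3 (copy an instance's disk files out of
INSTANCE_PATH before the NC deletes them).  Assumption: the instance's files
live in a directory named after the instance ID below INSTANCE_PATH.
"""
import hashlib
import os
import shutil

# Essential files listed in section 4.2.2.2, relative to $EUCALYPTUS.
ESSENTIAL_PATHS = (
    "etc/eucalyptus.conf",
    "var/lib/eucalyptus/db",
    "var/lib/eucalyptus/keys",
    "var/lib/eucalyptus/bukkits",
    "var/lib/eucalyptus/volumes",
)


def sha256_file(path):
    """SHA-256 of one file, read in 1 MiB chunks so large disk images fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, subpaths=None):
    """Manifest {relative path: (size, sha256)} of files under root.

    With subpaths, only those files or directories (relative to root) are
    walked; entries that do not exist are skipped, so a partial backup can
    still be compared against a live or failed system.
    """
    manifest = {}
    targets = [os.path.join(root, p) for p in subpaths] if subpaths else [root]
    for target in targets:
        if os.path.isfile(target):
            files = [target]
        elif os.path.isdir(target):
            files = [os.path.join(d, n)
                     for d, _, names in os.walk(target) for n in names]
        else:
            continue  # missing on this side; shows up as added/removed
        for path in files:
            manifest[os.path.relpath(path, root)] = (
                os.path.getsize(path), sha256_file(path))
    return manifest


def diff_manifests(baseline, current):
    """Paths added, removed or modified between two manifests."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def find_instance_dir(instance_path, instance_id):
    """Directory named after the instance ID below INSTANCE_PATH, or None."""
    for dirpath, dirnames, _ in os.walk(instance_path):
        if instance_id in dirnames:
            return os.path.join(dirpath, instance_id)
    return None


def preserve_instance(instance_path, instance_id, evidence_dir):
    """Copy an instance's files (disk, kernel, ramdisk, ...) into
    evidence_dir/<instance_id> and return the verified manifest of the copy.

    Raises FileNotFoundError if the node controller has already removed the
    instance directory, and IOError if the copy does not hash-match the
    original (e.g. the files changed while being copied).
    """
    src = find_instance_dir(instance_path, instance_id)
    if src is None:
        raise FileNotFoundError("instance %s not found under %s"
                                % (instance_id, instance_path))
    dst = os.path.join(evidence_dir, instance_id)
    shutil.copytree(src, dst)
    original, copied = hash_tree(src), hash_tree(dst)
    if original != copied:
        raise IOError("copy of %s does not match the original" % instance_id)
    return copied
```

Run hash_tree(root, ESSENTIAL_PATHS) on the backup and on the failed system and pass both manifests to diff_manifests; run preserve_instance with the INSTANCE_PATH value from eucalyptus.conf while the instance is still running.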

4.4 Other potential Sources of Evidence

When investigating a private cloud, there are more sources of evidence than just those that exist on the core servers by default. As cloud computing is a networked system, there are other sub-system components that may be investigated to acquire further evidential data to support the cloud investigation. Therefore, this section will address the third sub-research question: What could be other potential sources of evidence to support a private cloud investigation?

4.4.1 Client Side Investigation

Since cloud computing has a client-server model in which users access virtual machines in the cloud from remote client machines, a cloud computing related criminal investigation may be extended to cover the investigation of the client machines. Client tools for cloud computing can be categorized as those for performing cloud management tasks and those for accessing the virtual machines in the cloud. The management tools are available as a command line tool and as a web-based graphical user interface tool in the form of a browser plug-in. Examples of these tools that can be used with a Eucalyptus cloud are the Firefox browser’s hybridfox and elasticfox, and the command line based euca2ools. Since hybridfox and elasticfox are browser based applications, the web browser’s cache would be an artefact of interest to investigate. euca2ools is a Linux based command line tool, so the command history of the Linux shell would reveal the use of the tool. For accessing virtual machines in the cloud, typical remote access tools such as SSH, VNC and RDP clients are commonly used. Kerai (2010) shows that the artefacts, such as log files and those in the Windows registry, left behind by these remote access tools could prove that the client was used to access the remote system. While examining the client tools may not reveal the detailed activities performed on the remote system, it is still helpful to cross-check the investigative findings from the cloud.

4.4.2 Live Investigation

In recent years, live investigation has become increasingly popular as the need to investigate volatile data such as memory, running processes and applications, opened ports, raw sockets and active connections is growing. This volatile data is mostly lost when the system is offline, making static analysis less effective (Hay & Nance 2008). However, live investigation poses many challenges that could make the evidence acquired through this method forensically inadmissible. This is because live investigation may alter the state of the investigated system, and the result may not be verifiable and repeatable (Barrett & Kipper 2010). To further complicate the matter, the target system in the cloud is in a virtual environment. Some live investigation tools for investigating live physical systems may no longer work in this environment (Barrett & Kipper 2010). Despite these difficulties, many research attempts have been made to make live virtual machine investigation possible. One of the methods is the application of virtual introspection. The intent of virtual introspection tools is to allow the hypervisor to monitor the activities on the virtual machines without being detected. Although much work remains to be done, the open source VIX project, a suite of virtual introspection tools developed for the Xen hypervisor, has shown significant progress and provided a proof of concept for using this type of tool to facilitate live virtual machine investigation (Hay & Nance 2008).

4.4.3 Network Level Monitoring

In typical enterprise information systems, external security controls such as external Intrusion Detection Systems (IDSs) and firewalls are commonly used to provide additional security and increase forensic readiness. These systems can analyse network traffic and keep logs of activities as configured by the system administrator. Examining data from these devices would reveal a lot of valuable information for forensic investigations. With the introduction of cloud computing, a lot of activities will take place over network connections, so the use of external IDS and firewalls will become even more important than ever. These sub-systems will certainly continue to play a vital role in the era of cloud computing.


5 Conclusion

5.1 Summary of Research Findings

In this research, we set out to investigate Ubuntu Enterprise Cloud version 10.10 powered by Eucalyptus version 2.0. This has been accomplished through a combination of desk-based research and laboratory-based research aimed at analysing the system architecture design of the technology, the features of the system, the key enabling technology of the cloud (the virtualization software), and the storage management of the cloud. Leveraging existing digital forensic knowledge, including various techniques and tools, we have identified key forensic artefacts that may hold evidential data in the cloud. These include:

common Linux system artefacts such as Linux swap space, Linux system logs under the /var/log directory and temporary files under /tmp;

Eucalyptus specific logs located on each controller; and

Eucalyptus essential system files, virtual machine images, persistent data volumes, and volume snapshots.

We have also investigated the methods that we may use to recover the artefacts of interest if they are destroyed on purpose or by accident. The process should be straightforward once we know where and how these artefacts are stored. Recovering artefacts such as running virtual machine instances on node controllers would be more challenging, as these artefacts are non-persistent and their remnants could already be overwritten. Finally, we have also considered some other potential sources of evidence that do not exist in the cloud by default. These include client-side investigation of the end user's machine that has been used to access the cloud, virtual machine introspection technology that monitors users' activities on virtual machines in real time, and conventional security controls such as firewalls and IDS systems, which will continue to be useful sources of evidence in the cloud computing age. Having these potential sources available will certainly enhance the effectiveness of the investigation.

5.2 Limitations

This study has a number of limitations. Due to the limited timeframe of the research, the study has not provided a very in-depth analysis of the private cloud system and could only be based on a specific open source version of the technology, which is less likely to reflect the situation in the real world, where the enterprise edition of Eucalyptus is more likely to be used and there will be more features to examine. Due to the limited resources in the laboratory-based research part, the system setup was highly simplified, which again cannot represent real-world production systems.


5.3 Future Work

This topic is a very interesting area of research and could be extended into a number of further research projects. There is an opportunity to perform a more in-depth analysis on the same set of cloud technologies but in different deployment and delivery models. Another area to explore could be to investigate the system at a larger scale with different virtualization technologies. In the open source arena, there are a number of competing cloud technologies that are worth investigating. For example, OpenStack is going to be the new default cloud computing technology in UEC version 11.10. There could also be a combination of open source and commercial technologies that form the cloud. As cloud computing advances, further research into the new technologies used in the cloud will continue to be in demand.


Appendix A – EnCase’s Full Virtual Disk Report

Name:               Disk Image
Description:        Physical Disk, 21,000,192 Sectors 10GB
Logical Size:       0
Initialized Size:   0
Physical Size:      512
Starting Extent:    0S0
File Extents:       1
References:         0
Physical Location:  0
Physical Sector:    0
Evidence File:      Disk Image
File Identifier:    0
Code Page:          0
Full Path:          KVM\Disk Image

Device Name:        Disk Image
File Path:          C:\Documents and Settings\thasy022\Desktop\kvm\Images\disk.dd
Drive Type:         Fixed
File Integrity:     This raw image file cannot be verified
EnCase Version:     6.12
System Version:     Windows XP
Is Physical:        •
Raid Stripe Size:   0
Error Granularity:  0
Process ID:         0
Index File:         C:\Documents and Settings\thasy022\Desktop\kvm\Index\Disk Image.Index
Read Errors:        0
Missing Sectors:    0
CRC Errors:         0
Compression:        Unknown
Total Size:         10,752,098,304 Bytes (10GB)
Total Sectors:      21,000,192
Disk Signature:     56940100
Partitions:         Valid

Hash Properties
Name    Value    Hash Set    Hash Category

Partitions
Name    Id    Type            Start Sector    Total Sectors    Size
        83    Linux Native    0               2,050,112        1001MB
        83    Linux Native    2,050,112       17,382,001       8.3GB
        82    Linux Swap      19,432,113      1,568,079        765.7MB


Appendix B – EnCase’s Recovered Deleted File Report

Bookmark Type:      Highlighted Data
Preview:            hello world I have stolen some data and deleted it
Comment:            Data found
Show Picture:       •
File Offset:        262144
Length:             50
Name:               Unallocated Clusters
In Report:          •
Description:        File, Unallocated Clusters
Logical Size:       455,581,696
Initialized Size:   455,581,696
Physical Size:      455,581,696
Starting Extent:    0hda1-C2
File Extents:       111
References:         1
Physical Location:  40,448
Physical Sector:    79
Evidence File:      Disk Image
File Identifier:    0
Code Page:          0
Full Path:          KVM\Disk Image\hda1\Unallocated Clusters
Bookmark Path:      NoName
Bookmark Start:     20,016,640
Bookmark Sector:    39,095

Full Path                                    Comment       Preview
KVM\Disk Image\hda1\Unallocated Clusters     Data found    hello world I have stolen some data and deleted it
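The Appendix B bookmark records the recovered text as a byte offset (20,016,640) and a 512-byte sector (39,095) inside the raw dd image. The following is an added Python example, not the thesis's own tooling (EnCase was used): it scans a raw image for the marker text, reports each hit in the same offset/sector terms, and maps the sector onto the partition table reported in Appendix A. The image it scans is constructed in memory, so it runs without the 10GB disk.dd.

```python
"""Locate a recovered string in a raw (dd) image and report it the way the
EnCase bookmark in Appendix B does: byte offset, 512-byte sector, and the
partition the sector falls in.  Added example, not the thesis's tooling.
The partition table is copied from Appendix A; the image is constructed
in memory so this runs offline without the 10GB disk.dd."""
import re

SECTOR = 512

# (id, type, start sector, total sectors) exactly as reported in Appendix A
PARTITIONS = [
    (0x83, "Linux Native", 0, 2_050_112),
    (0x83, "Linux Native", 2_050_112, 17_382_001),
    (0x82, "Linux Swap", 19_432_113, 1_568_079),
]

def partition_for_sector(sector, table=PARTITIONS):
    """Index of the partition containing `sector`, or None if past the end."""
    for idx, (_, _, start, total) in enumerate(table):
        if start <= sector < start + total:
            return idx
    return None

def carve(image, pattern=rb"hello world I have stolen[^\x00]{0,64}"):
    """Scan the image for the marker text and return each hit as
    (byte_offset, sector, partition_index, matched_bytes).  The regex
    keeps reading non-zero bytes until the zero-filled slack resumes."""
    hits = []
    for m in re.finditer(pattern, image):
        off = m.start()
        sector = off // SECTOR
        hits.append((off, sector, partition_for_sector(sector), m.group()))
    return hits

def build_image(total_sectors=40_000):
    """Constructed stand-in for disk.dd: zero-filled sectors with the
    Appendix B text written at sector 39,095 (byte offset 20,016,640)."""
    img = bytearray(total_sectors * SECTOR)
    msg = b"hello world I have stolen some data and deleted it"
    off = 39_095 * SECTOR
    img[off:off + len(msg)] = msg
    return bytes(img)

if __name__ == "__main__":
    for off, sec, part, data in carve(build_image()):
        print(f"offset {off:,} sector {sec:,} partition {part}: {data!r}")
```

Run against a real image by replacing build_image() with the bytes read from the dd file; the 50-byte match length and sector 39,095 agree with the Length and Bookmark Sector fields in the report above.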


Glossary

Anti-debugging The implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process.

API (Application Programming Interface) A set of functions that a programme or person can use to send requests to and receive results from another programme.

AWS (Amazon Web Services) A collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com.

Brute-force attacks A strategy used against encrypted data. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Digital Forensics The process of identifying, preserving, analysing and presenting digital evidence under forensically sound conditions.

Electronic evidence Evidence in digital or electronic form, such as e-mail, computer files, and instant messages.

Email forensics A sub-branch of digital forensics relating to recovery of digital evidence or data from emails on the client and server systems, including deleted emails, calendars and contacts.

Encrypting The process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Eucalyptus A software platform for the implementation of private cloud computing on computer clusters.


File server A computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files that can be accessed by the workstations that are attached to the computer network.

Firewall A piece of software, a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.

Google Docs Web-based word processor, spreadsheet, slide show, form, and data storage service offered by Google.

Hackers Persons who break into computers and computer networks for profit, as protest, or sometimes motivated by the challenge.

Hypervisor Also called virtual machine manager, it is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.

Intrusion detection system A piece of software, a device or set of devices designed to monitor network and/or system activities for malicious activities or policy violations and produce reports to a management station.

Malware (malicious software) Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.

Mobile device forensics A sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.

Network forensics A sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection.

Penetration testing A method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

REST (Representational State Transfer) A style of software architecture for distributed hypermedia systems such as the World Wide Web.

UEC (Ubuntu Enterprise Cloud) An edition of the Linux-based Ubuntu operating system for cloud computing platforms.

Virtualization The creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.

VMware A commercial virtualization software product.

Vulnerabilities Weaknesses which allow an attacker to reduce a system's information assurance.

Web server Either the hardware (the computer) or the software (the computer application) that helps to deliver content that can be accessed through the Internet.

