This document summarizes a project on cloud forensics. It reviews the cloud computing service models (SaaS, PaaS, and IaaS), describes the implementation of a private Eucalyptus cloud, and tests both live forensics via virtual introspection and the recovery of ephemeral data left behind by previous cloud tenants. Planted data is recovered from the physical disk but not from a new virtual instance. The document concludes that, because Eucalyptus uses sparse files (or zero-filling when space is fully pre-allocated), ephemeral data is not accessible to new tenants.
2. What is Cloud Computing?
• The delivery of computing as a service as opposed to a product
• Three types:
– SaaS (Software as a Service)
– PaaS (Platform as a Service)
– IaaS (Infrastructure as a Service)
3. SaaS (Software as a Service)
• Provider controls the infrastructure
• Client uses a hosted application
4. PaaS (Platform as a Service)
• Provider controls the operating system and hardware
• Client controls middleware and interfaces to allow for software development
5. IaaS (Infrastructure as a Service)
• Provider rents hardware and storage space as a service
• Client can install virtualized operating systems on which their applications can run
6. Eucalyptus (IaaS Cloud Platform)
• What if you want to create your own cloud?
• Eucalyptus is a leading private cloud platform
• Allows organizations to use existing infrastructure to create IaaS clouds
• Can become a hybrid cloud when interfaced with Amazon Web Services for migration of workloads
7. Project Description
1. Implementation of a Eucalyptus cloud
2. Testing potential for live forensics via virtual introspection
3. Testing potential for recovering previous cloud tenant ephemeral data
9. 1. Virtualization Definitions:
• Physical host – Computer or server that will host virtual instances
• Virtual instance – Guest operating system that runs on top of the physical host
• Hypervisor – Allows multiple virtual instances to run concurrently on the physical host
• KVM – One hypervisor option for Linux
• QEMU – Processor emulator and virtualizer
10. Hypervisor
• KVM turns the Linux kernel into a hypervisor, and each virtual instance becomes a Linux process
• Host processor must support virtualization extensions: egrep '(vmx|svm)' /proc/cpuinfo
• Originally used shadow page tables for virtual-to-physical memory translation
• Now uses Intel's Extended Page Tables or AMD's Nested Page Tables for faster memory translation
11. Processor Emulator
• Runs instance code on the host CPU
• Provides the ability for the virtual instance to access the physical host's I/O resources
• Uses the malloc() function for memory allocation
• The virtual instance sees the malloc()-allocated memory as its "physical" memory
14. Eucalyptus – Front End Server
• Manages underlying resources
• Provides bucket storage (images, data)
• Provides block-level storage
• Controls execution of instances
15. Eucalyptus – Node
• Uses the KVM hypervisor to control instances
• The kernel interfaces with the host hardware
• Runs instance code on the host CPU
• Hosts the virtual instances that hold guest operating systems
• KVM is a Linux-kernel-based full virtualization solution
17. Virtual Introspection
• The process of monitoring virtual instance state from a virtual machine monitor (VMM)
• Two examples:
– QEMU-Monitor
• QEMU provides a monitoring interface to control and inspect a virtual instance
– libvirt
• A toolkit to interact with KVM/QEMU in order to control a virtual instance
18. Example 1: QEMU-Monitor
• Can inspect a running virtual instance (screenshots, memory dumps, information about the instance)
• Can be accessed through:
– Holding down CTRL-ALT plus SHIFT-2, which brings up a new window with the QEMU-Monitor
– AQEMU (a QEMU GUI)
– libvirt
19. Example 2: libvirt
• A toolkit to interact with QEMU and the hypervisor
• 3 main pieces:
– API library
– libvirtd daemon
– virsh command-line utility
• libvirt allows for scripting of the QEMU-Monitor:
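A minimal sketch of that scripting hook, using the libvirt Python bindings (the libvirt-python package and its libvirt_qemu pass-through extension); the instance name Shawn2 comes from the scenario below, while the dump path is our own placeholder:

import libvirt        # core libvirt API bindings
import libvirt_qemu   # QEMU pass-through extension (qemuMonitorCommand)

conn = libvirt.open("qemu:///system")   # connect to the local hypervisor
dom = conn.lookupByName("Shawn2")       # locate the running virtual instance

# Send a human-monitor-protocol (HMP) command exactly as it would be typed
# at the QEMU-Monitor prompt; here, dump 512 MB of guest "RAM" to a file.
reply = libvirt_qemu.qemuMonitorCommand(
    dom,
    "pmemsave 0 536870912 /tmp/shawn2-memory.dump",
    libvirt_qemu.VIR_DOMAIN_QEMU_MONITOR_COMMAND_HMP,
)
print(reply)
conn.close()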
21. QEMU Monitor – 'pmemsave'
• Command that dumps a virtual instance's "RAM" to a file
• The instance sees this "RAM" as its physical memory, but it is really virtual
• pmemsave 0 536870912 memory.dump
– 0 = starting memory offset in bytes
– 536870912 = number of bytes to dump (512 MB)
– memory.dump = output file name
22. Virtual Introspection – Scenario
• A forensics examiner would like to crack the password of username shawn on virtual instance Shawn2
• Here is a video of the manual process:
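The video is not reproduced here. As a rough sketch of the offline step that would follow the memory dump, the script below scans the dump for crypt(3)-style shadow records belonging to shawn and prints candidates to feed into a password cracker; the dump path and the assumption that such records sit in guest memory are ours, not the deck's:

import re

# crypt(3)-style record for user "shawn", e.g. shawn:$6$salt$hash (assumed format)
PATTERN = re.compile(rb"shawn:\$[0-9a-z]+\$[^:\s]+")

with open("/tmp/shawn2-memory.dump", "rb") as dump:
    data = dump.read()   # 512 MB fits in memory for a one-off analysis

for match in sorted(set(PATTERN.findall(data))):
    print(match.decode(errors="replace"))   # candidate lines for john/hashcat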
28. What is Ephemeral Storage?
• The space left over after the file system is installed and swap space is allocated
• Virtual instances without persistent storage will utilize ephemeral storage for user data
• Example:
– Virtual Disk Total – Filesystem – Swap = Ephemeral
29. Scenario 1:
A. A cloud tenant cancels their subscriber agreement
B. Cloud provider shuts down and terminates the previous tenant's instance
C. New tenant signs up and an instance is launched
D. Is it possible for the new tenant to recover the previous tenant's ephemeral data?
30. Scenario 1: Item A. (Old Tenant)
A cloud tenant cancels their subscriber agreement
• Node B has an 80 GB physical drive
• We created and launched a virtual instance sized to 107 GB (Instance ID – i-47AC0940)
– This allows the majority of the physical drive to be allocated as ephemeral storage, ensuring some overlap with the next tenant's instance
31. Scenario 1: Item A. (Ephemeral)
• Ephemeral space of Instance ID i-47AC0940
• c1.xlarge – /dev/sda = 107.4 GB
– /dev/sda1 = root filesystem (1.5 GB)
– /dev/sda2 = ephemeral (103 GB)
– /dev/sda3 = swap (3.1 GB)
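– Sanity check with the slide-28 formula: 107.4 GB − 1.5 GB − 3.1 GB ≈ 102.8 GB, matching the reported 103 GB of ephemeral space once rounding is accounted for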
32. Scenario 1: Item A. (Seed Data)
• A unique seed was needed to simulate the prior tenant's ephemeral data
• We picked:
– SecurityByObscurityIsNoSecurityAtAll!
– Hex: 536563757269747942794f627363757269747949734e6f53656375726974794174416c6c21
• Two Python scripts were used to create and plant the seed throughout the instance's ephemeral space
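Those two scripts are not included in the deck; a minimal sketch of the planting step, assuming the ephemeral partition appears inside the instance as /dev/sda2 (per the layout above) and writing one copy of the seed per megabyte, might look like:

SEED = b"SecurityByObscurityIsNoSecurityAtAll!"
STRIDE = 1024 * 1024   # plant one copy of the seed per 1 MB of ephemeral space

with open("/dev/sda2", "r+b") as dev:   # raw ephemeral partition (assumed path)
    dev.seek(0, 2)                      # seek to the end to learn the size
    size = dev.tell()
    for offset in range(0, size - len(SEED), STRIDE):
        dev.seek(offset)
        dev.write(SEED)                 # scatter the seed across the partition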
33. Scenario 1: Item B. (Termination)
Cloud provider shuts down and terminates the previous tenant's instance
• A search performed with od and grep verified that the seed data plant was successful
• In HybridFox we terminated instance i-47AC0940
34. Scenario 1: Item C. (New Tenant)
New tenant signs up and an instance is launched
• A new instance of the same 107 GB size was created and launched, which ensures some overlap with the prior terminated instance
• (New Instance ID – i-476B083A)
35. Scenario 1: Item D. (Analysis)
Is it possible for the new tenant to recover the previous tenant's ephemeral data?
• A search was run with the Linux tool od plus mmcat, img_cat, and sigfind from The Sleuth Kit (TSK); see the sketch below
• No traces of the original seed were found in the new instance!
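For illustration, a chunked scan equivalent to that od search (reusable for the item-B verification as well) might look like the following; the device path and chunk size are assumptions, and a small tail is carried between reads so seeds straddling a chunk boundary are still counted:

SEED = b"SecurityByObscurityIsNoSecurityAtAll!"
CHUNK = 64 * 1024 * 1024   # 64 MB reads keep memory use modest

hits = 0
with open("/dev/sda2", "rb") as dev:   # ephemeral partition (assumed path)
    tail = b""
    while True:
        block = dev.read(CHUNK)
        if not block:
            break
        buf = tail + block
        hits += buf.count(SEED)
        tail = buf[-(len(SEED) - 1):]  # overlap so boundary-spanning hits count
print(f"seed occurrences: {hits}")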
36. Scenario 1: Conclusion
A new Eucalyptus cloud tenant is NOT able to recover a previous tenant's ephemeral data!
Scenario 2:
What about a forensics examiner looking at the entire physical disk after termination?
37. Scenario 2: Physical Disk – Analysis
• After the new instance was created, we used Helix 2009 on Node B and took a bit-for-bit copy of the entire physical drive with the enhanced dd program dcfldd
• We then loaded the dd image into the forensic analysis software EnCase and ran a search for the planted seed string.
39. Scenario 2: Physical Disk – Conclusion
• Seed data is found all over the physical drive!
– Why is the seed data not found from within the new instance but found on the physical drive?
– Sparse files!
40. Sparse Files
• Use file system space more efficiently by not physically allocating the empty blocks of a file
• Only metadata representing the empty blocks is written, until a block contains actual (non-empty) data
– This is why a 107 GB disk file can be created on an 80 GB node controller disk
– It is also why a virtual disk can be created so quickly
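A small experiment makes this concrete: on a Linux file system that supports holes, a file's logical size and its actual on-disk allocation can differ wildly (the 107 GB figure mirrors the instance disk; the path is an arbitrary choice):

import os

path = "/tmp/sparse-demo.img"
with open(path, "wb") as f:
    f.seek(107 * 1024**3 - 1)   # jump to the 107 GB mark without writing data
    f.write(b"\0")              # one real byte; the rest is a metadata "hole"

st = os.stat(path)
print("logical size :", st.st_size, "bytes")          # ~107 GB
print("on-disk size :", st.st_blocks * 512, "bytes")  # only a few KB
os.remove(path)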
41. Eucalyptus – Ephemeral Partition
• An ephemeral partition can be created with all of its space pre-allocated, or it can use sparse files to simply reserve the empty space.
• If Eucalyptus were to allocate the entire space upfront without sparse files, it would use the following dd command to sanitize prior session data:
42. Ephemeral Fully Allocated
"dd bs=1M count=%lld if=/dev/zero of=%s/ephemeral 2>/dev/null"
– (if=/dev/zero) destroys preexisting data by filling the ephemeral partition with zeroes
43. Ephemeral Sparsely Allocated
• If Eucalyptus thin-provisions the disk via the use of sparse files:
– Outside the virtual instance: the physical host sees the sparse space as empty holes
– Inside the virtual instance: the instance sees the sparse space as zeroes, even though zeroes are not physically written
44. Final Conclusions
• The virtual instance can't see the seed because KVM translates sparse space into zeroes.
• The seed can be seen on the physical drive because the sparse file mechanism doesn't really write zeroes to the space; it only uses metadata to "reserve" the space.
45. Non-Eucalyptus Environments
• libvirt also has a secure wiping utility:
– A forensics examiner could check virsh.log to see if either of these commands was used on a non-Eucalyptus system:
• Overwrites existing data with all zeroes or a specific pattern:
– # virsh vol-wipe <volume>
• Deletes the volume file, but data is still present on the storage device:
– # virsh vol-delete <volume>
• libvirt supports:
– KVM/QEMU, Xen, VMware, Microsoft Hyper-V, etc.
46. Documents
• Please email us if you would like a copy of our documentation:
– Technical Document
– User Manual (Cloud Creation, Introspection Tools, Script Code)