Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform
Date
2013-08
Citation of Original Publication
Josiah Dykstra, Alan T. Sherman, Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform, Digital Investigation Volume 10, Supplement, August 2013, Pages S87-S95, https://doi.org/10.1016/j.diin.2013.06.010
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 DEED)
https://creativecommons.org/licenses/by-nc-nd/4.0/
Abstract
We describe the design, implementation, and evaluation of FROST, three new forensic tools for the OpenStack
cloud platform. Operated through the management plane, FROST provides the first dedicated forensics capabilities for
OpenStack, an open-source cloud platform for private and public clouds. Our implementation supports an
Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs.
Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the
operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust
in the cloud provider but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in
hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic
examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We
demonstrate through examples how forensic investigators can independently use our new features to obtain
forensically-sound data. Our evaluation demonstrates the effectiveness of our approach to scale in a dynamic cloud environment.
The design supports an extensible set of forensic objectives, including the future addition of other data preservation,
discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.