Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

Date

2013-08

Department

Program

Citation of Original Publication

Josiah Dykstra, Alan T. Sherman, Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform, Digital Investigation Volume 10, Supplement, August 2013, Pages S87-S95, https://doi.org/10.1016/j.diin.2013.06.010

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 DEED)
https://creativecommons.org/licenses/by-nc-nd/4.0/

Abstract

We describe the design, implementation, and evaluation of FROST|three new forensic tools for the OpenStack cloud platform. Operated through the management plane, FROST provides the rst dedicated forensics capabilities for OpenStack, an open-source cloud platform for private and public clouds. Our implementation supports an Infrastructure- as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest rewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate through examples how forensic investigators can independently use our new features to obtain forensically- sound data. Our evaluation demonstrates the e ectiveness of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.