We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byZayne Bushey
Modified over 2 years ago
© University of South Wales Information Assurance in a Distributed Forensic Cluster Nick Pringle a *, Mikhaila Burgess a a University of South Wales (formerly University of Glamorgan), Treforest, CF37 1DL, UK
© University of South Wales Introduction As data quantities increase we will need to adopt alternative models in our forensic processing environments. We believe that Distributed Processing will play a key part in this. We believe existing practice breaks down in a distributed system. We’re going to show our design for a framework that provides data assurance in a distributed storage environment. 2
© University of South Wales “Forensic Soundness” It’s a key part of our discipline It’s quite hard to define Existing standards and frameworks are a little vague It’s all down to accepted Best Practice It’s achieved by implementing ‘controls’ 3
© University of South Wales ‘Internal Controls’ on the Forensic Process –By Property, eg. cryptographic hashes, sizes, name! –By Location, eg. on specific media, network storage –By Authority, eg. order and response form –By Access Control, eg. write blocker, password –By Separation of Process, eg. crime scene and lab work –By Checklist, eg. have all the tasks been completed? –By Audit, but this is after the process 4
© University of South Wales At the bedrock of Forensics The Forensic Image –It’s a snapshot at a point in time –It is complete, including Boot Sectors, Unallocated space, HPA, HPC areas –Rather like the pieces of a Jigsaw, the parts form a whole. –We can measure it with SHA-1 etc 5
© University of South Wales ‘Traditional’ Architectures Based around a ‘Forensic Image’ 6 Forensic Image Stores
© University of South Wales A time of Great Change In ‘the Golden Age’ life was so simple (Simson Garfinkel, 2010) 3V – Volume, Variety and Velocity (Gartner, 2007) We now have Desktops, notebooks, netbooks, Virtualisation, Cloud storage, Cloud Processing, Smart Phones, Tablets, SatNav, USB Sticks, Memory cards, Terabyte drives, games machines, Cameras, etc. We find it difficult to cope with the sheer volume of data We have a backlog 7
© University of South Wales ‘Traditional’ Architectures Based around a ‘Forensic Image’ 8 This is limited to SATA3 and 32 cores? Forensic Image Stores SATA3 = 600MB/s SSD Read = 500MB/s If 1 Core can process 4 MB/s This could occupy 150 cores Processor constrained Gigabit Network = 100MB/s This can supply only 50 cores Network constrained
© University of South Wales Anticipated Developments Multi tera-byte crime scenes Multi-Agency Access Multi Device Analysis Complex processing, image and object recognition Semantic meaning of text usage profiling Google had the same type of Problem 9
© University of South Wales Google/Apache Hadoop 10 A processing Model - Map/Reduce A File System - HDfs 1.Split the data as whole files (SIPs/DEBs) across the cluster and 2.Don’t move the data Run the program where the data is stored
© University of South Wales Solutions and Opportunities Distributed processing is one that interests me 11
© University of South Wales Distributed Architecture 12 Encrypted and Secure VPN
© University of South Wales We lose “The Image” Distributed storage of acquired information packages is in direct conflict with ‘the image’ The image’s integrity comes, primarily, from it’s wholesomeness We lose the integrity we have enjoyed for 20 years We need to re-establish Assurance 13
© University of South Wales Distributed Data needs to appear as a single file system 14
© University of South Wales FUSE File-Systems 15 Application Program
© University of South Wales 16 FUSE File-Systems Application Program
© University of South Wales 17 FUSE File-Systems Application Program
© University of South Wales FUSE File System in Forensics Forensic discovery auditing of digital evidence containers, Richard, Roussev & Marziale (2007) Selective and intelligent imaging using digital evidence bags. In: Proceedings of the sixth annual digital forensics research workshop (DFRWS), Lafayette, IN; Aug Turner P. Affuse (Simson Garfinkel) MountEWF Xmount for VirtualBox or VMWare format disk images. 18
© University of South Wales FClusterfs – A wish list The ability to store extended directory/file meta data We want unaltered legacy software to run. New software requires no new skillset. Sculptor, bulk_extractor etc will still work Gives access to files on remote servers where they’re stored as whole files The ability to handle multi storage volumes from different media Has end to end encryption built-in Tracks movements and processing: Logging. Is Read Only to the user Highly tailorable access control at volume, directory and file levels 19
© University of South Wales Existing FUSE File-Systems 20 MySQLfs - Substitutes an SQL database for the file-system CurlFTPfs – Mounts an ftp/ssh/sftp/http/https server Loggedfs – Records all file access activity eCryptfs – Encrypts and decrypts data per file on the fly ROfs – a read only file system
© University of South Wales Distributed Data appearing as a single file system 21 MySQLfs Directory FileA FileB FileC FileD FileE FileF FileA FileB FileF FileC FileD FileE eCryptfs CurlFTPfs ROfs Loggedfs
© University of South Wales FClusterfs 22 Host B ftp Server File2 File3 FClusterfs Mount File1 File2 File3 Host A FClusterfs Mount File1 File2 File3 ftp Server File1 Remote Connection – Slower - Ethernet Local Connection – Faster – SATA RAM Connection – even faster – BUS speed! fclusterfs --mysql_user=me --mysql_password=mypassword --mysql_host= mysql_database=fclusterfs --volume=74a8f0f627cc0dc6 --audituser='Investigator Name' /home/user/Desktop/fsmount
© University of South Wales Password varchar(45) FClusterfs – MySQL Tables 23 VolumeListing inodes serveraccessinfo metadata tree
© University of South Wales Our Submission Information Package (SIP/DEB) 24 Header Section Nick Pringle A Villainous Crime 12/May/ :25:23 This is a small 1GB memory stick taken from the desk of the suspect Friday, November :42:52 GMT Friday, November :42:52 GMT 74a8f0f627cc0dc6 My Label /mhash/lib/keygen_s2k.c Dumping attribute $STANDARD_INFORMATION (0x10) from mft record 150 (0x96) Resident: Yes Attribute flags: 0x0000 0x00 ARCHIVE (0x ) Dumping attribute $FILE_NAME (0x30) from mft record 150 (0x96) Resident: Yes Resident flags: 0x01 Parent directory: 136 (0x88) File Creation Time: Sat Jul 20 18:25: UTC File Altered Time: Sat Jul 20 18:25: UTC MFT Changed Time: Sat Jul 20 18:25: UTC Last Accessed Time: Sat Jul 20 18:25: UTC Dumping attribute $DATA (0x80) from mft record 150 (0x96) Resident: No Attribute flags: 0x0000 Attribute instance: 2 (0x2) Compression unit: 0 (0x0) Actual Data size6066 (0x17b2) Allocated size: 8192 (0x2000) >>: 6066 (0x17b2) A8724ACDB2135FE66EB7BE554CCF16091FBC D7A6B1A3F17E33A1F15BF8B815EC4B13410EFED3 FC0198EF2F7782EF9EA E6E3A48B86256D Data Section begin-base FC0198EF2F7782EF9EA E6E3A48B86256D.cpt Dlevh4eFxd761tZ1zaPShNPDvGkB1FZn8UJiMY3zLCOAWKyj5CiPQSQOEGdU KzhQCN3oG0Xh27lSyydHHwA7cCSeRS012Sv74NF16GixZ4f8qx7fMwtV73Ld W9K53EwHUGnbHUw6WEOm0wh9ch8QvJcPcPvW3oIdQAA0HEBaB45I3XOaAr95 Yq37pBkMblDlC+/fu5ueFt6voIcPM9tD53GrO0G0T/6wAaPAqNEDWcCZTztj bRH+FELEM9rxZidX8/glPd/UBXbgZ/IjSIsknIsZG+KMZhJg1AWxmniKj633 A0qeD/Fny9gj1i7f2RhCWrd78y2fXKt4YA/nM4osibDh1o9QsiGTjtrkdFM4 fy4rHA6w98UdIwvROiH+roMKx0twdiDgy+zlvgvSohF9PKMn5Nq7Y4KLw19k p53JixBHilkoKefebVTybKNxNMh6c4QiNZucKQqRQWvVlYMgwqVbzqWiJQPM 5Mzhks7gDqZCx5s5QIl99w9fczGwurXn9yMjnNzGurFG32fo8ve/hoEAgsO6 slJ3/suViTtD+L97BrPqrsnkSv/gOr3aldEfstRgiA0A/v7ApAP6zDOe0TXD HHZ3OkRfopu4HAy+k234k6HQRkvveoS2T53Jz6HrCSplAh2xqpMjRiTl5PF+ EpiHiyy3w8zX5oAgNMdkm/Nwv+CwESi8JnAbaCkcOEbiusNfjtxsF/SnaDPq CzX2ezaKu9ElvLcqYDJA2ycQFw4MXy3Vr4gXNdg456Ael7nJbtfARZFrchg8 /bhN5itxLOda8/BjMlsA9zE9cXAPUM3W5bANniu75AXkbrI6yQDpsO5Kdf0Y
© University of South Wales FClusterfs – MySQL Tables 25 VolumeListing inodes audit serveraccessinfo WorkflowTasks metadata tree nodestate Password varchar(45)
© University of South Wales FCluster Architecture Roles and Zones Acquisition Authority Imager FClusterfs metadata storage Metadata Import/Load Balancer Replicator Data Storage Server Processing Server Results Meta Data table 26
© University of South Wales Assurance Zones – Acquisition - Overview 1.The cluster issues an “authority to image”. This includes a “one time use” key to be used to encrypt the evidence. 2.The imaging device creates the image, SIP/DEB of the file directory and SIP/DEBs of the file data which are encrypted using the one time use key. 3.SIP/DEBs are pushed/pulled to the cluster 27
© University of South Wales 28 Assurance Zones – Acquisition – Detail 1 of 6
© University of South Wales 29 Assurance Zones – Acquisition – Detail 2 of 6
© University of South Wales 30 Assurance Zones – Acquisition – Detail 3 of 6
© University of South Wales 31 Assurance Zones – Acquisition – Detail 4 of 6
© University of South Wales 32 Assurance Zones – Acquisition – Detail 5 of 6
© University of South Wales 33 Assurance Zones – Acquisition – Detail 6 of 6
© University of South Wales Assurance Zones Metadata Import/Load Balancing - Overview 1.The File directory SIP is imported by decrypting with the one-time key generated for the Acquisition. 2.The VolumeID table is updated Only if the directory SIP import was successful 1.Storage locations are chosen and the inodes table is updated accordingly Each Data SIP File is opened and the Loadbalancer reads the header and chooses primary storage based on the ability of the node to deal with this SIP type. 34
© University of South Wales Assurance Zones – Metadata Import – Detail 1 of 6 35
© University of South Wales Assurance Zones – Metadata Import – Detail 2 of 6 36
© University of South Wales 37 Assurance Zones – Metadata Import – Detail 3 of 6
© University of South Wales 38 Assurance Zones – Metadata Import – Detail 4 of 6
© University of South Wales 39 Assurance Zones – Metadata Import – Detail 5 of 6
© University of South Wales 40 Assurance Zones – Metadata Import – Detail 6 of 6
© University of South Wales Assurance Zones – Distribution - Overview 41 1.Each SIP/DEB is read and only if it is expected, ie found in the inodes table, it is copied to the location as recorded in the inode table 2.The SIP is unpacked, decrypted and header data added to the meta-data table 3.The inodes table is updated with the storage data status 4.In due course, the SIP/DEB will be replicated to 2 other locations and the inodes table updated accordingly.
© University of South Wales Assurance Zones – Distribution – Detail 1 of 2 42
© University of South Wales 43 Assurance Zones – Distribution – Detail 2 of 2
© University of South Wales Assurance Zones – Processing - Overview 44 1.Using the processing table, a standard set of tasks is run on the data stored locally on the host 2.Results are usually recorded as XML formatted data in the results table within the same database referenced by inode number.
© University of South Wales Assurance Zones – Processing – Detail 1 of 1 45
© University of South Wales Audit 46
© University of South Wales Mounting the file system 47 2 Select a file system from multiple available 3 Choose a mount point 1 Connect to a database 4 Mount The mounted FClusterfs file system is indistinguishable from a ‘normal’ file system
© University of South Wales Latency and Multi-threading and Parallel Processing 48 Linear Processing Multi-Threading/ Parallel/ Distributed Processing Task setupProcessingTask closure
© University of South Wales Why is this the right approach? This could be achieved within an application program but each package would to implement it and gain approval. Working at file system level the efficacy is global Interaction with FClusterfs is unavoidable Fclusterfs controls data access and maintains Assurance 49
© University of South Wales In Summary Distributed processing is a prime candidate to reduce the backlog but there are problems We lose ‘the image’; one of the foundations that has evolved in digital forensics over the last 20 years We can replace it by learning from, not adopting, Hadoop 50
© University of South Wales Funded by… 51
© University of South Wales Information Assurance in a Distributed Forensic Cluster Questions? 52
PP Test Review Sections 6-1 to 6-6 Mrs. Rivas 1. 2.
BMU - E I 1 Development of renewable energy sources in Germany in
BMU – KI III 1 Development of renewable energy sources in Germany in
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
×1= 9 4 1×1= 1 5 8×1= 8 6 7×1= 7 7 8×3= 24.
Time for a BREAK! You have 45 Minutes. Time Left 44.
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
C Copyright © 2005, Oracle. All rights reserved. Practice Solutions.
Break Time Remaining 10:00. Break Time Remaining 9:59.
1 hi at no doifpi me be go we of at be do go hi if me no of pi we Inorder Traversal Inorder traversal. n Visit the left subtree. n Visit the node. n Visit.
Copyright © Action Works 2008 All Rights Reserved - Photos by David D. Kempster 1.
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
David Burdett May 11, 2004 Package Binding for WS CDL.
Operating Systems Operating Systems - Winter 2010 Chapter 3 – Input/Output Vrije Universiteit Amsterdam.
Sample Service Screenshots Enterprise Cloud Service 11.3.
13:00 Clock will move after 1 minute PPT – VCIC Timer 15.ppt.
Adding Up In Chunks. Category 1 Adding multiples of ten to any number.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
AP STUDY SESSION 2. Answers 1.A 2.E 3.A 4.D 5.B 6.E 7.B 8.E 9.A 10.D 11.C 12.B 13.D 14.B 15.E 16.A 17.E 18.C 19.C 20.D 21.B 22.C 23.A 24.D 25. B 26. E.
Petersons Practice AP Exam Cengage Learning Infotrack Database.
Custom Services and Training Provider Details Chapter 4.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
MaK_Full ahead loaded 1 Alarm Page Directory (F11)
Exarte Bezoek aan de Mediacampus Bachelor in de grafische en digitale media April 2014.
Chapter 13 Fluids Physics for Scientists & Engineers, 3 rd Edition Douglas C. Giancoli © Prentice Hall.
Speak Up for Safety Dr. Susan Strauss Harassment & Bullying Consultant November 9, 2012.
Plan My Care Brokerage Training Working in partnership with Improvement and Efficiency South East.
1 Budapest University of Technology and Economics, BME, 1872 Budapest University of Technology and Economics, BME, 1872 Happy New Year 2012.
Chapter 12 Membrane Transport Essential Cell Biology Third Edition Copyright © Garland Science 2010.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt Synthetic.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 6 Processes and Operating Systems.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
CALENDAR NEW CALENDAR
DLMSO Classroom Timer Select a time to count down from the clock above 60 min 45 min 30 min 20 min 15 min 10 min 5 min or less.
Numbers Treasure Hunt
Table 12.1: Cash Flows to a Cash and Carry Trading Strategy.
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
PSSA Preparation. Question 1(no calculator) D Question 2 (no calculator)
by D. Fisher (2 + 1) + 4 = 2 + (1 + 4) Associative Property of Addition 1.
1 STANDARD 1.3 Converting a Fraction to % Problem 1 Problem 4 Problems 3 Problem 2 Problem 5 END SHOW PRESENTATION CREATED BY SIMON PEREZ. All rights reserved.
Symantec 2010 Windows 7 Migration Global Results.
Threads, SMP, and Microkernels Chapter 4 1. Process Resource ownership - process includes a virtual address space to hold the process image Scheduling/execution-
1 Turing Machines. 2 A Turing Machine Tape Read-Write head Control Unit.
Subtraction: Adding UP. Category 1 The whole is a multiple of ten.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt RhymesMapsMathInsects.
© 2016 SlidePlayer.com Inc. All rights reserved.