Evaluation of a Sector-Hash Based Rapid File Detection Method for Monitoring Infrastructure-as-a-Service Cloud Platforms

Manabu Hirano, Hayate Takase, Koki Yoshida
Published in: 2015 10th International Conference on Availability, Reliability and Security
Publication date: 2015-08-24
DOI: 10.1109/ARES.2015.15 (https://doi.org/10.1109/ARES.2015.15)
Citations: 6

Abstract

Current computer forensics tools have some limitations on anti-forensics attacks, cloud computing, and a large increase in the size of forensics targets. To solve these problems, this paper proposes a system that preserves storage data on virtual machines by acquiring all data sectors with time stamps. The proposed system can restore a previous state of a block device at any date and time that is specified by an investigator. The proposed system aims to monitor users' behavior in Infrastructure-as-a-Service (IaaS) cloud platforms. This paper also presents a rapid file detection system that finds a target file from a large collection of the acquired data sectors by using sector-hashes and parallel distributed processing. This system enables investigators to track and to find a target file that is related to incidents or crimes in the cloud. First, this paper reports the preliminary experiments of a sector-hash based file detection method on three major operating systems for evaluating its effectiveness. We present a design and an implementation of the proposed monitoring and target file detection system by using Xen hypervisor and MapReduce. We report results of its performance evaluation. Finally, we discuss possible methods to improve the performance and the limitations of the current proposed mechanism.