Improving Lawful Interception in Virtual Datacenters
Authors: Daniel Spiekermann, J. Keller, Tobias Eggendorfer
Published in: Proceedings of the Central European Cybersecurity Conference 2018 (2018-11-15)
DOI: 10.1145/3277570.3277578 (https://doi.org/10.1145/3277570.3277578)
The rise of cloud computing led to the need for highly flexible and dynamic infrastructures that can simultaneously handle a variety of different applications, the accruing big data and the requests of various customers. Through virtualization, modern datacenters provide an environment for cloud computing infrastructures. In these environments hundreds of thousands of physical servers host hundreds of thousands of virtual machines. This huge number of involved systems, as well as the additional virtual layer inside these environments, impedes lawful interceptions and network forensic investigations, which are performed to wiretap a suspicious system. Without any constraints, all phases of a network forensic investigation face challenges such as accessing and capturing packets on virtual network interface cards, recording the captured packets on hardware devices, and subsequently analyzing encapsulated network packets. Due to the huge number of relevant systems, the investigation becomes inflexible and slow, which prevents a valid and usable wiretapping of a suspicious system. In this paper we propose an improvement of the packet capture process, which in turn enhances the recording and the subsequent analysis of the lawful interception. By reducing the number of relevant physical servers, the number of involved hosting servers is decreased. In combination with further information about the virtual environment, an enhanced process is possible, which ensures a valid lawful interception of the relevant network traffic.