Abstract

Preservation and data collection in cloud environments are difficult because forensic data are volatile and they are scattered in many servers. This paper describes a novel surveillance mechanism for virtual block devices on IaaS cloud environments. We first describe some related work on backup applications, versioning file systems, and virtual machine introspection systems that can be applied to cloud forensics. The proposed log-structured block preservation and restoration system can be used for recording cloud consumers' write operations on virtual block devices and for restoring the state of a virtual block device at an arbitrary point in time. This paper presents a design and an implementation of the proposed system by using Xen hypervisor. The prototype implementation achieved better read and write performance compared to the baseline driver provided by Xen when we ran four or more virtual machines simultaneously. This paper shows two forensic applications for preserved data blocks: a file tracking application and a novel diff command that supports time travel.
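To make the log-structured idea concrete, the following is an added, self-contained Python model that is not the paper's code or its Xen driver. It assumes a toy block size and integer timestamps, records every write to an append-only log (never overwriting in place), rebuilds the device state at an arbitrary point in time by replaying the log, and derives a "time travel" diff of which blocks changed between two instants. The hash chain over log records is an added assumption illustrating how a preserved log can be made tamper-evident; the paper's abstract does not describe one.

```python
"""Toy log-structured block preservation and restoration (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

BLOCK_SIZE = 8  # toy block size in bytes; a real virtual device uses 512 or 4096


@dataclass(frozen=True)
class WriteRecord:
    seq: int        # monotonically increasing sequence number within the log
    ts: int         # timestamp (seconds) recorded when the consumer's write arrived
    block: int      # block index on the virtual block device
    data: bytes     # full block contents; the log only appends, never overwrites
    digest: str     # hash chain: sha256(prev_digest || seq || ts || block || data)


class PreservedBlockDevice:
    """Records writes as a log and serves reads from the latest version of each block."""

    def __init__(self, n_blocks: int):
        self.n_blocks = n_blocks
        self.log: List[WriteRecord] = []
        self.current: Dict[int, bytes] = {}  # latest content per block index

    def _chain_digest(self, prev: str, seq: int, ts: int, block: int, data: bytes) -> str:
        h = hashlib.sha256()
        h.update(prev.encode())
        h.update(f"{seq}:{ts}:{block}:".encode())
        h.update(data)
        return h.hexdigest()

    def write(self, ts: int, block: int, data: bytes) -> WriteRecord:
        """Append one write; rejects out-of-range blocks and out-of-order timestamps."""
        if not 0 <= block < self.n_blocks:
            raise IndexError(f"block {block} outside device of {self.n_blocks} blocks")
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must cover one whole block")
        if self.log and ts < self.log[-1].ts:
            raise ValueError("timestamps must be non-decreasing")
        prev = self.log[-1].digest if self.log else ""
        seq = len(self.log)
        rec = WriteRecord(seq, ts, block, bytes(data),
                          self._chain_digest(prev, seq, ts, block, data))
        self.log.append(rec)
        self.current[block] = rec.data
        return rec

    def read(self, block: int) -> bytes:
        """Current content; never-written blocks read as zeros."""
        return self.current.get(block, b"\0" * BLOCK_SIZE)

    def restore(self, at_ts: int) -> Dict[int, bytes]:
        """Replay the log up to and including at_ts to rebuild the device state then."""
        state: Dict[int, bytes] = {}
        for rec in self.log:
            if rec.ts > at_ts:
                break  # log is ordered by timestamp, so later records can be skipped
            state[rec.block] = rec.data
        return state

    def diff(self, ts_a: int, ts_b: int) -> List[int]:
        """Block indices whose content differs between the states at ts_a and ts_b."""
        a, b = self.restore(ts_a), self.restore(ts_b)
        zero = b"\0" * BLOCK_SIZE
        return sorted(i for i in range(self.n_blocks)
                      if a.get(i, zero) != b.get(i, zero))

    def history(self, block: int) -> List[WriteRecord]:
        """Every preserved version of one block, oldest first (basis for file tracking)."""
        return [r for r in self.log if r.block == block]

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = ""
        for i, rec in enumerate(self.log):
            if rec.seq != i:
                return False
            if rec.digest != self._chain_digest(prev, rec.seq, rec.ts, rec.block, rec.data):
                return False
            prev = rec.digest
        return True


def demo() -> PreservedBlockDevice:
    """Constructed sample workload: a file written, overwritten, then new data added."""
    dev = PreservedBlockDevice(n_blocks=4)
    dev.write(100, 0, b"file-v1_")
    dev.write(200, 1, b"data-aaa")
    dev.write(300, 0, b"file-v2_")   # overwrite of block 0 keeps v1 in the log
    dev.write(400, 2, b"evidence")
    return dev


if __name__ == "__main__":
    d = demo()
    print("state at t=250:", d.restore(250))
    print("blocks changed 250->400:", d.diff(250, 400))
    print("versions of block 0:", [r.data for r in d.history(0)])
    print("log intact:", d.verify_log())
```

Replaying the whole log on every restore is linear in log length; a production system would checkpoint periodically and replay only from the nearest checkpoint, but the semantics shown here (point-in-time state, per-block history, and a diff between two instants) are the ones the abstract describes.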
