43 research outputs found

    Assessing the evidential value of artefacts recovered from the cloud

    Cloud computing offers users low-cost access to computing resources that are scalable and flexible. However, it is not without its challenges, especially in relation to security. Cloud resources can be leveraged for criminal activities and the architecture of the ecosystem makes digital investigation difficult in terms of evidence identification, acquisition and examination. However, these same resources can be leveraged for the purposes of digital forensics, providing facilities for evidence acquisition, analysis and storage. Alternatively, existing forensic capabilities can be used in the Cloud as a step towards achieving forensic readiness. Tools can be added to the Cloud which can recover artefacts of evidential value. This research investigates whether artefacts that have been recovered from the Xen Cloud Platform (XCP) using existing tools have evidential value. To determine this, it is broken into three distinct areas: adding existing tools to a Cloud ecosystem, recovering artefacts from that system using those tools and then determining the evidential value of the recovered artefacts. From these experiments, three key steps for adding existing tools to the Cloud were determined: the identification of the specific Cloud technology being used, identification of existing tools and the building of a testbed. Stemming from this, three key components of artefact recovery are identified: the user, the audit log and the Virtual Machine (VM), along with two methodologies for artefact recovery in XCP. In terms of evidential value, this research proposes a set of criteria for the evaluation of digital evidence, stating that it should be authentic, accurate, reliable and complete. In conclusion, this research demonstrates the use of these criteria in the context of digital investigations in the Cloud and how each is met. This research shows that it is possible to recover artefacts of evidential value from XCP.

    Enabling dCache to use preexistent mass storage systems

    As modern research relies more and more on computers, data storage is becoming a scarce resource for research projects, as well as a large part of the cost. Some projects try to solve this problem by relying on distributed data storage. It is therefore necessary, for some centers, to provide massive amounts of lower-cost storage based on tape libraries. The drawback to this approach is that performance decreases, particularly when dealing with large amounts of small files. Our goal is to create a hybrid between a high-cost, high-performance disk drive pool array and a lower-cost, not so high performance tape-based library. To this end we will link dCache, a distributed storage system, to Castor, a hierarchical storage management system, while creating virtual file systems containing large amounts of small files to improve the overall performance of the system.

    RLINKS: A MECHANISM FOR NAVIGATING TO RELATED FILES

    This thesis introduces Relative links or rlinks, which are directed labeled links from one file to another in a file system. Rlinks provide a clean way to build and share related-file information without creating additional files and directories. Rlinks form overlay graphs between files of a file system, thus providing useful alternate views of the file system. This thesis implements rlinks for the Linux kernel and modifies the storage structure of the Ext2 file system to store the rlinks.

    Lecture - CSCI 275: Linux Systems Administration and Security

    Lecture for CSCI 275: Linux Systems Administration and Security

    I/O Subsystem Optimalization Using SSD

    The bachelor thesis examines IO subsystem optimization using SSD cache to speed up HDDs. I examined possible server loads and identified those that are suitable for caching. In the first part I introduce 2 caching solutions, LVM cache and B-cache, with their management capabilities, and 2 filesystems, Ext4 and XFS. In the second part, the IO performance of LVM cache and B-cache with the Ext4 and XFS filesystems is benchmarked and compared to an uncached HDD array.

    TgFuseFs: How High School Students Can Write a Filesystem Prototype

    Italian high school students who are majoring in Computer Science usually study subjects like programming, databases, networks, system engineering, electronics and operating systems. While most of these subjects let the students practice with projects, operating systems is usually taught in a more theoretical way because practical projects either are too simple to be didactically useful or require too many prerequisites. Hence, components like filesystems are only studied in theory from a high-level point of view. We think that building a filesystem prototype could be considered active learning and could improve the operating systems learning experience. For this reason, in this work we will show how fifth year students with very few prerequisites can build their first working prototype of a remote filesystem in userspace using Python, FUSE and Telegram. Since the activity is designed for high school students, the prototype won’t be perfect, but we will present some of the issues that students should be aware of and more advanced students should address.

    Online Deduplication for Btrfs

    Btrfs is a copy-on-write Linux filesystem that has its own built-in volume management and supports efficient snapshotting. Online data deduplication is a technique of eliminating duplicate blocks before they are written out to disk. This feature saves storage space; however, it might decrease performance in some cases. The most notable use case for this feature is virtual machine image files. Most of the blocks are of the same content (same operating system) in these files and thus those blocks might be written out to disk just once. This thesis deals with the design and implementation of such a feature for the Btrfs filesystem.