A RAM triage methodology for Hadoop HDFS forensics

This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through t...

Detailed description

Saved in:
Bibliographic details
Published in: Digital investigation 2016-09, Vol.18, p.96-109
Main authors: Leimich, Petra, Harrison, Josh, Buchanan, William J.
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 109
container_issue
container_start_page 96
container_title Digital investigation
container_volume 18
creator Leimich, Petra
Harrison, Josh
Buchanan, William J.
description This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.
doi_str_mv 10.1016/j.diin.2016.07.003
format Article
fulltext fulltext
identifier ISSN: 1742-2876
ispartof Digital investigation, 2016-09, Vol.18, p.96-109
issn 1742-2876
1873-202X
language eng
recordid cdi_proquest_journals_1825437314
source Access via ScienceDirect (Elsevier)
subjects Big data
Cloud storage forensics
Computer forensics
Data analysis
Digital forensics
Distributed filesystem forensics
Hadoop forensics
Investigations
RAM forensics
Simulation
Triage
title A RAM triage methodology for Hadoop HDFS forensics