A RAM triage methodology for Hadoop HDFS forensics
This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through t...
Gespeichert in:
Veröffentlicht in: | Digital investigation 2016-09, Vol.18, p.96-109 |
---|---|
Hauptverfasser: | , , |
Format: | Artikel |
Sprache: | eng |
Schlagworte: | |
Online-Zugang: | Volltext |
Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
container_end_page | 109 |
---|---|
container_issue | |
container_start_page | 96 |
container_title | Digital investigation |
container_volume | 18 |
creator | Leimich, Petra Harrison, Josh Buchanan, William J. |
description | This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project. |
doi_str_mv | 10.1016/j.diin.2016.07.003 |
format | Article |
fullrecord | <record><control><sourceid>proquest_cross</sourceid><recordid>TN_cdi_proquest_journals_1825437314</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><els_id>S1742287616300780</els_id><sourcerecordid>4202802291</sourcerecordid><originalsourceid>FETCH-LOGICAL-c372t-17cdb33c8314d4df883a306eaeef08f9f479b33f67d63c554aa52fde9b96c57b3</originalsourceid><addsrcrecordid>eNp9kE1LAzEQhoMoWKt_wNOC513zsbvJgpdSrStUBD_AW0iTSc3SbmqyFfrvzVLPnuYd5n1nhgeha4ILgkl92xXGub6gSReYFxizEzQhgrOcYvp5mjQvaU4Fr8_RRYwdxrRpqnKC6Cx7nT1nQ3BqDdkWhi9v_MavD5n1IWuV8X6XtfeLt7GHPjodL9GZVZsIV391ij4WD-_zNl--PD7NZ8tcM06HnHBtVoxpwUhpSmOFYIrhGhSAxcI2tuRNmtuam5rpqiqVqqg10KyaWld8xabo5rh3F_z3HuIgO78PfTopiaBVyXjanFz06NLBxxjAyl1wWxUOkmA5spGdHNnIkY3EXCY2KXR3DEH6_8dBkFE76DUYF0AP0nj3X_wXZfxrfw</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>1825437314</pqid></control><display><type>article</type><title>A RAM triage methodology for Hadoop HDFS forensics</title><source>Access via ScienceDirect (Elsevier)</source><creator>Leimich, Petra ; Harrison, Josh ; Buchanan, William J.</creator><creatorcontrib>Leimich, Petra ; Harrison, Josh ; Buchanan, William J.</creatorcontrib><description>This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.</description><identifier>ISSN: 1742-2876</identifier><identifier>EISSN: 1873-202X</identifier><identifier>DOI: 10.1016/j.diin.2016.07.003</identifier><language>eng</language><publisher>Kidlington: Elsevier Ltd</publisher><subject>Big data ; Cloud storage forensics ; Computer forensics ; Data analysis ; Digital forensics ; Distributed filesystem forensics ; Hadoop forensics ; Investigations ; RAM forensics ; Simulation ; Triage</subject><ispartof>Digital investigation, 2016-09, Vol.18, p.96-109</ispartof><rights>2016 Elsevier Ltd</rights><rights>Copyright Elsevier Science Ltd. Sep 2016</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c372t-17cdb33c8314d4df883a306eaeef08f9f479b33f67d63c554aa52fde9b96c57b3</citedby><cites>FETCH-LOGICAL-c372t-17cdb33c8314d4df883a306eaeef08f9f479b33f67d63c554aa52fde9b96c57b3</cites></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://dx.doi.org/10.1016/j.diin.2016.07.003$$EHTML$$P50$$Gelsevier$$H</linktohtml><link.rule.ids>314,780,784,3550,27924,27925,45995</link.rule.ids></links><search><creatorcontrib>Leimich, Petra</creatorcontrib><creatorcontrib>Harrison, Josh</creatorcontrib><creatorcontrib>Buchanan, William J.</creatorcontrib><title>A RAM triage methodology for Hadoop HDFS forensics</title><title>Digital investigation</title><description>This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.</description><subject>Big data</subject><subject>Cloud storage forensics</subject><subject>Computer forensics</subject><subject>Data analysis</subject><subject>Digital forensics</subject><subject>Distributed filesystem forensics</subject><subject>Hadoop forensics</subject><subject>Investigations</subject><subject>RAM forensics</subject><subject>Simulation</subject><subject>Triage</subject><issn>1742-2876</issn><issn>1873-202X</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2016</creationdate><recordtype>article</recordtype><recordid>eNp9kE1LAzEQhoMoWKt_wNOC513zsbvJgpdSrStUBD_AW0iTSc3SbmqyFfrvzVLPnuYd5n1nhgeha4ILgkl92xXGub6gSReYFxizEzQhgrOcYvp5mjQvaU4Fr8_RRYwdxrRpqnKC6Cx7nT1nQ3BqDdkWhi9v_MavD5n1IWuV8X6XtfeLt7GHPjodL9GZVZsIV391ij4WD-_zNl--PD7NZ8tcM06HnHBtVoxpwUhpSmOFYIrhGhSAxcI2tuRNmtuam5rpqiqVqqg10KyaWld8xabo5rh3F_z3HuIgO78PfTopiaBVyXjanFz06NLBxxjAyl1wWxUOkmA5spGdHNnIkY3EXCY2KXR3DEH6_8dBkFE76DUYF0AP0nj3X_wXZfxrfw</recordid><startdate>201609</startdate><enddate>201609</enddate><creator>Leimich, Petra</creator><creator>Harrison, Josh</creator><creator>Buchanan, William J.</creator><general>Elsevier Ltd</general><general>Elsevier Science Ltd</general><scope>AAYXX</scope><scope>CITATION</scope></search><sort><creationdate>201609</creationdate><title>A RAM triage methodology for Hadoop HDFS forensics</title><author>Leimich, Petra ; Harrison, Josh ; Buchanan, William J.</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c372t-17cdb33c8314d4df883a306eaeef08f9f479b33f67d63c554aa52fde9b96c57b3</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2016</creationdate><topic>Big data</topic><topic>Cloud storage forensics</topic><topic>Computer forensics</topic><topic>Data analysis</topic><topic>Digital forensics</topic><topic>Distributed filesystem forensics</topic><topic>Hadoop forensics</topic><topic>Investigations</topic><topic>RAM forensics</topic><topic>Simulation</topic><topic>Triage</topic><toplevel>online_resources</toplevel><creatorcontrib>Leimich, Petra</creatorcontrib><creatorcontrib>Harrison, Josh</creatorcontrib><creatorcontrib>Buchanan, William J.</creatorcontrib><collection>CrossRef</collection><jtitle>Digital investigation</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Leimich, Petra</au><au>Harrison, Josh</au><au>Buchanan, William J.</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>A RAM triage methodology for Hadoop HDFS forensics</atitle><jtitle>Digital investigation</jtitle><date>2016-09</date><risdate>2016</risdate><volume>18</volume><spage>96</spage><epage>109</epage><pages>96-109</pages><issn>1742-2876</issn><eissn>1873-202X</eissn><abstract>This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.</abstract><cop>Kidlington</cop><pub>Elsevier Ltd</pub><doi>10.1016/j.diin.2016.07.003</doi><tpages>14</tpages><oa>free_for_read</oa></addata></record> |
fulltext | fulltext |
identifier | ISSN: 1742-2876 |
ispartof | Digital investigation, 2016-09, Vol.18, p.96-109 |
issn | 1742-2876 1873-202X |
language | eng |
recordid | cdi_proquest_journals_1825437314 |
source | Access via ScienceDirect (Elsevier) |
subjects | Big data Cloud storage forensics Computer forensics Data analysis Digital forensics Distributed filesystem forensics Hadoop forensics Investigations RAM forensics Simulation Triage |
title | A RAM triage methodology for Hadoop HDFS forensics |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-23T11%3A11%3A42IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20RAM%20triage%20methodology%20for%20Hadoop%20HDFS%20forensics&rft.jtitle=Digital%20investigation&rft.au=Leimich,%20Petra&rft.date=2016-09&rft.volume=18&rft.spage=96&rft.epage=109&rft.pages=96-109&rft.issn=1742-2876&rft.eissn=1873-202X&rft_id=info:doi/10.1016/j.diin.2016.07.003&rft_dat=%3Cproquest_cross%3E4202802291%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1825437314&rft_id=info:pmid/&rft_els_id=S1742287616300780&rfr_iscdi=true |