Two key features are missing from virtualization and cloud computing: auditing and forensics. The A6 project aims to fix this problem for auditing, but there is only some research into forensics. The issue is about discovering who did what, when, where, how, and hopefully why. Auditing plays into this for compliance but also for forensics. Forensics has two major components in its arsenal: audit trails and disk images.
When it comes to audit trails, many adopt the standard mechanisms that are required by Linux and UNIX hosts (at least for KVM, Xen, and ESX), with a few add-on auditing features specific to the management of the virtualization host. For Hyper-V, they treat everything like a Windows host.
For a start this may be adequate, but many bits and pieces are missing that would be helpful to a forensic study of the virtualization host, specifically where the VM has lived in the past, on disk as well as in memory. With tools that automate LiveMigration and the agility of the cloud, this task can become overwhelming. The audit trail may not even exist for such a discovery. Even if you could discover it, how do you get the data in a forensically sound manner?
So why is it so important where the virtual disk lived? Because when a virtual disk is moved, it leaves remnants of itself around. These remnants could contain clues as to what was going on, helping to answer that all-important question of who did what, when, where, how, and hopefully why. They also provide a historical timeline of the life of the VM, which also becomes important for forensics. In addition, there may be remnants of the memory footprint that could also be valuable.
However, most of this data becomes hard to find because disks are reused quite often, and once the virtual disk moves, it is no longer easy to extract this information. You may also pick up ‘collateral’ information from virtual disks other than the one you are researching. This disk information could violate city, state, organization, and country privacy policies in multi-tenant cloud environments. At the moment, forensics contents itself with the well-known virtual disk in its current form, not its past forms.
The lack of a proper audit trail within the virtual environment and the lack of a good forensic process also imply that forensic scientists must rely on the tried and true methods of gathering disk data: making bit-by-bit copies of all disks upon which the VM could live, for example the entire LUN of a SAN. If the virtual machine spans multiple LUNs, then each of those LUNs would also be collected. This could lead to issues within a multi-tenant cloud. The collateral damage due to a forensic study done by law enforcement could be disastrous and violate all sorts of privacy laws (depending on the data, of course).
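The placement timeline and the collateral exposure described above can be made concrete with a short script. This is an added example, not from the original article: the event schema, VM names, tenants, and LUN names are all constructed, and it assumes the platform records every create and migrate event, which the article notes may not be the case.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records: (timestamp, vm, tenant, event, host, datastore).
# The schema is hypothetical; it is not the log format of any real hypervisor.
EVENTS = [
    ("2016-03-01T08:00", "vm-web01", "tenantA", "create",  "esx1", "lun-01"),
    ("2016-03-01T09:00", "vm-db07",  "tenantB", "create",  "esx2", "lun-01"),
    ("2016-03-04T02:15", "vm-web01", "tenantA", "migrate", "esx3", "lun-02"),
    ("2016-03-05T11:00", "vm-crm02", "tenantC", "create",  "esx3", "lun-02"),
    ("2016-03-09T23:40", "vm-web01", "tenantA", "migrate", "esx2", "lun-03"),
    ("2016-03-10T10:00", "vm-hr01",  "tenantD", "create",  "esx4", "lun-04"),
]

def placement_history(events, vm):
    """Return [(start, end, host, datastore)] for vm; end is None if current."""
    rows = sorted((datetime.fromisoformat(ts), host, ds)
                  for ts, name, _, _, host, ds in events if name == vm)
    history = []
    for i, (start, host, ds) in enumerate(rows):
        # A placement ends when the next create/migrate event for the VM begins.
        end = rows[i + 1][0] if i + 1 < len(rows) else None
        history.append((start, end, host, ds))
    return history

def acquisition_scope(events, vm):
    """Map every datastore vm has lived on to the other tenants ever placed there.

    A bit-by-bit copy of the whole LUN would capture those tenants' data
    (current disks or remnants) along with the VM under investigation.
    """
    tenants_on = defaultdict(set)
    owner = None
    for _, name, tenant, _, _, ds in events:
        tenants_on[ds].add(tenant)
        if name == vm:
            owner = tenant
    return {ds: sorted(tenants_on[ds] - {owner})
            for _, _, _, ds in placement_history(events, vm)}

if __name__ == "__main__":
    for start, end, host, ds in placement_history(EVENTS, "vm-web01"):
        print(f"{start} -> {end or 'now'}: {host} on {ds}")
    for ds, others in acquisition_scope(EVENTS, "vm-web01").items():
        print(f"{ds}: imaging also captures data of {others or 'no other tenant'}")
```

With a trail like this, acquisition can be limited to the three LUNs the VM actually touched, and the tenants whose data would be swept up by a full-LUN image are known before any copy is made.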
Some companies, like Terremark, are working with law enforcement so that virtual disk images needed by forensic scientists are forthcoming without violating privacy and other policies. Unfortunately, this methodology has yet to be published.
The questions remain:
- Given the rich amount of forensic data available on a simple virtual environment, how does a forensic team extract this data with minimal impact to the environment?
- Does the audit trail provide enough information to grab all related data without violating privacy and other policies?
- Do the Introspection APIs aid in forensics?
The forensic software companies have quite a bit of catching up to do. The desktop is fairly well understood, but the datacenter still remains a mystery from a forensic perspective.