Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Bruce Ramsay
Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
Adrian Smales
Eamonn Keane
Cormac Callahan
Borka Jerman Blazic
Oliver Popov
The DFET (Digital Forensics Evaluation and Training) Cloud creates new training methods and techniques to support judicial authorities, law enforcement agencies and associated stakeholders in the fight against cybercrime, through the development of a virtual (cloud-based) cybercrime training environment that includes real-life simulation and scenario analysis. It is currently part-funded by DG Home – Prevention Of and Fight against Crime, and aims to improve crime detection rates by providing scenario-based training in line with the dynamic nature of cybercrime. Overall, DFET aims to create a training infrastructure that can share cyber training across Europe and allow access to hands-on environments regardless of the physical location of the trainer. Its core partners are Edinburgh Napier University, Joseph Stefan Institute (JSI), Stockholm University, Police Scotland, and Aconite Internet Solutions. This paper outlines the evaluation of running the Cloud-based system over two semesters at Edinburgh Napier University, and shows the performance footprint for five modules: e-Security (focusing on cryptography); Advanced Cloud and Network Forensics (mainly focused on security event information and network forensics); Network Security and Cryptography (focusing on firewalls, servers and cryptography); Security Testing and Advanced Network Forensics (mainly focused on penetration testing); and Host-based Forensics (mainly using EnCase). Over the two semesters, more than 400 students used the Cloud environment, mainly through a range of virtual machines, including Kali Linux, Ubuntu, EnCase, and a range of Windows servers and network devices (including firewalls), which in turn carried a range of tools and systems such as Snort IDS and Splunk SIEM. The current DFET Cloud contains four main cluster nodes, each running VMware vSphere 5.1, with VMware vCenter used to manage the instances.
This gives a total of 119 GHz of CPU, 520 GB of physical memory, and 18 TB of disk space. The paper shows the main architecture, and shows that all of the management components, such as a domain controller, are run as virtual machines. It outlines the PowerShell scripts and C# code used to automate the deployment of instances within the Cloud, and the footprint these create while deploying. Along with this, the paper shows the footprint over the past two semesters, covering CPU utilisation, disk activity and memory, and presents the peak workload around the start of a lab assignment. Over many years of using the Cloud infrastructure, the results show that an architecture based on creating a pool of clean instances is the best way to build the infrastructure. With this, the instances are created clean, with a snapshot, and once the lab has been completed the instance is, if required, cleaned and returned to the pool. This considerably reduces the footprint of instance creation, which can often swamp the system at the start of a lab. The results also highlight a key breakpoint in the Cloud, which occurred when over 80 students were completing their Penetration Testing coursework and working towards a 12pm deadline: the resources within the infrastructure became stressed and there was a considerable lag in remotely accessing the DFET Cloud. Overall the system coped, by increasing the memory allocation for vCenter and by stopping running instances that had been dormant for several weeks. In conclusion, the paper outlines best practice in creating and running a virtualised Cloud-based environment, and gives pointers on creating failover and backups and on optimising performance, while showcasing PowerShell scripts and C# to automate the creation of virtual machines for students. New plans for investment will show how DFET will scale, overcome many of the problems of the past, and support many more students.
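The "pool of clean instances" pattern the abstract recommends can be sketched with VMware PowerCLI, the PowerShell module for vSphere and vCenter. The script below is an added illustration written for this page; it is not the DFET project's own automation, and the vCenter address, template, host, datastore, VM naming prefix and the `PoolState` custom attribute are all assumed placeholders. It clones a fixed number of instances from a template, takes a `clean` snapshot of each before any use, hands an available instance to a student at lab time, and reverts and reclaims it afterwards, so the heavy cloning I/O happens once rather than at every lab start.

```powershell
#Requires -Modules VMware.PowerCLI
# Added example of a clean-instance pool for a vSphere lab cloud.
# Not the DFET project's code; every name below is an assumed placeholder.
param(
    [string]$VCenter   = 'vcenter.example.invalid',      # assumed vCenter address
    [string]$Template  = 'kali-lab-template',            # assumed VM template name
    [string]$VMHost    = 'esxi-node1.example.invalid',   # assumed cluster node
    [string]$Datastore = 'lab-datastore',                # assumed datastore
    [string]$Prefix    = 'POOL-KALI-',                   # naming convention for pool VMs
    [int]$PoolSize     = 20,                             # number of instances to keep ready
    [string]$CleanSnap = 'clean'                         # snapshot name for the pristine state
)

Connect-VIServer -Server $VCenter | Out-Null

# A custom attribute records whether each pool VM is free or assigned (assumed name).
if (-not (Get-CustomAttribute -Name 'PoolState' -ErrorAction SilentlyContinue)) {
    New-CustomAttribute -Name 'PoolState' -TargetType VirtualMachine | Out-Null
}

# Build the pool up to $PoolSize. Each clone gets a 'clean' snapshot immediately,
# while still powered off, so later reverts are fast and deterministic.
function Initialize-Pool {
    $existing = @(Get-VM -Name "$Prefix*" -ErrorAction SilentlyContinue)
    for ($i = $existing.Count + 1; $i -le $PoolSize; $i++) {
        $name = '{0}{1:D3}' -f $Prefix, $i
        $vm = New-VM -Name $name -Template (Get-Template -Name $Template) `
                     -VMHost (Get-VMHost -Name $VMHost) `
                     -Datastore (Get-Datastore -Name $Datastore)
        New-Snapshot -VM $vm -Name $CleanSnap -Description 'Pristine lab image' | Out-Null
        Set-Annotation -Entity $vm -CustomAttribute 'PoolState' -Value 'available' | Out-Null
    }
}

# Hand a clean instance to a student: pick the first VM marked available, confirm
# its clean snapshot exists, mark it assigned and power it on. No clone happens
# here, which keeps the start-of-lab load to power-on operations only.
function Request-PoolVM {
    param([Parameter(Mandatory)][string]$StudentId)
    $vm = Get-VM -Name "$Prefix*" -ErrorAction SilentlyContinue |
          Where-Object { (Get-Annotation -Entity $_ -CustomAttribute 'PoolState').Value -eq 'available' } |
          Select-Object -First 1
    if (-not $vm) { throw 'Pool exhausted: no clean instance available' }
    if (-not (Get-Snapshot -VM $vm -Name $CleanSnap -ErrorAction SilentlyContinue)) {
        throw "Refusing to assign $($vm.Name): clean snapshot '$CleanSnap' is missing"
    }
    Set-Annotation -Entity $vm -CustomAttribute 'PoolState' -Value "assigned:$StudentId" | Out-Null
    Start-VM -VM $vm | Out-Null
    return $vm.Name
}

# Reclaim an instance after the lab: power off, revert to the clean snapshot so
# nothing from the previous user survives, and mark it available again.
function Reset-PoolVM {
    param([Parameter(Mandatory)][string]$Name)
    $vm = Get-VM -Name $Name
    if ($vm.PowerState -eq 'PoweredOn') { Stop-VM -VM $vm -Confirm:$false | Out-Null }
    $snap = Get-Snapshot -VM $vm -Name $CleanSnap
    Set-VM -VM $vm -Snapshot $snap -Confirm:$false | Out-Null     # revert to pristine state
    Set-Annotation -Entity $vm -CustomAttribute 'PoolState' -Value 'available' | Out-Null
}

# Example flow: build the pool once, then hand out and reclaim per lab session.
Initialize-Pool
$assigned = Request-PoolVM -StudentId '40012345'   # constructed student id
# ... lab session runs on $assigned ...
Reset-PoolVM -Name $assigned
```

Reverting at return time rather than at check-out is a deliberate choice: the abstract identifies the start of a lab as the peak-load moment, so the disk-heavy revert is pushed to the end of the session, and the check-out path only verifies that the clean snapshot is present before powering the instance on.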
Buchanan, W. J., Ramsay, B., Macfarlane, R., Smales, A., Keane, E., Callahan, C., Blazic, B. J., & Popov, O. (2015, September). Evaluation of the DFET Cloud. Paper presented at Cybercrime Forensics Education and Training (CFET) conference
Presentation Conference Type | Conference Paper (unpublished) |
---|---|
Conference Name | Cybercrime Forensics Education and Training (CFET) conference |
Start Date | Sep 3, 2015 |
End Date | Sep 4, 2015 |
Publication Date | 2015 |
Deposit Date | Jul 31, 2015 |
Peer Reviewed | Not Peer Reviewed |
Keywords | Cybercrime; law enforcement; education and training; police services; open learning; |
Public URL | http://researchrepository.napier.ac.uk/id/eprint/8917 |