Dr Petra Leimich P.Leimich@napier.ac.uk
Lecturer
Dr Petra Leimich P.Leimich@napier.ac.uk
Lecturer
Josh Harrison
Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured, and forensic artefacts simulated upon it by deleting data originally stored in in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.
Leimich, P., Harrison, J., & Buchanan, W. J. (2016). A RAM triage methodology for Hadoop HDFS forensics. Digital Investigation, 18, 96-109. https://doi.org/10.1016/j.diin.2016.07.003
Journal Article Type | Article |
---|---|
Acceptance Date | Jul 16, 2016 |
Online Publication Date | Jul 18, 2016 |
Publication Date | 2016-09 |
Deposit Date | Jul 18, 2016 |
Publicly Available Date | Jul 19, 2017 |
Journal | Digital Investigation |
Print ISSN | 1742-2876 |
Publisher | Elsevier |
Peer Reviewed | Peer Reviewed |
Volume | 18 |
Pages | 96-109 |
DOI | https://doi.org/10.1016/j.diin.2016.07.003 |
Keywords | Digital forensics, distributed filesystem forensics, cloud storage forensics, Hadoop forensics, triage; RAM forensics, big data, |
Public URL | http://researchrepository.napier.ac.uk/Output/305106 |
Contract Date | Jul 18, 2016 |
A RAM triage methodology for Hadoop HDFS forensics
(1 Mb)
PDF
Publisher Licence URL
http://creativecommons.org/licenses/by-nc-nd/4.0/
From crime to court - an experience report of a digital forensics group project module.
(2014)
Presentation / Conference Contribution
A Comparison of Geo-tagging in Mobile Internet Browsing Applications on iOS and Android.
(2014)
Presentation / Conference Contribution
An assessment of data leakage in Firefox under different conditions.
(2014)
Presentation / Conference Contribution
On the digital forensic analysis of the Firefox browser via recovery of SQLite artefacts from unallocated space
(2012)
Presentation / Conference Contribution
Fast Filtering of Known PNG Files Using Early File Features
(2017)
Presentation / Conference Contribution
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk
This application uses the following open-source libraries:
Apache License Version 2.0 (http://www.apache.org/licenses/)
Apache License Version 2.0 (http://www.apache.org/licenses/)
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2024
Advanced Search