A RAM triage methodology for Hadoop HDFS forensics
Leimich, Petra; Harrison, Josh; Buchanan, William J.
Authors
Dr Petra Leimich (Lecturer), P.Leimich@napier.ac.uk
Josh Harrison
Prof Bill Buchanan (Professor), B.Buchanan@napier.ac.uk
Abstract
This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance, which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured, and forensic artefacts were simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis were then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.
Citation
Leimich, P., Harrison, J., & Buchanan, W. J. (2016). A RAM triage methodology for Hadoop HDFS forensics. Digital Investigation, 18, 96-109. https://doi.org/10.1016/j.diin.2016.07.003
| Field | Value |
|---|---|
| Journal Article Type | Article |
| Acceptance Date | Jul 16, 2016 |
| Online Publication Date | Jul 18, 2016 |
| Publication Date | 2016-09 |
| Deposit Date | Jul 18, 2016 |
| Publicly Available Date | Jul 19, 2017 |
| Journal | Digital Investigation |
| Print ISSN | 1742-2876 |
| Publisher | Elsevier |
| Peer Reviewed | Peer Reviewed |
| Volume | 18 |
| Pages | 96-109 |
| DOI | https://doi.org/10.1016/j.diin.2016.07.003 |
| Keywords | Digital forensics, distributed filesystem forensics, cloud storage forensics, Hadoop forensics, triage, RAM forensics, big data |
| Public URL | http://researchrepository.napier.ac.uk/Output/305106 |
| Contract Date | Jul 18, 2016 |
Files
A RAM triage methodology for Hadoop HDFS forensics (PDF, 1 Mb)
Publisher Licence URL: http://creativecommons.org/licenses/by-nc-nd/4.0/