Studying copy-on-read and copy-on-write techniques on block device level to aid in large environment forensics


Slide 1: Studying copy-on-read and copy-on-write techniques on block device level to aid in large environment forensics

  • E. van den Haak

System and Network Engineering, University of Amsterdam

Master Thesis, July 2014

Eric van den Haak (UvA) Remote Data Acquisition July 2, 2014 1 / 21

Slide 2: Background

  • Forensics on cloud solutions and large environments
  • Sheer volume of data
  • (Remote) acquisition is very hard
    • Making a copy of all data is impossible
    • Making data available remotely is a long procedure

Slide 3: Concept

Slide 4: Research

  • Focus on server block device level
  • Copy only relevant data to local storage: Copy-on-Read
  • Enable live forensics without interfering with the original block device: Copy-on-Write
  • Important aspects: data integrity, reproducible, storable

Slide 5: Research

  • What is a good way to mount block devices read-only and store read and changed data in separate sparse files?
  • What methods exist that allow copy-on-write and copy-on-read on block device level?
  • Can these methods be effectively used to do remote data acquisition while storing read and changed data locally?
  • If necessary, how can an existing method be modified in order to meet the requirements of this research?

Slide 6: Related Research

  • Forensic mount tool Xmount [1]
  • NIST Cloud Computing Forensic Science Challenges [2]

Slide 7: Existing methods

  • Methods that either support copy-on-read or copy-on-write:
    • Xmount
    • Fusecow
    • Bcache

Slide 8: Ideal situation

Slide 9: Proof of concept¹

  • Both Xmount and Fusecow: open source, C, GPL
  • Scope: copy-on-read file, read-only feature

¹ Sources on GitHub [3]

Slide 10: Detailed concept

Slide 11: Copy-on-write implementation (existing)

  • write(3,X); write(D,Z); write(8,Y)
  • Fusecow has two separate files
  • Xmount puts the bitmap into the header of the CoW file

Slide 12: Copy-on-read implementation

  • read(1); read(E); read(3)
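The following is an added illustration of the copy-on-write and copy-on-read sequences on the two slides above (write(3,X); write(D,Z); write(8,Y) and read(1); read(E); read(3)). It is not the thesis code and not Fusecow or Xmount. It assumes 512-byte blocks and, for both layer files, a bitmap header in front of the block data, the layout the slide attributes to Xmount's CoW file; Fusecow's two-file layout is not modelled. The original image is only ever opened read-only, every block fetched from it is copied into the CoR file, every write lands in the CoW file, and the persisted bitmaps let a remount serve cached and changed blocks without touching the original again.

```python
"""Toy copy-on-read / copy-on-write overlay for a block device image.
Added example, not the thesis code. Assumed layout: each layer file starts
with a bitmap header (one bit per block), block n of the layer sits at
header + n * BLOCK, so untouched blocks remain holes in a sparse file."""
import hashlib
import os
import tempfile

BLOCK = 512  # assumed block size


class Overlay:
    """Read-only original image + CoR cache file + CoW change file."""

    def __init__(self, image_path, cor_path, cow_path, block_size=BLOCK):
        self.bs = block_size
        self.img = open(image_path, "rb")          # original never opened for writing
        size = os.fstat(self.img.fileno()).st_size
        self.nblocks = -(-size // block_size)      # ceiling division
        self.hdr = (self.nblocks + 7) // 8         # bitmap bytes in front of each layer
        self.image_reads = 0                       # blocks fetched from the original
        self.cor_f, self.cor_map = self._open_layer(cor_path)
        self.cow_f, self.cow_map = self._open_layer(cow_path)

    def _open_layer(self, path):
        """Open (or create) a layer file and load its bitmap header."""
        new = not os.path.exists(path)
        f = open(path, "w+b" if new else "r+b")
        if new:
            f.write(bytes(self.hdr))               # all-zero bitmap: nothing stored yet
            f.flush()
        f.seek(0)
        return f, bytearray(f.read(self.hdr))

    @staticmethod
    def _bit(bitmap, n):
        return (bitmap[n >> 3] >> (n & 7)) & 1

    @staticmethod
    def _set(bitmap, n):
        bitmap[n >> 3] |= 1 << (n & 7)

    def _layer_read(self, f, n):
        f.seek(self.hdr + n * self.bs)
        return f.read(self.bs)

    def _layer_write(self, f, n, data):
        f.seek(self.hdr + n * self.bs)             # seeking past EOF leaves a hole
        f.write(data)

    def read_block(self, n):
        if self._bit(self.cow_map, n):             # locally changed block wins
            return self._layer_read(self.cow_f, n)
        if self._bit(self.cor_map, n):             # fetched before: serve from cache
            return self._layer_read(self.cor_f, n)
        self.img.seek(n * self.bs)
        data = self.img.read(self.bs).ljust(self.bs, b"\0")   # pad a short last block
        self.image_reads += 1
        self._layer_write(self.cor_f, n, data)     # copy-on-read
        self._set(self.cor_map, n)
        return data

    def write_block(self, n, data):
        if len(data) != self.bs:
            raise ValueError("write must cover exactly one block")
        self._layer_write(self.cow_f, n, data)     # copy-on-write: original untouched
        self._set(self.cow_map, n)

    def close(self):
        for f, bitmap in ((self.cor_f, self.cor_map), (self.cow_f, self.cow_map)):
            f.seek(0)
            f.write(bytes(bitmap))                 # persist bitmap for a later remount
            f.close()
        self.img.close()


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def sha256_via_overlay(ov):
    """Equivalent of dd'ing the mounted overlay and hashing the output."""
    h = hashlib.sha256()
    for n in range(ov.nblocks):
        h.update(ov.read_block(n))
    return h.hexdigest()


def demo(workdir=None):
    d = workdir or tempfile.mkdtemp()
    img = os.path.join(d, "disk.img")
    with open(img, "wb") as f:                     # constructed 16-block sample image
        for n in range(16):
            f.write(bytes([n]) * BLOCK)
    before = sha256_file(img)
    cor, cow = os.path.join(d, "disk.cor"), os.path.join(d, "disk.cow")
    ov = Overlay(img, cor, cow)
    for n in (0x1, 0xE, 0x3):                      # read(1); read(E); read(3)
        ov.read_block(n)
    ov.write_block(0x3, b"X" * BLOCK)              # write(3,X); write(D,Z); write(8,Y)
    ov.write_block(0xD, b"Z" * BLOCK)
    ov.write_block(0x8, b"Y" * BLOCK)
    first_reads = ov.image_reads
    ov.close()
    ov2 = Overlay(img, cor, cow)                   # remount from the stored layer files
    cached = ov2.read_block(0x1)                   # served from the CoR file
    changed = ov2.read_block(0x3)                  # served from the CoW file
    remount_reads = ov2.image_reads
    ov2.close()
    clean = Overlay(img, os.path.join(d, "f.cor"), os.path.join(d, "f.cow"))
    full_hash = sha256_via_overlay(clean)          # CoR only, nothing written
    clean.close()
    return {"first_reads": first_reads, "remount_reads": remount_reads,
            "cached": cached, "changed": changed,
            "original_unchanged": sha256_file(img) == before,
            "full_hash_matches": full_hash == before}
```

Running `demo()` shows the three properties the later Results and Conclusion slides check: the original image's hash is unchanged after the writes, a full read through a fresh overlay hashes identically to the original (the DD test), and a remount answers cached and changed blocks from the layer files with zero reads of the original. On a filesystem with hole support, `du` on disk.cor and disk.cow reports only the touched blocks as allocated.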

Slide 13: Copy-on-read implementation remount

Slide 14: Test setup

Slide 15: Test setup

Slide 16: Second test setup

Slide 17: Results

  • QEMU
    • Fusecoraw works flawlessly
    • Xmount has trouble remounting as it performs lots of tests
      • For now: read-only, or Copy-on-Read file as Copy-on-Write file
      • Requires future work
  • DD
    • Both techniques work as expected, hashes match.

Slide 18: Conclusion

  • Both proofs of concept perform well
  • Remounting writable works only with Fusecoraw
    • No issue for the current concept
  • Read data is persistent
  • Fusecoraw recommended if writable remounting is desired, Xmount recommended if not

Slide 19: Future Research

  • Fusecoraw
  • Xmount
  • Integrate in concept

Slide 20: Questions

?

Slide 21: References

[1] Gillen Daniel. xmount, 2008. https://www.pinguin.lu/index.php.
[2] NIST Cloud Computing Forensic Science Working Group. NIST Cloud Computing Forensic Science Challenges (draft), 2014. http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf.
[3] Eric van den Haak. Evdh's git repository, 2014. https://github.com/evdh-nl.