Visible to the public Biblio

Filters: Keyword is Data Remanence Detection  [Clear All Filters]
2020-02-24
Snyder, Bradley Lee, Jones, James H..  2019.  Determining the Effectiveness of Data Remanence Prevention in the AWS Cloud. 2019 7th International Symposium on Digital Forensics and Security (ISDFS). :1–6.
Previous efforts to detect cross-instance cloud remanence have consisted of searching current instance unallocated space for fragments easily attributable to a prior user or instance, and results were necessarily dependent on the specific instances tested and the search terms employed by the investigator. In contrast, this work developed, tested, and applied a general method to detect potential cross-instance cloud remanence that does not depend on specific instances or search terms. This method collects unallocated space from multiple cloud virtual machine instances based on the same cloud provider template. Empty sectors and sectors which also appear in the allocated space of that instance are removed from the candidate remanence list, and the remaining sectors are compared to sectors from instances based on other templates from that same provider; a matching sector indicate potential cross-instance remanence. Matching sectors are further evaluated by considering contiguous sectors and mapping back to the source file from the other instance template, providing additional evidence that the recovered fragments may in fact be content from another instance. This work first found that unallocated space from multiple cloud instances based on the same template is not empty, random, nor identical - in itself an indicator of possible cross-instance remanence. This work also found sectors in unallocated space of multiple instances that matched contiguous portions of files from instances created from other templates, providing a focused area for determining whether cross-instance data remanence exists. This work contributes a general method to indicate potential cross-instance cloud data remanence which is not dependent on a specific provider or infrastructure, instance details, or the presence of specific user-attributable remnant fragments. A tool to implement the method was developed, validated, and then run on Amazon's AWS cloud service.