A RAM triage methodology for Hadoop HDFS forensics |
| |
| Institution: | 1. Centre for Distributed Computing, Networks, and Security, Edinburgh Napier University, Edinburgh EH10 5DT, UK;2. Corax Cyber Security, 535 Mission Street, San Francisco, CA 94105, USA;1. Norwegian University of Science and Technology, Norway;2. Norwegian Police University College, Norway;3. DSV, Stockholm University, Sweden;1. University of Southern Mississippi, Hattiesburg, MS 39406, USA;2. Department of Electrical Engineering, Indian Institute of Technology Jammu, Nagrota, Jammu 181221, India;3. Department of Electronics and Communication Engineering, National Institute of Technology Goa, Ponda, Goa 403401, India;4. Machine Intelligence Unit, Indian Statistical Institute, Kolkata 700108, India;1. Department of Computer Science & Media Technology, Malmö Universitet, Malmö, Sweden;2. Department of Computer Science, University of Pretoria, South Africa;3. College of Computing and Software Engineering, Kennesaw State University, Marietta, GA, USA;4. Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249-0631, USA |
| |
| Abstract: | This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project. |
| |
| Keywords: | Digital forensics Distributed filesystem forensics Cloud storage forensics Hadoop forensics Triage RAM forensics Big data |
| 本文献已被 ScienceDirect 等数据库收录! |
|
