《云计算环境中面向取证的现场迁移技术研究》由会员分享,可在线阅读,更多相关《云计算环境中面向取证的现场迁移技术研究(108页珍藏版)》请在金锄头文库上搜索。
1、华中科技大学 博士学位论文 云计算环境中面向取证的现场迁移技术研究 姓名:周刚 申请学位级别:博士 专业:计算机系统结构 指导教师:谢长生;曹 强 2011-05-26 I 华华 中中 科科 技技 大大 学学 博博 士士 学学 位位 论论 文文 摘摘 要要 云计算的特点是整合计算资源,在保持低成本的状态下提供良好的计算服务质 量,企业和个人用户都能通过云计算的海量信息库来实现信息的自由分享。虽然云 计算平台可以给广大用户提供高效服务,但是不法分子也可以在此平台上进行违法 活动,取证技术是有效发现、证实违法行为的必要手段。但是传统以文件为基础的 取证方式已经不适应云计算的服务模式,云计算环境主要
2、由大量的分布式异构虚拟 计算资源构成,这些复杂的结构给计算机取证工作的开展带来巨大的挑战。为了适 应这些取证环境的变化,实现在云计算环境下进行取证工作成为一个重要的课题。 系统虚拟化技术和数据迁移技术的运用让云计算环境下进行取证工作成为可 能。云计算环境下还缺乏可用的取证模型,通过对云计算取证的建模,将云计算平 台视为由多个虚拟机构成的系统,其上运行的虚拟机实例可以作为取证分析对象。 为了获取取证分析对象,利用了现场迁移技术,在虚拟化软件层对虚拟机实例进行 信息保全,保证迁移的镜像文件的内容完整性和一致性。为了在本地化系统中加载 虚拟机镜像文件进行取证分析,利用单独划分的临时镜像文件分区作为镜
3、像文件和 本地化系统之间的信息交换场所,可以正确加载虚拟机镜像文件,实现云计算环境 下的现场取证工作。 为此,首先提出了一种新的云计算环境下的计算机取证模型云计算取证模 型,该模型定义了云计算环境下的工作层次,通过场景描述和过程组件的划分,刻 画了完整的取证机制。通过对云计算取证模型的完整性和强隔离性的证明,可以将 虚拟机镜像文件作为取证的对象进行分析,进而实现云计算环境下的计算机取证过 程。 其次,在云计算平台中通过对虚拟化软件层的控制,利用其状态转换,提出了 一种虚拟机镜像文件的迁移方法。通过对虚拟化软件层迁移状态时的上层虚拟机的 进程标识,内存映射,网络连接情况信息和文件系统信息进行保存
4、和重构设计,可 以完整的保存虚拟机的整个系统状态,并通过本地化镜像加载,将虚拟机镜像整个 从云计算平台迁移到本地取证环境中进行分析,实现云计算平台下电子证据的获取。 II 华华 中中 科科 技技 大大 学学 博博 士士 学学 位位 论论 文文 再次,由于迁移出来的虚拟机镜像文件需要在本地化加载,才能进一步进行取 证分析,据此提出了一种临时镜像磁盘的加载方法。为了使镜像文件可以正常在本 地环境下加载,设计了一个非文件系统分配的临时磁盘分区作为镜像文件系统和本 地设备的操作系统之间信息交互的场所,以保持两个系统在硬件配置和服务的一致 性,使虚拟机镜像文件正确加载。 最后,为方便查找分析和管理取证的
5、对象文件,提出了一种针对涉案取证镜像 文件的数据库管理结构。通过上述方法的研究,实现了云计算环境下取证工作。 关键词关键词:云计算,计算机取证,取证模型,系统虚拟化,虚拟机镜像,虚拟机迁移, 现场取证 III 华华 中中 科科 技技 大大 学学 博博 士士 学学 位位 论论 文文 Abstract The main advantages of cloud computing are its lower cost by use of computing services to achieve sustainability, and both business and individual use
6、rs being able to achieve the freedom of information sharing through the cloud mass information. Although cloud computing can provide efficient service to customers, but criminals can also conduct illegal activities on this platform. Forensic technology is effective, proven violations method to preve
7、nt crime. But the traditional file-based evidence approach is not suited for cloud computing service model. Large-scale distributed heterogeneous virtual computing infrastructure of non-authorized investigation and evidence gathering is a big challenge in cloud computing environment. In order to mee
8、t these changes, forensic work has become an important issue in the cloud computing environment. System virtualization and data migration technology is possible to use for forensic work in cloud computing environment. Cloud computing is a virtualization platform in the business model. There is lack
9、of available evidence model a cloud computing environment. Cloud computing platform can be viewed as a system composed by multiple virtual organizations if the evidence is modeled by the cloud. And the instance of virtual machines can be used as forensic analysis. In order to obtain the object of fo
10、rensic analysis, we get use of the site migration technology, virtualization software layer on the virtual machine instances of information security, to ensure the content of the image file transfer integrity and consistency. In order to locate the system in a virtual machine image file to load the
11、forensic analysis by using a separate partition for the temporary image file system image file and the exchange of information between localized sites, you can load the virtual machine image file correctly, the cloud computing evidence of work-site environment. Therefore, firstly, we proposed a new
12、environment in the cloud model of computer forensics - Cloud Computing Forensics Model (CCFM), CCFM defines the evidence of work under the cloud level, through the scene description and process components division, gives evidence of a complete model. Through the cloud computing model integrity and s
13、trong evidence of proof isolation, the virtual machine image file can be IV 华华 中中 科科 技技 大大 学学 博博 士士 学学 位位 论论 文文 analysized as evidence in the cloud computing environment to fulfill computer forensics process. Secondly, a virtual machine image files migration method have been proposed in the cloud pl
14、atform virtualization software layer with the use of the state transition. Through the migration of the virtualization software layer on top of virtual machine state, the process of identity, memory mapping, network connection information, and file system information preservation and reconstruction
15、of the design, you can save the complete state of the system virtual machine, and by localization Image loading, the entire virtual machine image transfer from the cloud computing platform to the local forensics analysis environment, under the cloud computing platform for electronic evidence. Thirdl
16、y, a temporary disk image loading methods is introduced. Because migration the virtual machine image file need load in the localization to further forensic analysis. To make image files can be loaded properly in the local environment, the design of a provisional allocation of non-file system image file system disk partition as the operating system and local device information exchange between the sites, to keep the two systems and services in the hardware configuration the consistency of th
