Research And Application Of PaaS Cloud Forensics Technology Based On Docker

Cloud forensics technology is built on forensics technology and cloud computing technology. It can extract and analyze the digital evidence lie in dynamic virtual entity such as virtual machine or container. However, since container virtualization was not mature and widely used once, almost all the research of cloud forensics is focus on extraction and analysis of the digital evidence in virtual machines instead of containers.But, container virtualization technology of today has spent its dark period. And features of lightweight, fast provisioning and low performance loss have made it a mainstay of PaaS technology group. Therefore, we should put more energy into the study of the container forensics, especially container forensics in the PaaS environment on the day of expanding application of virtual container technology.In this paper, we deeply study the PaaS cloud forensics technology based on the container virtualization technology, propose a forensics framework called PDFF and build a prototype system of PDFF by using Docker as starting point. PDFF is composed of Forensics Control Center, Forensics Agent and Local Docker Registry. Forensics Control Center is designed for centralized forensics management service and compatible format conversion, encrypted storage and integrity verification of evidence data. Forensics Agent can acquire data of containers in a very short time and sign these data. Local Docker Registry is a key component for efficient transmission of Docker images by forwarding layered images between Forensics Agent and Forensics Control Center.Furthermore, we verify the function of PDFF and analyze the efficiency of obtaining evidence through the forensics test in Shipyard platform. The experimental results show that PDFF can effectively remove the forensics interference from irrelevant containers, dramatically reduce the pause time of running containers, reliably guarantee the secure storage of evidence data and significantly improve the efficiency of image transmission between Forensics Agent and Forensics Control Center.