The IMF Conference is the International Conference on IT Security Incident Management & IT Forensics. This year it took place from May 23 to 24 in Munich. The schedule lists a lot of interesting talks. One of the talks was my presentation on a paper about Ceph forensics, based on my master's thesis:
The concept of Software Defined Storage (SDS) has become very popular over the last few years. It is used in public, private, and hybrid clouds to store enterprise, private, and other kinds of data. Ceph is open-source software that implements an SDS stack.
The paper analyzes the data found on storage devices (OSDs) used to store Ceph BlueStore data from a forensics point of view. BlueStore is a storage backend used by Ceph to store information on disk. The OSD data is categorized using the model proposed by Carrier into the five categories: file system, content, metadata, file name, and application category. It then describes how the different types of data can be connected to present useful information about the content of an OSD. For example, it shows how metadata and content of objects stored in Ceph can be extracted and analyzed. It further looks into certain parts of Ceph, such as BlueFS, CephFS and RADOS Block Device (RBD).
The paper also illustrates the implementation of a forensic software tool for OSD analysis based on Ceph 12.2.4 Luminous. This tool is called Vampyr and is available at https://github.com/fbausch/vampyr.
The paper is now available at the ACM Digital Library (DOI 10.1145/3609862). It is published as an open access paper.