LogDrive: a proactive data collection and analysis framework for time-traveling forensic investigation in IaaS cloud environments
Journal of Cloud Computing ( IF 3.7 ) Pub Date : 2018-10-03 , DOI: 10.1186/s13677-018-0119-2
Manabu Hirano , Natsuki Tsuzuki , Seishiro Ikeda , Ryotaro Kobayashi

This paper presents the LogDrive framework for mitigating three problems of storage forensics in Infrastructure-as-a-Service (IaaS) cloud environments: the volatility of virtual machine storage, the increasing volume of forensic data, and anti-forensic attacks that hide the traces of an incident inside a virtual machine. The proposed proactive data collection function for virtual block devices mitigates the volatility problem within the cloud environment and enables a time-traveling investigation that reveals evidence files that were later overwritten or deleted. We employ a sector-hash-based file detection method with random sampling to search for an evidence file in the recorded write logs of the virtual storage. The problem formulation, the investigation context, and the design with five algorithms are presented. We explore the performance of LogDrive through a detailed evaluation. Finally, a security analysis of LogDrive is presented based on the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) threat model and related work. We posted the source code of LogDrive on GitHub.
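The abstract describes two ideas that are easier to see in code: an append-only write log of a virtual block device that keeps every version of every sector, and a sector-hash search with random sampling over that log. The following Python example is added here for illustration and is not LogDrive's own code; the log record format, the constructed evidence file, the timeline (evidence written, then wiped with zeros) and the sampling scheme are all assumptions made for the example. It shows why a search of the present-day disk image misses the wiped file while a search of the write log still finds it, and it skips all-zero sectors so a wipe cannot produce false hits.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SECTOR_SIZE = 512


@dataclass(frozen=True)
class WriteRecord:
    """One entry of a hypothetical append-only write log for a virtual block device (assumed format)."""
    seq: int      # monotonic sequence number standing in for the capture timestamp
    lba: int      # logical block address the guest wrote to
    data: bytes   # exactly SECTOR_SIZE bytes


def split_sectors(blob: bytes) -> List[bytes]:
    """Cut a byte string into sector-sized pieces; the tail is zero-padded like on-disk slack."""
    return [blob[off:off + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")
            for off in range(0, len(blob), SECTOR_SIZE)]


def sector_hashes(blob: bytes) -> Set[str]:
    """Hash each sector of the evidence file. All-zero sectors are dropped: they would
    match every wiped or never-used region and produce meaningless hits."""
    return {hashlib.sha256(s).hexdigest() for s in split_sectors(blob) if any(s)}


def make_evidence_file(n_sectors: int = 4, seed: int = 7) -> bytes:
    """Constructed sample evidence file: deterministic pseudo-random bytes, nothing real.
    It is 100 bytes short of n_sectors, so the last sector is partially padded."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR_SIZE - 100))


def build_sample_log() -> List[WriteRecord]:
    """Constructed timeline: an unrelated write, the evidence file landing at LBA 100-103,
    another unrelated write, then an anti-forensic wipe of LBA 100-103 with zeros."""
    log: List[WriteRecord] = []
    seq = 0

    def write(lba: int, data: bytes) -> None:
        nonlocal seq
        for i, sector in enumerate(split_sectors(data)):
            seq += 1
            log.append(WriteRecord(seq, lba + i, sector))

    write(10, b"system log line, nothing of interest\n")   # seq 1
    write(100, make_evidence_file())                        # seq 2-5
    write(200, b"another unrelated write")                  # seq 6
    write(100, bytes(4 * SECTOR_SIZE))                      # seq 7-10: zero-fill wipe
    return log


def scan_log(log: List[WriteRecord], target: Set[str],
             sample_fraction: float = 1.0, seed: int = 0) -> List[Tuple[int, int]]:
    """Random-sampling scan of the write log: each logged sector is examined with
    probability sample_fraction; returns (seq, lba) of matching sectors, oldest first."""
    rng = random.Random(seed)
    hits: List[Tuple[int, int]] = []
    for rec in log:
        if sample_fraction < 1.0 and rng.random() >= sample_fraction:
            continue
        if hashlib.sha256(rec.data).hexdigest() in target:
            hits.append((rec.seq, rec.lba))
    return hits


def replay_log(log: List[WriteRecord]) -> Dict[int, bytes]:
    """Reconstruct the current disk state: the latest write to each LBA wins."""
    image: Dict[int, bytes] = {}
    for rec in log:
        image[rec.lba] = rec.data
    return image


def scan_image(image: Dict[int, bytes], target: Set[str]) -> List[int]:
    """Conventional search of the present-day image only; empty once the data was overwritten."""
    return sorted(lba for lba, data in image.items()
                  if hashlib.sha256(data).hexdigest() in target)


def detection_probability(file_sectors: int, sample_fraction: float) -> float:
    """Chance that independent per-sector sampling catches at least one distinct sector of
    the file; this is why a small sample suffices for large logs."""
    return 1.0 - (1.0 - sample_fraction) ** file_sectors


if __name__ == "__main__":
    log = build_sample_log()
    target = sector_hashes(make_evidence_file())
    print("current image hits:", scan_image(replay_log(log), target))
    print("write-log hits (seq, lba):", scan_log(log, target))
    print("sampled 50% hits:", scan_log(log, target, sample_fraction=0.5, seed=1))
    print("P(detect 4-sector file at 50% sampling) =", detection_probability(4, 0.5))
```

The earliest hit's sequence number is what makes the investigation "time-traveling": it tells the analyst when the file first appeared on the device, even though the wipe at the end of the log leaves nothing to find in the reconstructed image. In practice the hash set would be loaded from a database of known evidence or malware sectors, and the sampling fraction chosen from the detection probability rather than hard-coded.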

Updated: 2020-04-16