Distributed Filesystem Forensics: Ceph as a Case Study

  • Krzysztof Nagrabski
  • Michael Hopkins
  • Milda Petraityte
  • Ali DehghantanhaEmail author
  • Reza M. Parizi
  • Gregory Epiphaniou
  • Mohammad Hammoudeh


Cloud computing is becoming increasingly popular mainly because it offers more affordable technology and software solutions to start-ups and small and medium enterprises (SMEs). Depending on the business requirements there are various Cloud solution providers and services, yet because of this it becomes increasingly difficult for a digital investigator to collect and analyse all the relevant data when there is a need. Due to the complexity and increasing amounts of data, forensic investigation of Cloud is turning into a very complex and laborious endeavour. Ceph is a filesystem that provides a very high availability and data self-healing features, which ensure that data is always accessible without getting damaged or lost. Because of such features, Ceph is becoming a favourite file system for many cloud service providers. Hence, understanding the remnants of malicious users activities is become a priority in Ceph file system. In this paper, we are presenting residual evidences of users’ activities on Ceph file system on Linux Ubuntu 12.4 operating system and discuss the forensics relevance and importance of detected evidences. This research follows a well-known cloud forensics framework in collection, preservation and analysis of CephFS remnants on both client and server sides.


Ceph Cloud forensics Cloud storage Investigative framework Metadata Data analysis 


  1. 1.
    J. Baldwin, O. M. K. Alhawi, S. Shaughnessy, A. Akinbi, and A. Dehghantanha, Emerging from the cloud: A bibliometric analysis of cloud forensics studies, vol. 70. 2018.Google Scholar
  2. 2.
    B. Martini and K.-K. R. Choo, “Distributed filesystem forensics: XtreemFS as a case study,” Digit. Investig., vol. 11, no. 4, pp. 295–313, Dec. 2014.Google Scholar
  3. 3.
    K. Ruan, J. Carthy, T. Kechadi, and I. Baggili, “Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results,” Digit. Investig., vol. 10, no. 1, pp. 34–43, Jun. 2013.Google Scholar
  4. 4.
    E. Casey, “Cloud computing and digital forensics,” Digit. Investig., vol. 9, no. 2, pp. 69–70, 2012.Google Scholar
  5. 5.
    F. Daryabar, A. Dehghantanha, N. I. Udzir, N. Fazlida, S. Shamsuddin, and F. Norouzizadeh, “A Survey on Cloud Computing and Digital Forensics,” J. Next Gener. Inf. Technol., vol. 4, no. 6, pp. 62–74, 2013.Google Scholar
  6. 6.
    J. Dykstra and A. T. Sherman, “Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques,” Digit. Investig., vol. 9, pp. S90–S98, Aug. 2012.Google Scholar
  7. 7.
    A. Aminnezhad, A. Dehghantanha, M. T. Abdullah, and M. Damshenas, “Cloud Forensics Issues and Opportunities,” Int. J. Inf. Process. Manag, vol. 4, no. 4, 2013.Google Scholar
  8. 8.
    Y.-Y. Teing, A. Dehghantanha, and K.-K. R. Choo, “CloudMe forensics: A case of big data forensic investigation,” Concurr. Comput., 2017.Google Scholar
  9. 9.
    Y.-Y. Teing, D. Ali, K. Choo, M. T. Abdullah, and Z. Muda, “Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study,” IEEE Trans. Sustain. Comput., pp. 1–1, 2017.Google Scholar
  10. 10.
    O. Osanaiye, H. Cai, K.-K. R. Choo, A. Dehghantanha, Z. Xu, and M. Dlodlo, “Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing,” EURASIP J. Wirel. Commun. Netw., vol. 2016, no. 1, p. 130, May 2016.Google Scholar
  11. 11.
    Y.-Y. Teing, D. Ali, K.-K. R. Choo, M. Conti, and T. Dargahi, “Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study,” J. Forensics Sci., vol. [In Press], 2016.Google Scholar
  12. 12.
    “Ceph Homepage - Ceph.” [Online]. Available: [Accessed: 14-Feb-2018].
  13. 13.
    F. Daryabar, A. Dehghantanha, and K.-K. R. Choo, “Cloud storage forensics: MEGA as a case study,” Aust. J. Forensic Sci., pp. 1–14, Apr. 2016.Google Scholar
  14. 14.
    F. Daryabar, A. Dehghantanha, B. Eterovic-Soric, and K.-K. R. Choo, “Forensic investigation of OneDrive, Box, GoogleDrive and Dropbox applications on Android and iOS devices,” Aust. J. Forensic Sci., pp. 1–28, Mar. 2016.Google Scholar
  15. 15.
    H. Haddadpajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “A Deep Recurrent Neural Network Based Approach for Internet of Things Malware Threat Hunting,” Futur. Gener. Comput. Syst., 2018.Google Scholar
  16. 16.
    E. Oriwoh, D. Jazani, G. Epiphaniou, and P. Sant, “Internet of Things Forensics: Challenges and Approaches,” in Proceedings of the 9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2013, pp. 608–615.Google Scholar
  17. 17.
    S. Watson and A. Dehghantanha, “Digital forensics: the missing piece of the Internet of Things promise,” Comput. Fraud Secur., vol. 2016, no. 6, pp. 5–8, Jun. 2016.Google Scholar
  18. 18.
    M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of Things Security and Forensics: Challenges and Opportunities,” Futur. Gener. Comput. Syst., Jul. 2017.Google Scholar
  19. 19.
    D. Quick and K.-K. R. Choo, “Impacts of increasing volume of digital forensic data: {A} survey and future research challenges,” Digit. Investig., vol. 11, no. 4, pp. 273–294, Dec. 2014.Google Scholar
  20. 20.
    S. H. Mohtasebi, A. Dehghantanha, and K.-K. R. Choo, Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud. 2016.Google Scholar
  21. 21.
    S. Homayoun, A. Dehghantanha, M. Ahmadzadeh, S. Hashemi, and R. Khayami, “Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence,” IEEE Trans. Emerg. Top. Comput., 2017.Google Scholar
  22. 22.
    A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust Malware Detection for Internet Of (Battlefield) Things Devices Using Deep Eigenspace Learning,” IEEE Trans. Sustain. Comput., pp. 1–1, 2018.Google Scholar
  23. 23.
    H. H. Pajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “Intelligent OS X malware threat detection with code inspection,” J. Comput. Virol. Hacking Tech., 2017.Google Scholar
  24. 24.
    D. Kiwia, A. Dehghantanha, K.-K. R. Choo, and J. Slaughter, “A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence,” J. Comput. Sci., Nov. 2017.Google Scholar
  25. 25.
    D. Birk and C. Wegener, “Technical Issues of Forensic Investigations in Cloud Computing Environments,” in 2011 IEEE Sixth International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), 2011, pp. 1–10.Google Scholar
  26. 26.
    Y.-Y. Teing, A. Dehghantanha, K.-K. R. Choo, T. Dargahi, and M. Conti, “Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study,” J. Forensic Sci., vol. 62, no. 3, 2017.Google Scholar
  27. 27.
    Y.-Y. Teing, A. Dehghantanha, K.-K. R. Choo, and L. T. Yang, “Forensic investigation of P2P cloud storage services and backbone for IoT networks: BitTorrent Sync as a case study,” Comput. Electr. Eng., vol. 22, no. 6, pp. 1–14, 2016.Google Scholar
  28. 28.
    A. Dehghantanha and T. Dargahi, Residual Cloud Forensics: CloudMe and 360Yunpan as Case Studies. 2016.Google Scholar
  29. 29.
    M. Shariati, A. Dehghantanha, B. Martini, and K.-K. R. Choo, “Chapter 19 - Ubuntu One investigation: Detecting evidences on client machines,” in The Cloud Security Ecosystem, R. K.-K. R. Choo, Ed. Boston: Syngress, 2015, pp. 429–446.CrossRefGoogle Scholar
  30. 30.
    Y.-Y. Teing, D. Ali, K.-K. R. Choo, M. Zaiton, M. T. Abdullah, and W.-C. Chai, “A Closer Look at Syncany Windows and Ubuntu Clients’ Residual Artefacts,” in Proceedings of 9th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage (SpaCCS 2016).Google Scholar
  31. 31.
    M. Shariati, A. Dehghantanha, and K.-K. R. Choo, “SugarSync forensic analysis,” Aust. J. Forensic Sci., vol. 48, no. 1, pp. 95–117, Apr. 2015.Google Scholar
  32. 32.
    B. Blakeley, C. Cooney, A. Dehghantanha, and R. Aspin, “Cloud Storage Forensic: hubiC as a Case-Study,” in 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), 2015, pp. 536–541.Google Scholar
  33. 33.
    R. B. van Baar, H. M. a van Beek, and E. J. van Eijk, “Digital Forensics as a Service: A game changer,” Digit. Investig., vol. 11, pp. S54–S62, 2014.Google Scholar
  34. 34.
    T. Dargahi, A. Dehghantanha, and M. Conti, Investigating Storage as a Service Cloud Platform: PCloud as a Case Study. 2016.Google Scholar
  35. 35.
    M. Petraityte, A. Dehghantanha, and G. Epiphaniou, “A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies,” Springer, Cham, 2018, pp. 219–237.Google Scholar
  36. 36.
    H. Haughey, G. Epiphaniou, H. Al-Khateeb, and A. Dehghantanha, Adaptive traffic fingerprinting for darknet threat intelligence, vol. 70. 2018.Google Scholar
  37. 37.
    “NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response.”Google Scholar
  38. 38.
    B. Martini and K.-K. R. Choo, “An integrated conceptual digital forensic framework for cloud computing,” Digit. Investig., vol. 9, no. 2, pp. 71–80, Nov. 2012.Google Scholar
  39. 39.
    R. McKemmish, What is forensic computing? Canberra: Australian Institute of Criminology, 1999.Google Scholar
  40. 40.
    “Intro to Ceph — Ceph Documentation.” [Online]. Available: [Accessed: 14-Feb-2018].
  41. 41.
    N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, “Machine learning aided Android malware classification,” Comput. Electr. Eng., vol. 61, 2017.Google Scholar
  42. 42.
    S. Homayoun, M. Ahmadzadeh, S. Hashemi, A. Dehghantanha, and R. Khayami, “BoTShark: A Deep Learning Approach for Botnet Traffic Detection,” Springer, Cham, 2018, pp. 137–153.Google Scholar
  43. 43.
    M. Hopkins and A. Dehghantanha, “Exploit Kits: The production line of the Cybercrime economy?,” in 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), 2015, pp. 23–27.Google Scholar
  44. 44.
    J. Baldwin and A. Dehghantanha, Leveraging support vector machine for opcode density based detection of crypto-ransomware, vol. 70. 2018.Google Scholar
  45. 45.
    M. K. Pandya, S. Homayoun, and A. Dehghantanha, Forensics investigation of openflow-based SDN platforms, vol. 70. 2018.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Krzysztof Nagrabski
    • 1
  • Michael Hopkins
    • 1
  • Milda Petraityte
    • 1
  • Ali Dehghantanha
    • 2
    Email author
  • Reza M. Parizi
    • 3
  • Gregory Epiphaniou
    • 4
  • Mohammad Hammoudeh
    • 5
  1. 1.School of Computing, Science, and Engineering, University of SalfordManchesterUK
  2. 2.Cyber Science LabSchool of Computer Science, University of GuelphGuelphCanada
  3. 3.Department of Software Engineering and Game DevelopmentKennesaw State UniversityMariettaUSA
  4. 4.Wolverhampton Cyber Research Institute (WCRI), School of Mathematics and Computer Science, University of WolverhamptonWolverhamptonUK
  5. 5.School of Computing, Mathematics and Digital Technology, Manchester Metropolitan UniversityManchesterUK

Personalised recommendations