Forensic Examination of Ceph

The concept of Software Defined Storage (SDS) has become very popular over the last few years. It is used in public, private, and hybrid clouds to store enterprise, private, and other kinds of data. Ceph is open-source software that implements an SDS stack. There are no specialized IT forensics tools that can be used to analyze Ceph BlueStore storage devices (OSDs), and common, conventional forensics tools are of limited use with the special data structures used by Ceph. Therefore, a forensic examination of the data was conducted.

This talk shows how the data found on storage devices (OSDs) used to store Ceph BlueStore data can be analyzed from a data forensics point of view. The OSD data is categorized using the model proposed by Carrier into the five categories: file system, content, metadata, file name, and application category. It also shows how the different data can be connected to present useful information about the content of an OSD and presents the implementation of a forensic software tool for OSD analysis.

About the Speaker