Method of Digital Forensic Investigation of Docker-Based Host

  • 김현승 (Department of Information Security, Graduate School of Information Security, Korea University)
  • 이상진 (Graduate School of Information Security, Korea University)
  • Received : 2016.10.10
  • Accepted : 2016.11.11
  • Published : 2017.02.28

Abstract

Docker, one of the various virtualization technologies used in server systems, is gaining popularity because it provides a more lightweight environment for service operation than existing virtualization technologies. Through its image and container concepts, it supports easy establishment, update, and migration of server environments. As the adoption of Docker increases, both the attack motive against servers that distribute Docker images and the number of incidents involving Docker-based hosts are expected to increase. Therefore, this paper presents a method and procedure for the digital forensic investigation of Docker-based hosts, including a way to extract the filesystem of containers when the Docker daemon is inactive.

Among the various virtualization technologies used in servers today, Docker is being adopted in many enterprise environments because it provides a more lightweight service operation environment than existing approaches. Through its image and container concepts, Docker supports efficient construction, updating, and migration of server environments. As Docker becomes more widespread, the incentive to attack servers that distribute Docker images and Docker-based hosts will increase. Accordingly, this paper presents forensic investigation techniques and procedures for hosts that use Docker, including a method for extracting a container's file system even while the Docker daemon is inactive.
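The abstract's key case is recovering a container's filesystem while the daemon is stopped. The following is an added example, not code from the paper: it reconstructs the merged view of a container from its layer directories without mounting anything, assuming an overlayfs-style Docker storage driver whose layers are plain directories, given to the examiner ordered lowest (base image) to highest (the container's writable upper directory), with deletions recorded by the overlayfs whiteout convention (`.wh.<name>` hides `<name>`, `.wh..wh..opq` makes a directory opaque). The sample layers are constructed inside a temporary directory.

```python
import os
import tempfile
from pathlib import Path

WHITEOUT = ".wh."          # overlayfs: '.wh.<name>' hides <name> from lower layers
OPAQUE = ".wh..wh..opq"    # overlayfs: directory contents from lower layers are hidden

def _drop_subtree(view, key):
    """Remove key and everything below it from the merged view."""
    for k in [k for k in view if k == key or k.startswith(key + "/")]:
        del view[k]

def merge_layers(layers):
    """Return {path_in_container: source_path_on_host} for the merged view.
    Layers are applied lowest first, so higher layers override lower ones."""
    view = {}
    for layer in layers:
        root = Path(layer)
        for dirpath, _dirs, files in os.walk(root):
            rel_dir = Path(dirpath).relative_to(root).as_posix()
            prefix = "" if rel_dir == "." else rel_dir + "/"
            if OPAQUE in files:  # opaque dir: hide this directory's lower contents
                for k in [k for k in view if k.startswith(prefix)]:
                    del view[k]
            for name in files:
                if name == OPAQUE:
                    continue
                if name.startswith(WHITEOUT):  # deletion recorded in this layer
                    _drop_subtree(view, prefix + name[len(WHITEOUT):])
                    continue
                key = prefix + name
                _drop_subtree(view, key)  # a file may replace a lower-layer directory
                view[key] = str(Path(dirpath) / name)
    return view

def build_sample_layers(base):
    """Constructed sample (assumption, not real evidence): two image layers
    plus the container's upper directory holding its runtime changes."""
    spec = {
        "layer0": {"etc/passwd": "root:x:0:0", "bin/sh": "#!/bin/sh", "tmp/old.log": "x"},
        "layer1": {"etc/shadow": "root:*", "tmp/.wh.old.log": "", "app/run.sh": "echo hi"},
        "upper": {"etc/passwd": "root:x:0:0\napp:x:1000:1000",
                  "app/.wh..wh..opq": "", "app/config.yml": "debug: true"},
    }
    for layer, files in spec.items():
        for rel, content in files.items():
            p = Path(base) / layer / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
    return [str(Path(base) / l) for l in ("layer0", "layer1", "upper")]

def demo():
    """Build the constructed layers and return {path: content} of the merged view."""
    with tempfile.TemporaryDirectory() as tmp:
        view = merge_layers(build_sample_layers(tmp))
        return {k: Path(v).read_text() for k, v in sorted(view.items())}
```

On a real host the examiner would point `merge_layers` at the layer directories recorded in the container's storage-driver metadata; the result maps each visible path to the on-disk layer file that supplies it, which is what an investigator needs to attribute a modification to the image or to the container's runtime.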
