Research field: Safety
Venue: Digital Threats: Research and Practice
User-space virtualization in the form of containers is an increasingly popular deployment method for software applications. When containers are used in the cloud, an orchestration layer such as Kubernetes is utilized for automated and efficient management. All large cloud service providers offer container solutions in different cloud models. They differ in the level of administrative responsibility that remains with the user. Since containerized applications are affected by these design choices, incident responders face the challenge of quickly accessing relevant artifacts in case a security incident occurs. We investigate, for three different practical cloud deployment models from AWS (EKS, EKS Fargate, and ECS) and two increasingly severe attack scenarios, how much relevant information is accessible in each situation. We show that critically relevant forensic evidence is not available, especially at lower access levels. Our results reveal the limits to the forensic analysis of container applications in the cloud and call for cloud service providers to provide additional information in more lightweight deployment models for incident response.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Germany |
| Site | ACM |