Last year I wrote my Master Thesis in Computer Forensics at University of Erlangen / Hochschule Albstadt-Sigmaringen. My professor was Felix Freiling (FAU) and my advisor Andreas Dewald (ERNW Research).
The topic I chose was a forensic examination of data structures on Ceph OSDs using BlueStore storage format.
The concept of Software Defined Storage (SDS) has become very popular over the last few years. It is used in public, private, and hybrid clouds to store enterprise, private, and other kinds of data. Ceph is an open-source software that implements an SDS stack. This thesis analyzes the data found on storage devices (OSDs) used to store Ceph BlueStore data from a data forensics point of view. The OSD data is categorized using the model proposed by Carrier into the five categories: file system, content, metadata, file name, and application category. It then describes how the different data can be connected to present useful information about the content of an OSD and presents the implementation of a forensic software tool for OSD analysis.