25 - Cloud Forensics Flashcards

(17 cards)

1
Q

The cloud as defined by NIST.

A

“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal management
effort or service provider interaction.”

2
Q

Cloud service models.

A

Three main models: IaaS, PaaS, and SaaS.

3
Q

Cloud deployment models.

A

Private, public, hybrid.

4
Q

Cloud forensics as defined by NIST.

A

“Cloud forensics is the application of digital forensics science in
cloud computing environments. Technically, it consists of a
hybrid forensic approach (e.g., remote, virtual, network, live,
large-scale, thin-client, thick-client) towards the generation of
digital evidence. Organizationally, it involves interactions
among cloud actors (i.e., cloud provider, cloud consumer, cloud
broker, cloud carrier, cloud auditor) for the purpose of
facilitating both internal and external investigations. Legally it
often implies multi-jurisdictional and multi-tenant situations.”

5
Q

Challenges of Cloud Forensics. (4).

A
  • The storage system is no longer local
  • Each cloud server contains files from multiple users
  • Even if data belonging to a particular subject is identified, separating it from other users' data is difficult
  • Other than the cloud service provider (CSP), there is usually no evidence that links a given data file to a particular suspect

In a cloud, the forensic investigator cannot collect data by himself

6
Q

Obtaining a search warrant.

A

There are some problems with search warrants in a cloud
environment, for example:
- A warrant must specify a location, but in a cloud the data may not be located at a precise location or on a particular storage server
- The data cannot be seized by confiscating the storage server in a cloud, as the same disk can contain data from many unrelated users
- To identify the criminal, we need to know whether the virtual machine has a static IP
- In almost all aspects, it depends on the transparency and cooperation of the cloud provider

7
Q

Virtual Machines and volatile data.

A

When we turn off a Virtual Machine (VM), all the data will be lost if we do not have the image of the instance.

The owner of a cloud instance can fraudulently claim that her instance was compromised by someone else who launched the malicious activity:
- Later, it will be difficult to prove her claim false by a forensic investigation

8
Q

Trust issues.

A

After a search warrant is issued, the examiner needs a technician of the cloud provider to collect data
- However, the employee of the cloud provider who collects data is most likely not a licensed forensics investigator, and it is not possible to guarantee his integrity in a court of law
- The dates and timestamps of the data are also questionable if they come from multiple systems
- It is not possible to verify the integrity of a forensic disk image in Amazon's EC2 cloud because Amazon does not provide checksums of volumes as they exist in EC2

9
Q

Large bandwidth requirements.

A
  • In a traditional forensic investigation, we collect the evidence from the suspect's computer hard disk
  • Conversely, in the cloud, we do not have physical access
    to the data
  • One way of getting data from a cloud VM is downloading the VM instance's image
  • The size of this image grows with the amount of data in the VM instance
  • We will require adequate bandwidth and incur expense to download this large image
10
Q

Multi-tenancy issues.

A
  • Multiple VMs can share the same physical infrastructure, i.e.,
    data for multiple customers may be co-located
  • This nature of clouds is different from the traditional single-owner
    computer system
  • How to prove that data were not commingled with other users' data?
  • How to preserve the privacy of other tenants while performing an
    investigation?
  • How to ensure that VM isolation has not been violated through side-channel attacks?
11
Q

Conducting a cloud investigation.

A
  • The type of incident determines how to proceed with
    planning the investigation
  • If the investigation involves searching for and
    recovering data from cloud storage or cloud customers
12
Q

Logging.

A

Process logs, network logs, and application logs are really
useful to identify a malicious user.

Not as simple as it is in a privately owned computer system:
- Decentralization
- Volatility of logs
- Multiple tiers and layers
- Accessibility of logs
- Dependence on the CSP

13
Q

Investigating CSPs.

A

If a CSP has no team or only limited staff, investigators should
ask questions to understand how the CSP is set up.

14
Q

Investigating cloud customers.

A

If a cloud customer doesn't have the CSP's application
installed:
- You might find cloud-related evidence in a Web browser's
cache file (because, for example, the user went to the Google Cloud website)
If the CSP's application is installed:
- You can find evidence of file transfers in the application's
folder
- Usually found under the user's account folder

15
Q

Tools for cloud forensics.

A

Few tools designed specifically for cloud forensics are available.
Many digital, network, and e-discovery tools can be
combined to collect and analyze cloud data.
Some vendors with integrated tools:
- Guidance Software EnCase eDiscovery
- AccessData Digital Forensics Incident Response
- ProDiscover Incident Response and Forensics

16
Q

Limitations of current forensic tools.

A

Due to the distributed and elastic characteristics of cloud computing, the available forensic tools cannot cope with this environment
- Tools and procedures are yet to be developed for investigations in virtualized environments, especially at the hypervisor level
- There is a need for forensic tools that let both the CSP and the clients collect forensic data

17
Q

Virtual Machine Introspection.

A

Virtual Machine Introspection (VMI) is the process of
externally monitoring the runtime state of a VM from either
the Virtual Machine Monitor (VMM) or from some virtual
machine other than the one being examined.

By runtime state, we are referring to processor registers,
memory, disk, network, and other hardware-level events.

Through this process, we can execute a live forensic
analysis of the system, while keeping the target system
unchanged.

LIVE!