The Trouble with Cloud Forensics
Sharique M. Rizvi
Head of IT Security & Forensic Investigations
Agenda
• Forensics
– Definitions & Models
• Cloud Forensics Challenges
– Evidence
– Collection
– Validation
– Preservation
• Cloud Forensics Strategy
• Network Forensics
• Cloud Forensics Process and Tools
Cloud Forensics
Introduction
Digital Forensics:
•Digital Forensics is the application of science for the identification, examination, collection, and
analysis of data while preserving the information and maintaining a strict chain of custody for the
evidence.
•Digital Forensics is the application of investigation and analysis techniques to gather and preserve
evidence from a particular computing device in a way that is suitable for presentation in a court of law.
Network Forensics
•Network forensics is a sub-branch of digital forensics involving the monitoring and
analysis of computer network traffic for the purpose of information gathering, legal
evidence, or intrusion detection. Network investigations deal with volatile and dynamic
information.
Cloud Forensics:
•Cloud forensics is the application of digital forensics in cloud computing as a subset of
network forensics. Basically, it is a cross-discipline between cloud computing and digital
forensics. (NIST: National Institute of Standards and Technology)
Cloud Computing Service Models
Software as a Service (SaaS)
•Clients use software applications available from the cloud provider.
– Typically, users interact with SaaS applications using a web browser.
– An example of SaaS is the Google Apps suite offered by Google.
• Clients can use this service to deploy an email and collaboration platform within their organizations, and make
use of Google Docs, Calendar, Gmail and other productivity applications. All data generated using the
applications is stored in the cloud.
Service Models
Platform as a Service (PaaS)
•Provides an application programming interface (API) for clients to create and host
custom-built applications.
– An example of PaaS is Google App Engine.
• Provides a platform for developers to create and host web-based applications.
• PaaS also includes cloud providers offering database management systems such as Amazon SimpleDB.
Infrastructure as a Service (IaaS)
•Leasing of virtualized computing resources such as processing power, volatile memory
and persistent storage space to host virtual machines.
– Example: Amazon EC2, which allows clients to create and launch virtual machines running a variety of
operating systems.
– Virtual machines can then be loaded with customer-specified applications.
– The virtual machine image can be stored and re-deployed, according to the client's requirements
Service Models
• The way services are deployed in a cloud can influence the evidence available to an investigator
and the way it is collected.
• Example
– IaaS platforms present an interface to a user that is indistinguishable from that of a remote physical server
– The data that represents an IaaS-based server is inherently more volatile.
– SaaS and PaaS models restrict the flexibility with which users can interact with a cloud platform
– By offering a restricted set of applications, or specifying the constraints within which new software can be
created.
– On these services, data storage is managed not by the user but by the cloud owner.
Deployment Models
Private Cloud
•Infrastructure is operated solely by the organization
•Cloud will likely be found within the same premises
•Within its administrative control, and includes only the organization’s data
Public Clouds
•Owned by a provider organization
•Cloud facilities in one or more corporate data centres
•The administrative control resides with the provider
•Consumers lease virtual storage and compute resources as required
•Contains data from more than one user.
Community Cloud
•Shared between several organizations
•Formed around a common organizational goal, or to pool IT resources.
•Located within one or more premises, administered by community
Hybrid Cloud
•Composition of two or more of the above deployment options.
•Used to balance load across multiple clouds.
– Example, an organization may have exhausted the available resources within its private cloud, and so incorporate resources
available on lease from a public cloud.
Consequences
• These different organizational configurations may have an impact on the way that data can be
collected as evidence.
• The data held in a cloud may be physically stored in one or more geographically
distributed locations, making the determination of which legal framework and
procedures to apply to the evidence gathering process difficult.
• In summary, multiple deployment options and the variety of services offered to cloud
users introduce new challenges when conducting digital forensic investigations in
these environments.
Cloud Forensics Challenges
Establishing forensic capabilities for the cloud will be difficult without overcoming several major challenges.
The legal dimension
•No agreements among cloud organizations for collaborative investigation
•The majority of SLAs have no relevant terms and conditions present
•No segregation of responsibilities between the CSP and customers.
•Policies and cyber laws differ from region to region
•Conflicts and issues arising from multi-jurisdiction investigations
Forensic Data Collection
•Cloud customers encounter issues with access to forensic data, depending on the cloud model.
– IaaS users may easily access all data required for a forensic investigation
– SaaS customers may not be able to access the pertinent data they need.
•Cloud customers lack access to forensic data
– They do not know where their data is physically located
– They can only specify the location of their data at a higher level of abstraction, typically as a virtual object or container.
•CSPs hide the physical location of the data
– To facilitate data movement and replication.
• CSPs avoid providing services or interfaces for gathering forensic data in the cloud.
– SaaS providers will not provide IP logs of clients accessing content
– IaaS providers will not provide copies of recent VM states and disk images.
• The cloud, as it functions today, does not give end users
– Access to all the relevant log files and metadata
– The ability to audit the operations of the network used by their provider
– The ability to conduct real-time monitoring on their own networks.
Time synchronization
• Time synchronization is vital for audit logs
– Audit logs are used as a source of evidence in investigations.
– A cloud environment needs to keep timestamps consistent across devices located in different time zones,
between equipment, and across remote web clients that include numerous end points.
Log Formats
• Consolidation of log formats is an issue in network forensics
• Some providers intentionally create proprietary log formats
Example
– Amazon’s AWS gives the right to change the original snapshot only to the AWS account that created the volume.
– Once the AWS account owner deletes data within the domain, the removal of the mapping starts immediately and is completed
within seconds. After that, there is no longer any way to access the deleted data remotely,
– Storage space once occupied by said data is made available for future write operations, and it is very likely that the storage space
will be overwritten by newly stored data.
– While some deleted data may still be recoverable from the snapshot even after deletion, the challenge is in recovering it,
identifying its ownership, and using the information to plot out what happened in the cloud.
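The time-synchronization and log-format points above are what an investigator actually has to solve before a cross-provider timeline can be built. As an added example (not part of the original slides), the script below parses constructed log lines in three different formats, applies a per-source time zone the investigator has documented for logs that carry no offset, and sorts everything onto one UTC timeline; a line whose zone cannot be determined is reported rather than silently assumed to be UTC. All source names, zones and log lines are constructed.

```python
"""Normalise logs in different formats and time zones onto one UTC timeline.

Added example, not from the original slides. All source names, time zones and
log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lines: (source name, raw line). Three shapes are mixed:
# ISO 8601 with an explicit offset, syslog with no zone and no year, and an
# Apache/CLF style bracketed timestamp with a numeric offset.
SAMPLE_LOGS = [
    ("webapp-eu", "2014-03-02T08:15:02+01:00 GET /login user=alice status=200"),
    ("vm-host-us", "Mar  2 02:15:04 vmhost01 sshd[2201]: Accepted publickey for admin from 203.0.113.7"),
    ("lb-apac", '203.0.113.7 - - [02/Mar/2014:16:15:01 +0900] "POST /api/reboot HTTP/1.1" 202'),
]

# Zones the investigator has documented for sources whose logs carry none.
# Fixed offsets are used deliberately: the DST rule in force is a separate
# fact that belongs in the case notes, not a guess made by the parser.
SOURCE_ZONES = {"vm-host-us": timezone(timedelta(hours=-5))}

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?)\s+(.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")
CLF_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")


@dataclass(frozen=True)
class Event:
    utc: datetime
    source: str
    raw: str


def parse_local(line: str, assumed_year: int) -> Optional[datetime]:
    """Extract the timestamp from a line; the result may be naive (no zone)."""
    m = ISO_RE.match(line)
    if m:
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    m = CLF_RE.search(line)
    if m:
        return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
    m = SYSLOG_RE.match(line)
    if m:
        # syslog omits the year; the investigator supplies it from context
        return datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)} {assumed_year}",
                                 "%b %d %H:%M:%S %Y")
    return None


def to_utc(source: str, line: str, source_zones: dict, assumed_year: int) -> Optional[Event]:
    """Place one line on the UTC timeline, or return None if its zone is unknown."""
    ts = parse_local(line, assumed_year)
    if ts is None:
        return None
    if ts.tzinfo is None:
        zone = source_zones.get(source)
        if zone is None:
            return None  # no offset in the line and none recorded: refuse to guess
        ts = ts.replace(tzinfo=zone)
    return Event(ts.astimezone(timezone.utc), source, line)


def build_timeline(logs, source_zones, assumed_year):
    """Return (events sorted by UTC time, (source, line) pairs that could not be placed)."""
    placed, unplaced = [], []
    for source, line in logs:
        ev = to_utc(source, line, source_zones, assumed_year)
        if ev is None:
            unplaced.append((source, line))
        else:
            placed.append(ev)
    placed.sort(key=lambda e: e.utc)
    return placed, unplaced


if __name__ == "__main__":
    timeline, gaps = build_timeline(SAMPLE_LOGS, SOURCE_ZONES, assumed_year=2014)
    for ev in timeline:
        print(ev.utc.isoformat(), ev.source, ev.raw[:60])
    for source, line in gaps:
        print("UNPLACED", source, line)
```

Note that the local timestamps read 02:15, 08:15 and 16:15, yet the normalised order is lb-apac, webapp-eu, vm-host-us within a three-second window; the raw order of the sources would have told a different story.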
Evidence Segregation
•The various instances of VMs running on the same physical machine are completely isolated from each other via the hypervisor.
•The instances are treated as if they are on separate physical hosts
•No access to each other despite being hosted on the same machine.
Virtualized Environments
– CSPs provide data and computing power redundancy by replicating and distributing resources.
– They do this by running different instances of a cloud computing environment within a virtualized environment
– Each instance runs as a standalone VM that is monitored by a hypervisor.
– Attackers can target the hypervisor; compromising it gives them free rein over all the machines it manages.
•Lack of policies, techniques, and procedures on the hypervisor that facilitate investigation.
•There are currently no tools, policies, procedures, or agreements that address cross-provider investigations.
Multi-Jurisdiction and Multi-Tenancy
•Legislation in the countries and states where the cloud and its customers reside differs vastly,
•Investigations can be hampered due to said differences in law and jurisdiction.
Amazon EC2
PlayStation Network Attack
Case
•An attack that brought down Sony’s PlayStation Network
•Amazon’s cloud services were used in the break-in
•Hackers signed up for legitimate server rentals on Amazon EC2
•Attackers were able to gain access within Sony’s network
•Sony noticed a batch of servers unexpectedly rebooted
•The investigation discovered that an intruder was in the PlayStation Network
Observation
“The forensic teams confirm that intruders had used very sophisticated and aggressive techniques to obtain
unauthorized access, hide their presence from system administrators and escalate privileges inside the servers”
•The intruders deleted log files in order to hide the extent of their work and activity within the
network.
•Personal data of 77 million users compromised
DIGITAL FORENSICS IN CLOUD
First Step
Identification
•Identify that a potential criminal or improper act has taken place involving computer-based systems.
•These events may relate to traditional crimes or activity using IT, or IT-specific crimes.
– Examples: complaints made by individuals, anomalies detected by an IDS, monitoring and profiling, or the results of an audit of a
computer system.
– The identification phase is not concerned only with digital forensics; it has an impact on how the investigation is conducted
as well as defining the purpose for conducting the investigation.
– The detection of suspicious events in a cloud will depend on the deployment model adopted and the form of cloud services (SaaS,
PaaS or IaaS) used.
Preservation and Collection
•Collecting data from computer-based systems as evidence
•That a crime or another illicit act has been committed
•Legal and forensic standards require that forensic evidence be testable
•The methods used to produce evidence must be repeatable.
•Ensure the integrity of data throughout the investigation life cycle
•Several aspects of the preservation phase are affected by the use of a cloud environment.
Steps..
Storage Capacity
•A prerequisite of evidence preservation is having sufficient secure storage capacity available
•The increasing volume of data imposes extra costs on investigators
– responsibility to store and curate the data
– increasing amount of investigator time required to examine it.
•Cloud environments exacerbate the problem of data storage.
– The elastic ability to dynamically scale a service’s storage capabilities per on-going requirements.
– Typical public IaaS clouds offer effectively limitless data storage capability as and when required
– Investigators may be faced with gathering an extremely large amount of data
•One solution is to use public clouds themselves to store evidence
– This too will bring its own challenges, from both a legal and technical perspective.
– Investigators will need to address the rules and regulations regarding data protection and privacy issues, and their impact on
evidence stored in the cloud.
Chain of Custody
•Conventional accepted practice is to maintain a chain of custody (CoC) for evidence
•The CoC provides the history for the lifetime of the evidence discovered
•How the evidence was gathered and managed, by whom and when
– In a conventional investigation, the chain of custody begins when an investigator assumes physical control of digital electronic
artefacts (and any incorporated storage devices) that are suspected to be pertinent to the investigation.
– There are two methods of preserving data on a PC
• Powering down the computer by a command to the OS causing a shutdown
• Removing the power source, causing an immediate halt.
• Storage devices can be removed from the computer and examined separately.
– The CoC documentation refers to these devices, which are isolated and disconnected from a power supply with little risk of loss of
evidence.
•Given the remote nature of cloud services, this assumption is not valid.
– Services can be accessed by any system with a network connection to the hosting cloud.
– Unless an investigator is able to gain control and disable a service, evidence could be destroyed relatively quickly,
either by a service user, or by the cloud provider.
– Practicality of obtaining control of a cloud service during an on-going forensic investigation (no work on this as such)
– Challenges include the speed with which an investigator can gain control of a service,
– The appropriate legal and regulatory framework that should be developed to enable this capability.
Digital Image Acquisition
•Assuming the investigator has gained control of the cloud service
– It is necessary to obtain an accurate copy of the data held by the service for later analysis
•Collection of evidence from a cloud environment is likely to pose a challenge to investigators.
– Triage tools and volatile and persistent memory acquisition software, as used in conventional investigations, may
provide minimal data when run on a client computer.
•Virtualized data stored on a cloud may be spread between many different physical devices
•To customers, data appears to be stored in a single location
– Physically this is not the case.
• GFS is a “multi-tenant distributed” file system, which means that even if two users are within the same organization, their
data could well reside in two or more different physical locations
•Use of virtualization also affects the privacy of other users
– Data may be inadvertently gathered during the investigation.
– In some jurisdictions, inadvertent access of non-relevant data from a cloud environment may contravene local privacy
and data protection legislation.
Live Acquisition
•Live acquisitions and investigations are an alternative approach
– Data is examined on the target computer while it is still powered up.
– This approach enables investigators to gather data that might otherwise be lost if a computer is powered down,
particularly:
• Data stored in non-persistent memory, such as processes and information on active network connections.
• Temporary data stored in persistent memory, such as application file locks, and web-browsing caches.
•Live acquisition increases the amount of information extracted from a cloud client computer
•Concerns about data confidentiality and integrity
– CSPs are turning towards offering encryption as a security feature to their customers
– CSPs have implemented a ‘zero knowledge system’
• All data is encrypted client-side before being transmitted and stored in the cloud,
• The keys used to encrypt data are never stored in the cloud.
Deleted Data
•The cloud could both assist and hamper investigators
•Recovering data that has been deleted or otherwise destroyed by the suspect.
•A hard disk or USB flash drive can be physically destroyed
– This is not the case with the cloud: unless the suspect has the knowledge and administrative authority to delete or
‘destroy’ data, this evidence will remain available to the investigator.
•The volatility and elasticity of the cloud make the recovery of deleted data challenging.
– Cloud providers also maintain that user privacy is a priority within their cloud environments.
– Example, Google’s current policy regarding deleted data is such that once a user deletes their data from
Google Services, that data is then deleted from both active and replication servers. Pointers to this data are
also deleted, making tracing remnants of user deleted data extremely difficult.
•The EC is encouraging implementation of the Data Retention Directive
– Member states are to ensure that communication providers retain certain information about their users, including the
“userID”, the “IP address allocated at the time of the communication” as well as “the date and time of the log-in and log-off of
the service” (European Union, May 2006).
Examination and Analysis
•Dedicated forensic tool suites such as Forensic Toolkit (FTK) or EnCase are popular commercial choices.
•The Sleuth Kit is an open source alternative.
– These tool suites are used to perform ‘pattern matching’ and ‘filtering’, which can involve searching for specific
filenames, file types, or content.
•The significance of information artefacts as evidence is evaluated.
•A narrative is developed, supported by the evidence and a timeline
– To explain how a crime was committed.
Validation using Hashing Tools
•Hashing tools are used to validate the integrity of data
•Hash values can be computed for disk images, files or other data
– to gain assurance that the evidence has not been changed by analysis
•Data stored in a cloud can also be subjected to hashing for integrity
– Example: Amazon S3 and Amazon Web Services (AWS) have both implemented MD5 checksums for objects stored
in their services. Investigators can record these checksums to show that any evidence acquired has remained
unchanged during the investigation.
– The hashing tools implemented, deployed and controlled by cloud providers do raise some challenges.
– The investigator has less opportunity to test and evaluate the hashing features in a cloud, compared with tools
developed for use on conventional desktop PCs.
– The investigator’s ability to validate the correctness of their tools is limited
•Responsibility for assessing the reliability of testimony rests with the trial judge.
•The principles of the scientific method are to guide judgements of acceptability.
– The conduct of forensic investigations in cloud environments in both the United States and United Kingdom
will presumably be subject to the same tests, if the resulting evidence is to be admissible in court.
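The slide's point about provider-controlled hashing is best seen in working code. The script below is an added example (not from the original slides or from any AWS tooling): it recomputes the provider's MD5-based checksum over an acquired object, records the outcome together with an independent SHA-256 in a chain-of-custody entry, and re-verifies the working copy later. It goes slightly beyond the slides in handling the multipart case, where the S3 ETag is not a plain MD5 but the MD5 of the concatenated per-part digests followed by "-<part count>"; the object key, examiner name, object bytes and candidate part sizes are all constructed assumptions.

```python
"""Validate acquired cloud objects against the provider's checksum and record
the result for the chain of custody.

Added example, not from the original slides. The object key, examiner name,
object bytes and candidate part sizes are constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

MIB = 1024 * 1024
# Part sizes commonly used by upload clients (assumption; extend from case notes).
COMMON_PART_SIZES = (5 * MIB, 8 * MIB, 16 * MIB)


def plain_md5(data: bytes) -> str:
    """Checksum of a single-part object: the provider shows a plain MD5 hex digest."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """S3-style ETag for a multipart upload with a fixed part size:
    MD5 over the concatenated raw MD5 digests of each part, then "-<part count>"."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    parts = [hashlib.md5(data[i:i + part_size]).digest()
             for i in range(0, len(data), part_size)]
    if len(parts) <= 1:
        return plain_md5(data)  # a single part would have been a plain upload
    return f"{hashlib.md5(b''.join(parts)).hexdigest()}-{len(parts)}"


def etag_matches(data: bytes, recorded_etag: str, part_sizes=COMMON_PART_SIZES) -> bool:
    """Recompute the provider checksum locally and compare it to the recorded value."""
    recorded = recorded_etag.strip('"').lower()
    if "-" not in recorded:
        return plain_md5(data) == recorded
    # Multipart: the part size is not stored in the ETag, so try the candidates and
    # accept only one that reproduces both the digest and the part count.
    return any(multipart_etag(data, ps) == recorded for ps in part_sizes)


def custody_record(object_key: str, data: bytes, recorded_etag: str, examiner: str) -> dict:
    """Chain-of-custody entry: what was acquired, by whom and when, the provider's
    checksum, whether it reproduced locally, and an independent SHA-256 so later
    verification does not depend on a hashing feature the investigator cannot test."""
    return {
        "object": object_key,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "size_bytes": len(data),
        "provider_etag": recorded_etag.strip('"'),
        "etag_verified": etag_matches(data, recorded_etag),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def reverify(record: dict, data: bytes) -> bool:
    """At analysis time, confirm the working copy still matches the custody record."""
    return (len(data) == record["size_bytes"]
            and hashlib.sha256(data).hexdigest() == record["sha256"])


if __name__ == "__main__":
    # Constructed sample object and the checksum the provider would have displayed.
    sample = b"constructed evidence object\n" * 2048
    shown_etag = '"%s"' % plain_md5(sample)
    rec = custody_record("s3://example-bucket/case-001/server.log", sample, shown_etag, "examiner-01")
    print(json.dumps(rec, indent=2))
    print("still intact:", reverify(rec, sample))
    print("after tamper:", reverify(rec, sample + b"x"))
```

The provider's MD5 value confirms the download matched what the provider held; the investigator's own SHA-256 is what the custody record is later checked against, so the two questions (was the copy faithful, has it since changed) stay separate.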
Forensic Tools in Cloud
Forensics Tools
•EnCase – Servlets
•AccessData – FTK Agents
•FastDump – HBGary
•Memoryze – Mandiant
Using Forensics Tools in Cloud
•Amazon stores VHDs (Elastic Block Store, EBS, volumes) in Simple Storage Service (S3) storage that is not
exposed to end users.
•Two options to obtain data from an entire volume
1. Create a snapshot of the drive being investigated, create a volume from that snapshot, attach it as read-only and
create an ISO image
2. Detach the target volume from the host, use the dd tool and download the image.
•This activity may take many man-hours
•2TB of data could take 85 hours of processing time.
•EnCase and Forensic Toolkit can analyse VMware data files but not snapshots which include
suspended memory.
Summary
• Traditional software tools of computer forensics are inadequate in cloud computing forensics due to inaccessibility
of the physical devices.
• Cloud forensics is challenging due to the rapidly evolving technology.
• Empirical testing of forensic tools typically employs standard data sets, but it is unclear how these could be developed for
cloud forensic methods.
• There is a clear need to develop a standard evaluation method and data set for cloud forensics
• ...the court does not have a true universally accepted method to rely upon. To further complicate the problem,
many self-proclaimed computer forensics experts take what they feel are the best aspects of several approaches
and create their own methodology.
References
1. Cloud Forensics: Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie
2. Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics: George Grispos, Tim Storer, William Bradley
3. Cloud Forensics: Anupam Tiwari
Questions…….
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...SUHANI PANDEY
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋nirzagarg
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...SUHANI PANDEY
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...SUHANI PANDEY
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 

Recently uploaded (20)

VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 

The Trouble with Cloud Forensics

  • 1. The Trouble with Cloud Forensics
    Sharique M. Rizvi
    Head of IT Security & Forensic Investigations
  • 2. Agenda
    • Forensics
      – Definitions & Models
    • Cloud Forensics Challenges
      – Evidence
      – Collection
      – Validation
      – Preservation
    • Cloud Forensics Strategy
    • Network Forensics
    • Cloud Forensics Process and Tools
  • 3. Cloud Forensics: Introduction
    Digital Forensics:
    • Digital Forensics is the application of science for the identification, examination, collection, and analysis of data while preserving the information and maintaining a strict chain of custody for the evidence.
    • Digital Forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
  • 4. Cloud Forensics: Introduction
    Network Forensics:
    • Network forensics is a sub-branch of digital forensics involving the monitoring and analysis of computer network traffic for the purpose of information gathering, legal evidence, or intrusion detection. Network investigations deal with volatile and dynamic information.
    Cloud Forensics:
    • Cloud forensics is the application of digital forensics in cloud computing as a subset of network forensics. Basically, it is a cross-discipline between cloud computing and digital forensics. (NIST: National Institute of Standards and Technology)
  • 5. Cloud Computing Service Models
    Software as a Service (SaaS)
    • Clients use software applications available from the cloud provider.
      – Typically, users interact with SaaS applications using a web browser.
      – An example of SaaS is the Google App suite offered by Google.
        • Clients can use this service to deploy an email and collaboration platform within their organizations, and make use of Google Docs, Calendar, Gmail and other productivity applications. All data generated using the applications is stored in the cloud.
  • 6. Service Models
    Platform as a Service (PaaS)
    • Provides an application programming interface (API) for clients to create and host custom-built applications.
      – An example of PaaS is the Google App Engine.
        • Provides a platform for developers to create and host web-based applications.
        • Also includes cloud providers offering database management systems such as Amazon SimpleDB.
    Infrastructure as a Service (IaaS)
    • Leasing of virtualized computing resources such as processing power, volatile memory and persistent storage space to host virtual machines.
      – Example: Amazon EC2, which allows clients to create and launch virtual machines running a variety of operating systems.
      – These can then be loaded with customer-specified applications.
      – The virtual machine image can be stored and re-deployed according to the client's requirements.
  • 7. Service Models
    • The way services are deployed in a cloud can influence the evidence available to an investigator and the way it is collected.
    • Example
      – IaaS platforms present an interface to a user that is indistinguishable from that of a remote physical server.
      – The data that represents an IaaS-based server is inherently more volatile.
      – SaaS and PaaS models restrict the flexibility with which users can interact with a cloud platform, by offering a restricted set of applications, or by specifying the constraints within which new software can be created.
      – On these services data is stored not by the user but by the cloud owner.
  • 8. Deployment Models
    Private Cloud
    • Infrastructure is operated solely by the organization.
    • The cloud will likely be found within the same premises.
    • Within the organization's administrative control, and includes only the organization's data.
    Public Cloud
    • Owned by a provider organization.
    • Cloud facilities in one or more corporate data centres.
    • Administrative control resides with the provider.
    • Consumers lease virtual storage and compute resources as required.
    • Contains data from more than one user.
    Community Cloud
    • Shared between several organizations.
    • Common organizational goal, or to pool IT resources.
    • Located within one or more premises, administered by the community.
    Hybrid Cloud
    • Composition of two or more of the above deployment options.
    • Used to provide load balancing across multiple clouds.
      – Example: an organization may have exhausted the available resources within its private cloud, and so incorporate resources available on lease from a public cloud.
  • 9. Consequences
    • These different organizational configurations may have an impact on the way that data can be collected as evidence.
    • The data held in a cloud may be physically stored in one or more geographically distributed locations, making it difficult to determine which legal framework and procedures apply to the evidence-gathering process.
    • In summary, multiple deployment options and the variety of services offered to cloud users introduce new challenges when conducting digital forensic investigations in these environments.
  • 10. Cloud Forensics Challenges
    Establishing forensic capabilities for the cloud will be difficult without overcoming several enormous challenges.
    The legal dimension
    • No agreements among cloud organizations for collaborative investigation.
    • The majority of SLAs have no relevant terms and conditions present.
    • No segregation of responsibilities between CSP and customers.
    • Policies and cyber laws differ between regions.
    • Conflicts and issues arise from multi-jurisdiction investigations.
    Forensic Data Collection
    • Cloud customers encounter issues with access to forensic data, depending on the cloud model.
      – IaaS users may have easy access to all data required for a forensic investigation.
      – SaaS customers may not be able to access the pertinent data they need.
    • Cloud customers lack access to forensic data:
      – where their data is physically located;
      – they can only specify the location of their data at a higher level of abstraction, typically as a virtual object or container.
    • CSPs hide the physical location of the data
      – to facilitate data movement and replication.
  • 11. Cloud Forensics Challenges
    • CSPs avoid providing services or interfaces for gathering forensic data in the cloud.
      – SaaS providers will not provide IP logs of clients accessing content.
      – IaaS providers will not provide copies of recent VM states and disk images.
    • The cloud, as it functions, does not provide end users with:
      – access to all the relevant log files and metadata;
      – the ability to audit the operations of the network used by their provider;
      – the ability to conduct real-time monitoring on their own networks.
    Time synchronization
    • Time synchronization is vital for audit logs
      – used as a source of evidence in investigations.
      – A cloud environment needs to synchronize timestamps consistently across devices located in different time zones, between equipment, and with remote web clients that include numerous end points.
    Log Formats
    • Consolidation of log formats is an issue in network forensics.
    • Some providers intentionally create proprietary log formats.
    Example (AWS)
      – Amazon's AWS gives the right to change the original snapshot only to the AWS account that created the volume.
      – Once the AWS account owner deletes data within the domain, the removal of the mapping starts immediately and is completed within seconds. After that, there is no longer any way to access the deleted data remotely.
      – Storage space once occupied by said data is made available for future write operations, and it is very likely that the storage space will be overwritten by newly stored data.
      – While some deleted data may still be recoverable from the snapshot even after deletion, the challenge is in recovering it, identifying the ownership, and using the information as a means of plotting out what happened in the cloud.
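The two problems slide 11 names, inconsistent clocks across zones and a different log format per provider, are what an investigator hits the moment they try to lay events from several sources on one timeline. The following is an added example, not code from the presentation: it takes a few constructed log lines in three formats (Apache-style with an explicit offset, ISO 8601 in UTC, and zone-less syslog), applies an assumed per-source time zone and a measured clock-skew correction, and merges everything into one UTC-ordered timeline. The source names, the log lines, the +05:30 zone, the 90-second skew and the year 2023 are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not taken from the presentation). Each source writes a
# different timestamp format, which is the log-format consolidation problem the slide names.
SAMPLE_LOGS = {
    # object-store access log, Apache style, explicit UTC offset
    "s3-access": [
        "[10/Oct/2023:13:55:36 -0700] GET /bucket/report.pdf 200",
        "[10/Oct/2023:13:58:02 -0700] DELETE /bucket/report.pdf 204",
    ],
    # application VM, ISO 8601 in UTC
    "app-vm": [
        "2023-10-10T20:57:10Z user=alice action=login",
        "2023-10-10T21:02:44Z user=alice action=download object=report.pdf",
    ],
    # remote web client, syslog style: no year, no zone
    "web-client": [
        "Oct 11 02:26:00 client session-start",
    ],
}

# Assumed per-source clock facts an investigator establishes before building a timeline:
# the zone a zone-less source lives in, and the skew of its clock measured against a
# trusted reference (positive = the source clock runs fast).
SOURCE_CLOCKS = {
    "s3-access":  {"tz": None, "skew": timedelta(0)},
    "app-vm":     {"tz": None, "skew": timedelta(0)},
    "web-client": {"tz": timezone(timedelta(hours=5, minutes=30)), "skew": timedelta(seconds=90)},
}

APACHE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:?\d{2})) (.*)$")
SYSLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line, source, assumed_year=2023):
    """Return (UTC datetime, message) for one log line, or None if no known format matches."""
    clock = SOURCE_CLOCKS[source]
    if m := APACHE_RE.match(line):
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    elif m := ISO_RE.match(line):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
    elif m := SYSLOG_RE.match(line):
        if clock["tz"] is None:
            raise ValueError(f"{source}: zone-less timestamps need an assumed tz")
        # syslog omits the year, so the year of the investigation is supplied as an assumption
        naive = datetime.strptime(f"{assumed_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=clock["tz"])
    else:
        return None
    # remove the measured skew, then express everything in UTC
    return (ts - clock["skew"]).astimezone(timezone.utc), m.group(2)


def build_timeline(logs=SAMPLE_LOGS):
    """Merge every source into one chronologically ordered list of (utc_iso, source, message)."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            parsed = parse_line(line, source)
            if parsed is None:
                continue  # a real tool would quarantine unparsed lines rather than drop them
            utc, message = parsed
            events.append((utc, source, message))
    events.sort(key=lambda e: e[0])
    return [(utc.strftime("%Y-%m-%dT%H:%M:%SZ"), source, message) for utc, source, message in events]


if __name__ == "__main__":
    for when, source, message in build_timeline():
        print(f"{when}  {source:<10}  {message}")
```

Without the skew correction the web client's session start would land at 20:56:00Z, after the object-store GET; with it, the session start moves to 20:54:30Z and precedes the GET, which is the kind of ordering change that decides what a timeline says happened first. Unparsed lines are skipped here for brevity; in an investigation they should be kept and listed, since a line a parser cannot read is itself worth noting.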
  • 12. Cloud Forensics Challenges
    Evidence Segregation
    • The various instances of VMs running on the same physical machine are completely isolated from each other via the hypervisor.
    • The instances are treated as if they are on separate physical hosts.
    • No access to each other despite being hosted on the same machine.
    Virtualized Environments
      – Data and computing power redundancy by replicating and distributing resources.
      – CSPs do this by using different instances of a cloud computer environment within a virtualized environment.
      – Each instance runs as a standalone VM that is monitored by a hypervisor.
      – Attackers can target the hypervisor; compromising it gives them free rein over all the machines being managed by it.
    • Lack of policies, techniques, and procedures on the hypervisor that facilitate investigation.
    • There are currently no tools, policies, procedures, or agreements that address cross-provider investigations.
    Multi-Jurisdiction and Multi-Tenancy
    • Legislation in all the countries and states that the cloud and its customers reside in differs vastly.
    • Investigations can be hampered due to said differences in law and jurisdiction.
  • 13. Amazon EC2 PlayStation Network Attack Case
    • An attack that brought down Sony's PlayStation Network.
    • Amazon's cloud services were used to break in.
    • Hackers signed up for legitimate server rentals on Amazon EC2 services.
    • Attackers were able to gain access within Sony's network.
    • Sony noticed a batch of servers unexpectedly rebooted.
    • Investigation discovered that an intruder was in the PlayStation Network.
    Observation
    "The forensic teams confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators and escalate privileges inside the servers"
    • The intruders deleted log files in order to hide the extent of their work and activity within the network.
    • Personal data of 77 million users compromised.
  • 14. DIGITAL FORENSICS IN CLOUD: First Step
    Identification
    • Identify that a potential criminal or improper act has taken place involving computer-based systems.
    • These events may relate to traditional crimes or activity using IT, or to IT-specific crimes.
      – Examples: complaints made by individuals, anomalies detected by IDS, monitoring and profiling, or the results of an audit of a computer system.
      – The identification phase is not just concerned with digital forensics; it also has an impact on how the investigation is conducted and defines the purpose for conducting the investigation.
      – The detection of suspicious events in a cloud will depend on the deployment model adopted and the form of cloud services (SaaS, PaaS or IaaS) used.
    Preservation and Collection
    • Collecting data from computer-based systems as evidence.
    • A crime or another illicit act has been committed.
    • Legal and forensic standards require that forensic evidence be testable.
    • The methods used to produce evidence must be repeatable.
    • Ensure the integrity of data throughout the investigation life cycle.
    • Several aspects of the preservation phase are affected by the use of a cloud environment.
  • 15. DIGITAL FORENSICS IN CLOUD: Steps
    Storage Capacity
    • A prerequisite of evidence preservation is to have sufficient secure storage capacity available.
    • This increase imposes extra costs on investigators:
      – responsibility to store and curate the data;
      – an increasing amount of investigator time required to examine it.
    • Cloud environments exacerbate the problem of data storage.
      – The elastic ability to dynamically scale a service's storage capabilities per on-going requirements.
      – Typical public IaaS clouds offer limitless data storage capability as and when required.
      – Investigators may be faced with gathering an extremely large amount of data.
    • One solution is to use public clouds to store evidence.
      – This too will bring its own challenges, from both a legal and a technical perspective.
      – Investigators will need to address the rules and regulations regarding data protection and privacy issues, and their impact on evidence stored in the cloud.
  • 16. DIGITAL FORENSICS IN CLOUD: Steps
    Chain of Custody
    • Conventional accepted practice is to maintain a chain of custody (CoC) for evidence.
    • The CoC provides the history for the lifetime of evidence discovered:
    • how the evidence was gathered and managed, by whom and when.
      – In a conventional investigation, the chain of custody begins when an investigator assumes physical control of digital electronic artefacts (and any incorporated storage devices) suspected to be pertinent to the investigation.
      – There are two methods of preserving data on a PC:
        • powering down the computer by a command to the OS causing a shutdown;
        • removing the power source, causing an immediate halt.
        • Storage devices can then be removed from the computer and examined separately.
      – The CoC documentation refers to these devices, which are isolated and disconnected from a power supply with little risk of loss of evidence.
    • Given the remote nature of cloud services, this assumption is not valid.
      – Services can be accessed by any system with a network connection to the hosting cloud.
      – Unless an investigator is able to gain control and disable a service, evidence could be destroyed relatively quickly, either by a service user or by the cloud provider.
      – The practicality of obtaining control of a cloud service during an on-going forensic investigation (no work exists on this as such).
      – Challenges include the speed with which an investigator can gain control of a service,
      – and the appropriate legal and regulatory framework that should be developed to enable this capability.
  • 17. DIGITAL FORENSICS IN CLOUD: Steps
    Digital Image Acquisition
    • Assuming the investigator has gained control of the cloud service:
      – it is necessary to obtain an accurate copy of the data held by the service for later analysis.
    • Collection of evidence from a cloud environment is likely to pose a challenge to investigators.
      – Triage tools and volatile and persistent memory acquisition software, as used in conventional investigations on a client computer, may provide minimal data.
    • Virtualized data stored in a cloud may be spread between many different physical devices.
    • To customers, data appears to be stored in a single location.
      – Physically this is not the case.
        • GFS is a "multi-tenant distributed" file system, which means that even if two users are within the same organization, their data could well reside in two or more different physical locations.
    • Use of virtualization also affects the privacy of other users.
      – Data may be inadvertently gathered during the investigation.
      – In some jurisdictions, inadvertent access to non-relevant data from a cloud environment may contravene local privacy and data protection legislation.
  • 18. DIGITAL FORENSICS IN CLOUD: Steps
    Live Acquisition
    • Live acquisitions and investigations are an alternative approach.
      – Data is examined on the target computer while it is still powered up.
      – This approach enables investigators to gather data that might otherwise be lost if a computer is powered down, particularly:
        • data stored in non-persistent memory, such as processes and information on active network connections;
        • temporary data stored in persistent memory, such as application file locks and web-browsing caches.
    • Live acquisition increases the amount of information extracted from a cloud client computer.
    • Concerns about data confidentiality and integrity:
      – CSPs are turning towards offering encryption as a security feature to their customers.
      – CSPs have implemented a 'zero knowledge system':
        • all data is encrypted client-side before being transmitted and stored in the cloud;
        • the keys used to encrypt data are never stored in the cloud.
  • 19. DIGITAL FORENSICS IN CLOUD: Steps
    Deleted Data
    • The cloud could both assist and hamper investigators.
    • Recovery of data that is deleted or otherwise destroyed by the suspect.
    • A HD or USB flash drive can be physically destroyed.
      – This is not the case with the cloud: unless the suspect has the knowledge and administrative authority to delete or 'destroy' data, this evidence will remain available to the investigator.
    • The volatility and elasticity of the cloud make the recovery of deleted data challenging.
      – Cloud providers also maintain that user privacy is a priority within their cloud environments.
      – Example: Google's current policy regarding deleted data is such that once a user deletes their data from Google Services, that data is then deleted from both active and replication servers. Pointers to this data are also deleted, making tracing remnants of user-deleted data extremely difficult.
    • The EC is encouraging implementation of the Data Retention Directive.
      – Member states are to ensure that communication providers retain certain information about their users, including the "userID", "IP address allocated at the time of the communication" as well as "the date and time of the log-in and log-off of the service" (European Union, May 2006).
  • 20. DIGITAL FORENSICS IN CLOUD: Steps
    Examination and Analysis
    • Dedicated forensic tool suites such as Forensic Tool Kit or EnCase are popular commercial choices.
    • The Sleuth Kit is an open source alternative.
      – These tool suites are used to perform 'pattern matching' and 'filtering', which can involve searching for specific filenames, file types, or content.
    • The significance of information artefacts as evidence is evaluated.
    • A narrative is developed, supported by the evidence and a timeline,
      – to explain how a crime was committed.
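Slide 20 describes examination as pattern matching and filtering by filename, file type and content. The block below is an added example, not part of the presentation or of any of the tool suites it names; it shows the three filters applied to a constructed set of in-memory files. File type is decided from the leading bytes (the real on-disk signatures for PDF, PNG, ZIP, gzip and ELF), which is what lets an examiner notice a container or binary that has been renamed to look harmless; the filenames, contents, the keyword "orion" and the per-type extension lists are assumptions made for the example.

```python
import re

# File signatures ("magic numbers") for a handful of common types. The signatures are the
# real on-disk values; the sample file set below is constructed for this example.
MAGIC = {
    "pdf":  b"%PDF-",
    "png":  b"\x89PNG\r\n\x1a\n",
    "zip":  b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "elf":  b"\x7fELF",
}

# Extensions under which each content type is legitimately found (assumed list); anything
# else is a mismatch worth a closer look, since renaming a container or executable is a
# classic way of hiding it from a filename-only search.
EXPECTED_EXT = {
    "pdf":  {"pdf"},
    "png":  {"png"},
    "zip":  {"zip", "docx", "xlsx", "pptx", "jar"},
    "gzip": {"gz", "tgz"},
    "elf":  {"", "so", "bin"},
}

# Constructed evidence set: name -> content bytes.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n... invoice for project ORION ...",
    "photo.jpg":  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,            # PNG bytes behind a .jpg name
    "notes.txt":  b"meeting with Orion supplier on 10 Oct",
    "backup.dat": b"PK\x03\x04" + b"\x00" * 8 + b"orion.xlsx",   # ZIP container renamed to .dat
    "tool":       b"\x7fELF\x02\x01\x01" + b"\x00" * 9,          # extension-less binary, expected
}


def identify_type(data):
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def extension_of(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def extension_mismatches(files):
    """Names whose extension does not belong to the type their content signature indicates."""
    found = []
    for name, data in files.items():
        kind = identify_type(data)
        if kind != "unknown" and extension_of(name) not in EXPECTED_EXT[kind]:
            found.append(name)
    return sorted(found)


def keyword_hits(files, pattern):
    """Case-insensitive content search; returns {name: [byte offsets]} for files with a hit."""
    rx = re.compile(pattern.encode(), re.IGNORECASE)
    hits = {}
    for name, data in files.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def filter_by_type(files, wanted):
    """Keep only files whose content (not name) is one of the wanted types."""
    return sorted(n for n, d in files.items() if identify_type(d) in wanted)


def examine(files=SAMPLE_FILES, keyword="orion"):
    """One summary row per file, in the shape an examiner would carry into a report."""
    mismatches = set(extension_mismatches(files))
    hits = keyword_hits(files, keyword)
    return {
        name: {
            "type": identify_type(data),
            "extension_mismatch": name in mismatches,
            "keyword_hits": len(hits.get(name, [])),
        }
        for name, data in files.items()
    }


if __name__ == "__main__":
    for name, row in examine().items():
        print(f"{name:<12} {row}")
```

The keyword search runs over raw bytes, so it finds the string inside the ZIP central directory of the renamed archive as well as in plain text; for compressed or encrypted content a real examination would first carve or extract the container, which this example does not do.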
  • 21. DIGITAL FORENSICS IN CLOUD: Steps
    Validation using Hashing Tools
    • Hashing tools are used to validate the integrity of data.
    • Hash values can be computed for disk images, files or other data
      – to gain assurance that the evidence has not been changed by an analysis.
    • Data stored in a cloud can also be subjected to hashing for integrity.
      – Example: Amazon S3 and Web Services (AWS) have both implemented MD5 hashing checksums for objects stored in their services. An investigator can record these checksums to show that any evidence acquired has remained unchanged during the investigation.
      – Hashing tools implemented, deployed and controlled by cloud providers do raise some challenges.
      – The investigator has less opportunity to test and evaluate the hashing features in a cloud, compared with tools developed for use on conventional desktop PCs.
      – The investigator's ability to validate the correctness of their tools is limited.
    • Responsibility for assessing the reliability of testimony lies with the trial judge.
    • The principles of the scientific method guide judgements of acceptability.
      – The conduct of forensic investigations in cloud environments in both the United States and the United Kingdom will presumably be subject to the same tests, if the resulting evidence is to be admissible in court.
  • 22. Forensic Tools in Cloud
    Forensics Tools
    • EnCase – Servlets
    • AccessData – FTK Agents
    • FastDump – HBGary
    • Memoryze – Mandiant
    Using Forensics Tools in Cloud
    • Amazon stores VHD / Elastic Block Storage (EBS) volumes in Simple Storage Service (S3), not exposed to end users.
    • Two options to obtain data from an entire volume:
      1. Create a snapshot from the drive being investigated, create a volume from that snapshot, attach it as read only, and create an ISO image.
      2. Detach the target volume from the host, use the dd tool and download.
    • This activity may take many man-hours.
    • 2TB of data could take 85 hours of processing time.
    • EnCase and Forensic Toolkit can analyse VMware data files but not snapshots which include suspended memory.
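Slides 21 and 22 together describe the acquisition-and-validation loop: copy the volume byte for byte (the dd option), hash it, record the hashes in the chain of custody, and re-hash later to show nothing changed, optionally comparing against the MD5 checksum the provider reports for the object. The block below is an added example and not code from the presentation or from any of the tools it lists; it streams a constructed 3 MiB "volume" into an image file while hashing it, re-reads the image independently, emits a chain-of-custody record, and then shows the verification failing after a single byte of the image is altered. The case id, examiner name, file names and the volume contents are placeholders constructed for the example; the `provider_md5` value stands in for a checksum a provider would report.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB per read, the role dd's bs= plays; images never need to fit in RAM
ALGORITHMS = ("md5", "sha256")  # MD5 to compare with provider checksums, SHA-256 for the record


def hash_file(path):
    """Chunked hashing of a file; returns {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire_image(source_path, image_path, case_id, examiner):
    """Byte-for-byte copy of the (read-only attached) volume, hashing the source as it streams
    past and re-hashing the written image afterwards; returns the chain-of-custody record."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    source_hashes = {a: h.hexdigest() for a, h in hashers.items()}
    image_hashes = hash_file(image_path)  # independent read-back of what landed on disk
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "acquisition_started": started,
        "acquisition_completed": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(image_path, record):
    """Re-hash the image at any later point (before analysis, before court) and confirm it
    still matches what was recorded at acquisition."""
    return hash_file(image_path) == record["image_hashes"]


def matches_provider_checksum(record, provider_md5):
    """Compare the recorded MD5 with the checksum the provider reports for the object."""
    return record["image_hashes"]["md5"].lower() == provider_md5.strip('"').lower()


def demo():
    """Constructed end-to-end run in a temp directory: acquire, verify, tamper, verify again."""
    volume = bytes(range(256)) * 4096 * 3  # 3 MiB of constructed 'volume' content
    provider_md5 = hashlib.md5(volume).hexdigest()  # stands in for the provider-reported checksum
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "vol-constructed.raw")
        img = os.path.join(tmp, "evidence-001.dd")
        with open(src, "wb") as f:
            f.write(volume)
        record = acquire_image(src, img, case_id="CASE-PLACEHOLDER", examiner="examiner-placeholder")
        intact = verify_image(img, record)
        provider_ok = matches_provider_checksum(record, provider_md5)
        with open(img, "r+b") as f:  # simulate a single-byte change after acquisition
            f.seek(1234)
            original = f.read(1)
            f.seek(1234)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_still_verifies = verify_image(img, record)
    return record["verified"], intact, provider_ok, tampered_still_verifies


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes: the provider-side checksum is only useful for the comparison if it really is an MD5 of the whole object (for S3, the ETag is the object's MD5 only for single-part uploads without customer- or KMS-managed encryption; multipart uploads produce an ETag that is not a plain MD5), and the record should be written out alongside the image and itself hashed, since the slide's point is that the examiner's own tooling, not the provider's, is what a court will ask them to explain.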
  • 23. Summary
    • Traditional software tools of computer forensics are inadequate for cloud computing forensics due to the inaccessibility of the physical devices.
    • Cloud forensics is challenging due to the rapidly evolving technology.
    • Forensic tools employ standard data sets, but it is unclear how these could be developed for cloud forensic methods.
      – Empirical testing of forensic tools typically employs standard data sets.
    • There is a clear need to develop a standard evaluation method and data set for cloud forensics.
    • ...the court does not have a true universally accepted method to rely upon. To further complicate the problem, many self-proclaimed computer forensics experts take what they feel are the best aspects of several approaches and create their own methodology.
  • 24. References
    1. Cloud Forensics: Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie
    2. Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics: George Grispos, Tim Storer, William Bradley
    3. Cloud Forensics: Anupam Tiwari
    Questions…….

Editor's Notes

  1. Google App Engine (often referred to as GAE or simply App Engine) is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Google-managed data centers. Applications are sandboxed and run across multiple servers.[1] App Engine offers automatic scaling for web applications—as the number of requests increases for an application, App Engine automatically allocates more resources for the web application to handle the additional demand
  2. Amazon Web Services AWS
  3. Elastic Cloud
  4. Assuming the investigator has gained control of the cloud service, it is necessary to obtain an accurate copy of the data held by the service for later analysis. Typically, a storage device is connected to an investigator's own computer via a write-blocker; a byte-for-byte copy of the entire device (an image) is then made using a software tool such as AccessData's FTK Imager or the open-source tool dd. If multiple copies of the image are taken, digital hashes of each image can be taken to check whether the source image has been changed. Collection of evidence from a cloud environment is likely to pose a challenge to investigators. Triage tools and volatile and persistent memory acquisition software, as used in conventional investigations on a client computer, may provide minimal data.
  5. In the United States and the United Kingdom (UK), expert scientific testimony in trials is largely guided by the Daubert standard. The UK Law Commission interprets the four Daubert principles as (The Law Commission, 2009):