1. The Trouble with Cloud Forensics
Sharique M. Rizvi
Head of IT Security & Forensic Investigations
2. Agenda
• Forensics
– Definitions & Models
• Cloud Forensics Challenges
– Evidence
– Collection
– Validation
– Preservation
• Cloud Forensics Strategy
• Network Forensics
• Cloud Forensics Process and Tools
The Trouble with Cloud Forensics
3. Cloud Forensics
Introduction
Digital Forensics:
•Digital Forensics is the application of science for the identification, examination, collection, and
analysis of data while preserving the information and maintaining a strict chain of custody for the
evidence.
•Digital Forensics is the application of investigation and analysis techniques to gather and preserve
evidence from a particular computing device in a way that is suitable for presentation in a court of law.
4. Network Forensics
•Network forensics is a sub-branch of digital forensics involving the monitoring and
analysis of computer network traffic for the purpose of information gathering, legal
evidence, or intrusion detection. Network investigations deal with volatile and dynamic
information.
Cloud Forensics:
•Cloud forensics is the application of digital forensics in cloud computing as a subset of
network forensics. Basically, it is a cross-discipline between cloud computing and digital
forensics. (NIST: National Institute of Standards and Technology)
5. Cloud Computing
Services Models
Software as a Service (SaaS)
•Clients use software applications available from the cloud provider.
– Typically, users interact with SaaS applications using a web browser.
– An example of SaaS is the Google Apps suite offered by Google.
• Clients can use this service to deploy an email and collaboration platform within their organizations, and make
use of Google Docs, Calendar, Gmail and other productivity applications. All data generated using the
applications is stored in the cloud.
6. Service Models
Platform as a Service (PaaS)
•Provides an application programming interface (API) for clients to create and host
custom-built applications.
– An example of PaaS is Google App Engine,
• which provides a platform for developers to create and host web-based applications.
• PaaS also includes cloud providers offering database management systems such as Amazon SimpleDB
Infrastructure as a Service (IaaS)
•Leasing of virtualized computing resources such as processing power, volatile memory
and persistent storage space to host virtual machines.
– Example Amazon EC2, which allows clients to create and launch virtual machines running a variety of
operating systems.
– These can then be loaded with customer-specified applications
– The virtual machine image can be stored and re-deployed, according to the client's requirements
7. Service Models
• The way services are deployed in a cloud can influence the evidence available to an investigator
and the way it is collected.
• Example
– IaaS platforms present an interface to a user that is indistinguishable from that of a remote physical server,
– but the data that represents an IaaS-based server is inherently more volatile.
– SaaS and PaaS models restrict the flexibility with which users can interact with a cloud platform,
either by offering a restricted set of applications or by specifying the constraints within which new software can be
created.
– Data on these services is stored by the cloud owner, not by the user.
8. Deployment Models
Private Cloud
•Infrastructure is operated solely by the organization
•The cloud will likely be found within the same premises
•It remains within the organization’s administrative control and contains only the organization’s data
Public Clouds
•Owned by a provider organization
•Cloud facilities in one or more corporate data centres
•The administrative control resides with the provider
•Consumers lease virtual storage and compute resources as required
•Contains data from more than one user.
Community Cloud
•Shared between several organizations
•Serves a common organizational goal, or pools IT resources.
•Located within one or more premises and administered by the community
Hybrid Cloud
•Composition of two or more of the above deployment options.
•Used to provide load balancing across multiple clouds.
– Example, an organization may have exhausted the available resources within its private cloud, and so incorporate resources
available on lease from a public cloud.
9. Consequences
• These different organizational configurations may have an impact on the way that data can be collected
as evidence.
• The data held in a cloud may be physically stored in one or more geographically
distributed locations, making the determination of which legal framework and
procedures to apply to the evidence gathering process difficult.
• In summary, multiple deployment options and the variety of services offered to cloud
users introduce new challenges when conducting digital forensic investigations in
these environments.
10. Cloud Forensics Challenges
Establishing forensic capabilities for the cloud will be difficult without clearing several enormous hurdles.
The legal dimension
•No agreements among cloud organizations for collaborative investigation
•The majority of SLAs have no such terms and conditions present
•No segregation of responsibilities between CSPs and customers
•Policies and cyber laws differ from region to region
•Conflicts and issues arise from multi-jurisdiction investigations
Forensic Data Collection
•Cloud customers encounter issues with access to forensic data, depending on the cloud model.
– IaaS users may easily access all data required for a forensic investigation
– SaaS customers may not be able to access the pertinent data they need.
•Cloud customers lack access to forensic data about where their data is physically located
– They can only specify the location of their data at a higher level of abstraction, typically as a virtual object or container.
•CSPs hide the physical location of the data
– To facilitate data movement and replication.
11. Cloud Forensics Challenges
• CSPs avoid providing services or interfaces for gathering forensic data in the cloud.
– SaaS providers will not provide IP logs of clients accessing content
– IaaS providers will not provide copies of recent VM states and disk images.
• The cloud, as it functions today, does not give end users
– Access to all the relevant log files and metadata
– The ability to audit the operations of the network used by their provider
– The ability to conduct real-time monitoring on their own networks.
Time synchronization
• Time synchronization is vital for audit logs
– Used as a source of evidence in investigations.
– A cloud environment needs to synchronize timestamps consistently across devices located in different time zones,
between equipment, and with remote web clients that include numerous end points.
Log Formats
• Consolidation of log formats is an issue in network forensics,
• Some providers intentionally create proprietary log formats
Example
– Amazon’s AWS gives the right to change the original snapshot only to the AWS account that created the volume.
– Once the AWS account owner deletes data within the domain, the removal of the mapping starts immediately and is completed
within seconds. After that, there is no longer any way to access the deleted data remotely.
– The storage space once occupied by that data is made available for future write operations, and it is very likely that the storage space
will be overwritten by newly stored data.
– While some deleted data may still be recoverable from the snapshot even after deletion, the challenge is in recovering it,
identifying its ownership, and using the information as a means of plotting out what happened in the cloud.
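The time-synchronization and log-format problems described above can be seen concretely by normalising a few log lines. The following added example (not from the slides) parses three constructed log lines in different formats and time zones into one UTC-ordered timeline; the host time zone and year assumed for the syslog-style line are labelled assumptions, since in practice they must come from the host's configuration.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real logs): three sources, three formats, three zones.
SAMPLE_LOGS = [
    # Source A: ISO 8601 with explicit offset (application log written in IST, UTC+5:30)
    "appA 2023-05-04T10:15:02+05:30 user=alice action=login",
    # Source B: Apache common log format with offset (web front end in US Eastern, UTC-4)
    'webB 203.0.113.7 - - [04/May/2023:00:44:59 -0400] "GET /docs HTTP/1.1" 200 512',
    # Source C: syslog-style line with no zone and no year (hostC's local clock)
    "May  4 06:45:01 hostC sshd[811]: Accepted publickey for alice",
]

# Assumptions for source C; on a real host they come from its configuration:
HOSTC_TZ = timezone(timedelta(hours=2))   # hostC logs local time, UTC+2
HOSTC_YEAR = 2023                         # syslog lines omit the year

ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")
CLF_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+")


def parse_timestamp(line):
    """Return the line's timestamp as an aware UTC datetime, or None if unrecognised."""
    m = ISO_RE.search(line)
    if m:
        return datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
    m = CLF_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    m = SYSLOG_RE.match(line)
    if m:
        naive = datetime.strptime(f"{HOSTC_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=HOSTC_TZ).astimezone(timezone.utc)
    return None


def build_timeline(lines):
    """Order lines by UTC time; lines with no parsable timestamp are kept at the end
    so that nothing is silently dropped from the evidence set."""
    dated = [(parse_timestamp(l), l) for l in lines]
    ordered = sorted((e for e in dated if e[0] is not None), key=lambda e: e[0])
    undated = [e for e in dated if e[0] is None]
    return [(ts.isoformat() if ts else None, l) for ts, l in ordered + undated]


if __name__ == "__main__":
    # The three local times look hours apart; in UTC they fall within three seconds.
    for ts, line in build_timeline(SAMPLE_LOGS):
        print(ts, line)
```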
12. Cloud Forensics Challenges
Evidence Segregation
•The various instances of VMs running on the same physical machine are completely isolated from each other via hypervisor.
•The instances are treated as if they are on separate physical hosts
•No access to each other despite being hosted on the same machine.
Virtualized Environments
– Data and computing power redundancy is achieved by replicating and distributing resources.
– CSPs do this by using different instances of a cloud computing environment within a virtualized environment
– Each instance runs as a standalone VM that is monitored by a hypervisor.
– Attackers can target the hypervisor; a successful attack gives them free rein over all the machines being managed by it.
•Lack of policies, techniques, and procedures on the hypervisor that facilitate investigation.
•There are currently no tools, policies, procedures, or agreements that address cross-provider investigations.
Multi-Jurisdiction and Multi-Tenancy
•Legislation in the countries and states where the cloud and its customers reside differs vastly,
•Investigations can be hampered by these differences in law and jurisdiction.
13. Amazon EC2
PlayStation Network Attack
Case
•An attack that brought down Sony’s PlayStation Network
•Amazon’s cloud services were used for the break-in
•The hackers signed up for legitimate server rentals on Amazon EC2
•The attackers were able to gain access within Sony’s network
•Sony noticed a batch of servers unexpectedly rebooted
•Investigation discovered that an intruder was in the PlayStation Network
Observation
"The forensic teams confirm that intruders had used very sophisticated and aggressive techniques to obtain
unauthorized access, hide their presence from system administrators and escalate privileges inside the servers"
•The intruders deleted log files in order to hide the extent of their work and activity within the
network.
•Personal data of 77 million users compromised
14. DIGITAL FORENSICS IN CLOUD
First Step
Identification
•Identify that a potential criminal or improper act has taken place involving computer-based systems.
•These events may relate to traditional crimes or activity using IT, or IT-specific crimes.
– Examples include complaints made by individuals, anomalies detected by an IDS, monitoring and profiling, or the results of an audit of a
computer system.
– The identification phase is not just concerned with digital forensics; it also affects how the investigation is conducted
and defines the purpose for conducting the investigation.
– The detection of suspicious events in a cloud will depend on the deployment model adopted and the form of cloud services (SaaS,
PaaS or IaaS) used.
Preservation and Collection
•Collecting data from computer-based systems as evidence that a crime or another illicit act has been committed
•Legal and forensic standards require that forensic evidence be testable
•and that the methods used to produce evidence be repeatable.
•Ensure the integrity of data throughout the investigation life cycle
•Several aspects of the preservation phase are affected by the use of a cloud environment.
15. DIGITAL FORENSICS IN CLOUD
Steps..
Storage Capacity
•A prerequisite of evidence preservation is having sufficient secure storage capacity available
•Increasing data volumes impose extra costs on investigators
– the responsibility to store and curate the data
– the increasing amount of investigator time required to examine it.
•Cloud environments exacerbate the problem of data storage.
– Services have the elastic ability to dynamically scale their storage capabilities according to on-going requirements.
– Typical public IaaS clouds offer limitless data storage capability as and when required
– Investigators may be faced with gathering an extremely large amount of data
•One solution is to use public clouds to store evidence for later restoration
– This too will bring its own challenges, from both a legal and a technical perspective.
– Investigators will need to address the rules and regulations regarding data protection and privacy issues, and their impact on
evidence stored in the cloud.
16. DIGITAL FORENSICS IN CLOUD
Steps..
Chain of Custody
•Conventional accepted practice is to maintain a chain of custody (CoC) for evidence
•The CoC provides the history for the lifetime of the evidence discovered:
•how the evidence was gathered and managed, by whom, and when
– In a conventional investigation, the chain of custody begins when an investigator assumes physical control of digital electronic
artefacts (and any incorporated storage devices) that are suspected to be pertinent to the investigation.
– There are two methods of preserving data on a PC:
• Powering down the computer by a command to the OS causing a shutdown
• Removing the power source, causing an immediate halt.
• Storage devices can then be removed from the computer and examined separately.
– The CoC documentation refers to these devices, which are isolated and disconnected from a power supply with little risk of loss of
evidence.
•Given the remote nature of cloud services, this assumption is not valid.
– Services can be accessed by any system with a network connection to the hosting cloud.
– Unless an investigator is able to gain control and disable a service, evidence could be destroyed relatively quickly,
either by a service user or by the cloud provider.
– The practicality of obtaining control of a cloud service during an on-going forensic investigation has not been addressed (no work as such).
– Challenges include the speed with which an investigator can gain control of a service,
– and the appropriate legal and regulatory framework that should be developed to enable this capability.
17. DIGITAL FORENSICS IN CLOUD
Steps..
Digital Image Acquisition
•Assuming the investigator has gained control of the cloud service
– It is necessary to obtain an accurate copy of the data held by the service for later analysis
•Collection of evidence from a cloud environment is likely to pose a challenge to investigators.
– Triage tools, volatile and persistent memory acquisition software, as used in conventional investigations, on a client computer may
provide minimal data.
•Virtualized data stored on a cloud may be spread between many different physical devices
•To customers, data appears to be stored in a single location
– Physically this is not the case.
• GFS is a “multi-tenant distributed” file system which means that even if two users are within the same organization, their
data could well reside in two or more different physical locations
•Use of virtualization also affects the privacy of other users
– Data may be inadvertently gathered during the investigation.
– In some jurisdictions, inadvertent access of non-relevant data from a cloud environment may contravene local privacy
and data protection legislation.
18. DIGITAL FORENSICS IN CLOUD
Steps..
Live Acquisition
•Live acquisitions and investigations are an alternative approach
– Data is examined on the target computer while it is still powered up.
– This approach enables investigators to gather data that might otherwise be lost if a computer is powered down,
particularly:
• Data stored in non-persistent memory, such as processes and information on active network connections.
• Temporary data stored in persistent memory, such as application file locks, and web-browsing caches.
•Live acquisition increases the amount of information extracted from a cloud client computer
•Concerns about data confidentiality and integrity
– CSPs are turning towards encryption as a security offering to their customers
– CSPs have implemented a ‘zero knowledge system’:
• All data is encrypted client-side before being transmitted and stored in the cloud,
• The keys used to encrypt data are never stored in the cloud.
19. DIGITAL FORENSICS IN CLOUD
Steps..
Deleted Data
•The cloud could both assist and hamper investigators
•in recovering data that has been deleted or otherwise destroyed by the suspect.
•A hard disk or USB flash drive can be physically destroyed
– This is not the case with the cloud: unless the suspect has the knowledge and administrative authority to delete or
‘destroy’ data, the evidence will remain available to the investigator.
•The volatility and elasticity of cloud make the recovery of deleted data challenging.
– Also cloud providers maintain that user privacy is a priority within their cloud environments.
– Example, Google’s current policy regarding deleted data is such that once a user deletes their data from
Google Services, that data is then deleted from both active and replication servers. Pointers to this data are
also deleted, making tracing remnants of user deleted data extremely difficult.
•The EC is encouraging implementation of the Data Retention Directive
– Member states must ensure that communication providers retain certain information about their users, including the
“userID”, “IP address allocated at the time of the communication” as well as “the date and time of the log-in and log-off of
the service” (European Union, May 2006).
20. DIGITAL FORENSICS IN CLOUD
Steps..
Examination and Analysis
•Dedicated forensic tool suites such as Forensic Toolkit (FTK) or EnCase are popular commercial choices.
•The Sleuth Kit is an open source alternative.
– These tool suites are used to perform ‘pattern matching’ and ‘filtering’, which can involve searching for specific
filenames, file types, or content.
•The significance of information artefacts as evidence is evaluated.
•A narrative is developed, supported by the evidence and a timeline
– To explain how a crime was committed.
21. DIGITAL FORENSICS IN CLOUD
Steps..
Validation using Hashing Tools
•Hashing tools are used to validate the integrity of data
•Hash values can be computed for disk images, files or other data
– to gain assurance that the evidence has not been changed by an analysis
•Data stored in a cloud can also be subjected to hashing for integrity
– Example: Amazon S3 and Amazon Web Services (AWS) have both implemented MD5 hashing checksums for objects stored
in their services. An investigator can record these checksums to show that any evidence acquired has remained
unchanged during the investigation.
– The hashing tools implemented, deployed and controlled by cloud providers do raise some challenges.
– The investigator has less opportunity to test and evaluate the hashing features in a cloud, compared with tools
developed for use on conventional desktop PCs.
– The investigator’s ability to validate the correctness of their tools is limited
•Responsibility for assessing the reliability of testimony lies with the trial judge.
•The principles of the scientific method are to guide judgements of acceptability.
– The conduct of forensic investigations in cloud environments in both the United States and the United Kingdom
will presumably be subject to the same tests, if the resulting evidence is to be admissible in court.
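An added example, not from the slides, of checking an acquired copy of an object against the MD5-based checksum (ETag) that S3 reports. It assumes S3's documented ETag behaviour: a single-part upload without SSE-KMS has an ETag equal to the hex MD5 of the object, while a multipart upload's ETag is the MD5 of the concatenated binary part MD5s followed by "-<part count>"; the sample object and the tiny candidate part sizes are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample object (not real evidence): 112 bytes.
SAMPLE_OBJECT = b"constructed evidence object " * 4

MULTIPART_ETAG_RE = re.compile(r"^([0-9a-f]{32})-(\d+)$")


def single_part_etag(data: bytes) -> str:
    """ETag of a single-part (PutObject) upload without SSE-KMS: plain hex MD5."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag of a multipart upload: MD5 over the concatenated binary MD5s of each
    part, then '-<number of parts>'. It is not an MD5 of the object itself."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    part_digests = [hashlib.md5(data[i:i + part_size]).digest()
                    for i in range(0, len(data), part_size)]
    return hashlib.md5(b"".join(part_digests)).hexdigest() + f"-{len(part_digests)}"


def verify_against_etag(data: bytes, etag: str, candidate_part_sizes=(5, 8, 15, 16, 64)) -> dict:
    """Check acquired bytes against the ETag S3 reported for the object.
    A multipart ETag does not reveal the part size, so plausible sizes are tried;
    the candidates here are tiny to suit the sample (real uploads commonly use
    multi-MiB parts such as 8 MiB or 16 MiB, which is where to look first)."""
    etag = etag.strip('"')
    m = MULTIPART_ETAG_RE.match(etag)
    if not m:
        return {"match": single_part_etag(data) == etag, "kind": "single", "part_size": None}
    parts = int(m.group(2))
    for size in candidate_part_sizes:
        if -(-len(data) // size) != parts:      # ceiling division: part count must agree
            continue
        if multipart_etag(data, size) == etag:
            return {"match": True, "kind": "multipart", "part_size": size}
    return {"match": False, "kind": "multipart", "part_size": None}


def evidence_record(data: bytes, reported_etag: str) -> dict:
    """Record the provider's checksum check next to an independently computed
    SHA-256: MD5 is what the provider offers, not what the examiner would choose."""
    result = verify_against_etag(data, reported_etag)
    return {"bytes": len(data), "etag": reported_etag, "etag_match": result["match"],
            "etag_kind": result["kind"], "sha256": hashlib.sha256(data).hexdigest()}
```

A mismatch on a multipart ETag does not by itself prove tampering: it may simply mean the upload used a part size outside the candidates tried, or that the object was encrypted with SSE-KMS, where the ETag is not an MD5 at all.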
22. Forensic Tools in Cloud
Forensics Tools
•EnCase – Servlets
•AccessData – FTK Agents
•FastDump – HBGary
•Memoryze – Mandiant
Using Forensics Tools in Cloud
•Amazon stores VHDs and Elastic Block Store (EBS) volumes in the Simple Storage Service (S3); this storage is not
exposed to end users.
•There are two options for obtaining the data from an entire volume:
1. Create a snapshot of the drive being investigated, create a volume from that snapshot, attach it as read-only, and
create an ISO image
2. Detach the target volume from the host, then use the dd tool and download the image.
•This activity may take many man-hours
•2 TB of data could take 85 hours of processing time.
•EnCase and Forensic Toolkit can analyse VMware data files but not snapshots which include
suspended memory.
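Option 2 above (detach the volume, image it with dd, download) together with the chain-of-custody requirements from the Preservation slides, as an added example that is not from the slides. A constructed file stands in for the detached volume (on a real host the source would be a block device such as /dev/xvdf, a hypothetical name here, opened read-only); the copy is hashed while it is written, then re-read and re-hashed to confirm the copy, marked read-only, and summarised in a chain-of-custody record.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size, the equivalent of dd's bs=


def _hash_stream(fh, sink=None, chunk=CHUNK):
    """Read fh to the end, hashing every byte; optionally copy it to sink.
    Returns (byte count, md5 hex, sha256 hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    count = 0
    while True:
        buf = fh.read(chunk)
        if not buf:
            break
        md5.update(buf)
        sha.update(buf)
        if sink is not None:
            sink.write(buf)
        count += len(buf)
    return count, md5.hexdigest(), sha.hexdigest()


def acquire_image(source_path, image_path, examiner, case_id):
    """Image source_path to image_path, verify the written copy, and return a
    chain-of-custody record: who, when, source, size and hashes."""
    started = datetime.now(timezone.utc)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        size, md5_src, sha_src = _hash_stream(src, sink=dst)
    os.chmod(image_path, 0o444)            # the image is never written again
    with open(image_path, "rb") as img:    # independent re-read of what was stored
        verified = _hash_stream(img) == (size, md5_src, sha_src)
    return {
        "case_id": case_id, "examiner": examiner,
        "source": source_path, "image": image_path,
        "acquired_at_utc": started.isoformat(), "bytes": size,
        "md5": md5_src, "sha256": sha_src, "verified": verified,
    }


def demo_acquire(payload=b"constructed volume contents\x00" * 3000,
                 examiner="examiner-1", case_id="CASE-EXAMPLE"):
    """Create a stand-in 'volume' file from constructed bytes and acquire it."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "volume-stand-in.bin")   # stands in for /dev/xvdf
    image = os.path.join(workdir, "volume-stand-in.dd")
    with open(source, "wb") as f:
        f.write(payload)
    return acquire_image(source, image, examiner, case_id)


if __name__ == "__main__":
    for key, value in demo_acquire().items():
        print(f"{key}: {value}")
```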
23. Summary
• Traditional software tools of computer forensics are inadequate in cloud computing forensics due to inaccessibility
of the physical devices.
• Cloud forensics is challenging due to the rapidly evolving technology.
• Empirical testing of forensic tools typically employs standard data sets, but it is unclear how these could be developed for cloud forensic
methods.
• There is a clear need to develop a standard evaluation method and data set for cloud forensics
• ...the court does not have a true universally accepted method to rely upon. To further complicate the problem,
many self-proclaimed computer forensics experts take what they feel are the best aspects of several approaches
and create their own methodology.
24. References
1. Cloud Forensics: Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie
2. Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics:
George Grispos, Tim Storer, William Bradley
3. Cloud Forensics: Anupam Tiwari
Questions…….
Editor's Notes
Google App Engine (often referred to as GAE or simply App Engine) is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Google-managed data centers. Applications are sandboxed and run across multiple servers. App Engine offers automatic scaling for web applications: as the number of requests increases for an application, App Engine automatically allocates more resources for the web application to handle the additional demand.
Amazon Web Services AWS
Elastic Cloud
Typically, a storage device is connected to an investigator’s own computer via a write-blocker; a byte-for-byte copy of the entire device (an image) is then made using a software tool such as AccessData’s FTK Imager or the open-source tool dd.
If multiple copies of the image are taken, digital hashes of each image can be computed to check whether the source image has been changed.
In the United States and the United Kingdom (UK), expert scientific testimony in trials is largely guided by the Daubert standard. The UK Law Commission interprets the four Daubert principles as (The Law Commission, 2009):