NIST Cloud Computing Forensic Science Working Group

Transcription

1 NIST Cloud Computing Forensic Science Working Group Dr. Martin Herman Information Technology Laboratory (ITL) National Institute of Standards and Technology

2 NIST Cloud Computing Forensic Science Working Group (NCC-FSWG): Who We are NIST Public Working Group -- Established in November 2012 Voluntary open membership (international) Active participants meet bi-weekly by conference call Cloud Forensics Practitioners Cloud Providers Academia US Government User Community International Participants NIST Leadership (Co-chairs Dr. Michaela Iorga and Eric Simmon, and Dr. Martin Herman, NIST Senior Advisor) About 190 members in mailing list, with about 10 bi-weekly participants Twiki Website: 4/15/ :59 PM 2

3 NCC-FSWG - Goals Gather inputs dealing with cloud forensic challenges Identify and aggregate published cloud forensic challenges Analyze challenges Prioritize the challenges Based on importance, urgency Based on whether solutions involve technology, standards, or measurement methods Choose the highest priority challenges and determine gaps in technology, standards and measurements to address these challenges Develop a roadmap to address these gaps 4/15/ :59 PM 3

4 NCC-FSWG Current Status Challenges spreadsheet aggregation of published challenges (~65) and analysis White paper describing preliminary analysis of cloud forensic challenges progress report NIST Cloud Computing Forensic Science Challenges First draft almost complete and will be released very shortly for public comments Authored collectively by NCC-FSWG bi-weekly participants 4/15/ :59 PM 4

5 Contributors to White Paper Michaela Iorga Martin Herman Eric Simmon Keyun Ruan Mike Salim Josiah Dykstra Kenneth Zatyko Bob Jackson Lon Gowen Ernesto Rojas Laura Taylor Scot Reemelin Ken Stavinoha Karla Holm Kristy Westphal Tony Rutkowski Fred Cohen Nancy Landreville Anil Karmel Pw Carey Mark Potter Ragib Hasan 4/15/ :59 PM 5

6 Cloud Computing Forensic Science Challenges Actor/Stakeholder identifies the stakeholder(s) who is affected by the challenge Action/Operation - identifies the activity that the stakeholder would like to perform Object of This Action identifies the specific item upon which the action is to be performed Reason identifies the primary challenges that the stakeholder faces in order to perform the specified action on the object 4/15/ :59 PM 6

7 Cloud Computing Forensic Science Challenges Each challenge needs to be relevant to the essential characteristics of the NIST Definition of Cloud Computing* Each challenge labeled with one or more relevant characteristic OD = On-demand self-service BNA = Broad network access RP = Resource pooling RE = Rapid elasticity MS = Measured service * Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing. NIST SP , September /15/ :59 PM 7

8 Cloud Computing Forensic Science Challenges Patterns of aggregation (or categories ) emerged Challenges related to: Architecture Data collection Analysis of cloud forensic data Anti-forensics Incident first responders Role management Legal issues Standards Training 4/15/ :59 PM 8

9

10 Architecture Challenges Issues include diversity, complexity, provenance, multitenancy, data segregation, etc. Challenge examples Dealing with variability in cloud architectures between providers Tenant data compartmentalization and isolation during resource provisioning Proliferation of system, locations and endpoints that can store data Accurate and secure provenance for maintaining and preserving chain of custody Infrastructure to support seizure of cloud resources without disrupting other tenants 4/15/ :59 PM 10

11 Data Collection Challenges Issues include data integrity, data recovery, data location, imaging, etc. Challenge examples Locating forensic artifacts in large, distributed and dynamic systems Locating and collecting volatile data Data collection from virtual machines Data integrity in a multi-tenant environment where data are shared among multiple computers in multiple locations and accessible by multiple parties Inability to image all the forensic artifacts in the cloud Accessing the data of one tenant without breaching the confidentiality of other tenants Recovery of deleted data in a shared and distributed virtual environment 4/15/ :59 PM 11

12 Analysis Challenges Issues include correlation, reconstruction, time synchronization, logs, metadata, timelines, etc. Challenge examples Correlation of forensic artifacts across and within cloud providers Reconstruction of events from virtual images or storage Integrity of metadata Timeline analysis of log data including synchronization of timestamps 4/15/ :59 PM 12

13 Anti-forensics Challenges Issues include obfuscation, data hiding, malware, etc. Anti-forensics are a set of techniques used specifically to prevent or mislead forensic analysis Challenge examples The use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence Malware may circumvent virtual machine isolation methods 4/15/ :59 PM 13

14 Incident First Responder Challenges Issues include trustworthiness of cloud providers, response time, reconstruction, etc. Challenge examples Confidence, competence, and trustworthiness of the cloud providers to act as first-responders and perform data collection Difficulty in performing initial triage Processing a large volume of forensic artifacts collected 4/15/ :59 PM 14

15 Role Management Challenges Issues include data owners, identity management, users, access control, etc. Challenge examples Uniquely identifying the owner of an account Decoupling between cloud user credentials and physical users Ease of anonymity and creating fictitious identities online Determining exact ownership of data Authentication and access control 4/15/ :59 PM 15

16 Legal Challenges Issues include jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics, etc. Challenge examples Identifying and addressing issues of jurisdictions for legal access to data Lack of effective channels for international communication and cooperation during an investigation Data acquisition that relies on the cooperation of cloud providers, as well as their competence and trustworthiness Missing terms in contracts and service level agreements Issuing subpoenas without knowledge of the physical location of data Seizure and confiscation of cloud resources may interrupt business continuity of other tenants 4/15/ :59 PM 16

17 Standards Challenges Issues include standard operating procedures, interoperability, testing, validation, etc. Challenge examples Standards challenges in cloud forensics include lack of even minimum/basic SOPs, practices, and tools Lack of interoperability among cloud providers Lack of test and validation procedures 4/15/ :59 PM 17

18 Training Challenges Issues include forensic investigators, cloud providers, qualification, certification, etc. Challenge examples Misuse of digital forensic training materials that are not applicable to cloud forensics Lack of cloud forensic training and expertise for both investigators and instructors Limited knowledge by record-keeping personnel in cloud providers about evidence 4/15/ :59 PM 18

19 Cloud Computing Forensic Science Challenges Aggregation led to Mind Map Visual representation of Groups of challenges Relationships between challenges Categories and sub-categories of challenges E.g., Category: data collection Subcategories: Data Integrity and Data Recovery Primary and related categories Every challenge could be placed into a primary category Many challenges could also be placed in related categories 4/15/ :59 PM 19

20 Mindmap (PRIMARY) 4/15/ :59 PM 20

21 Mindmap (RELATED) 4/15/ :59 PM 21

22 Complete Mindmap 4/15/ :59 PM 22

23 Future WG Activity Publish White Paper draft very shortly for public comment Further analyze the cloud forensics challenges Prioritize the challenges Choose the highest priority challenges and determine gaps in technology, standards and measurements to address these challenges Develop a roadmap to address these gaps 4/15/ :59 PM 23

24 We welcome new members to the WG! Send me if interested. Dr. Martin Herman NIST Working Group Twiki web site: 4/15/ :59 PM 24