1 Digital Forensics for IaaS Cloud Computing June 26, 2012
2 The views expressed in this presentation are mine alone. Reference to any specific product, process, or service does not necessarily constitute or imply endorsement, recommendation, or favoring by the United States Government or the Department of Defense.
3 Outline. Today: What's the problem? Trust: Can you believe the data? Tests: Experiments in forensic acquisition. Trouble: Results and alternatives. Tomorrow: Future work.
4 Bio: Ph.D. candidate, Digital Forensics for Infrastructure-as-a-Service Cloud Computing; 8 years in network security, malware analysis, intrusion detection, forensics; Cloud Security Alliance, NIST Cloud Computing Security Working Group, IFIP Working Group 11.9 on Digital Forensics, American Academy of Forensic Sciences, ABA E-Discovery and Digital Evidence
5 First Cloud Crime?
6 An Investigator's View
7 x = 1 0
8 Truth or Fiction? "Incident response and computer forensics in a cloud environment require fundamentally different tools, techniques, and training." Source: Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), Version 1.6, 2012
9 NIST Definition: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models." September 2011
10 That which we call a rose: On-demand self-service; Elastic; Utility consumption; Location independence; Resource abstraction and pooling
11 Security Crime Forensics You are here
12 Conflicting Goals
Cloud: Location independence; Rapid elasticity; Data reliability (replication); Multi-tenancy; General, abstract data structures
Forensics: Discovery of computational structure; Legal jurisdiction; Evidence preservation; Data integrity; Chain of custody; Evidence integrity; Attribution of data; Chain of custody; Best evidence; Presentation/Visualization of evidence
13 Amazon S3 Q: Where is my data stored? Amazon S3 offers storage in the US Standard, US West (Oregon), US West (Northern California), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), South America (Sao Paulo), and AWS GovCloud (US) Regions. You specify a Region when you create your Amazon S3 bucket. Within that Region, your objects are redundantly stored on multiple devices across multiple facilities.
14 Microsoft Azure Location of Customer Data Microsoft may transfer Customer Data within a major geographic region (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure Storage geo-replication feature will replicate Windows Azure Blob and Table data, at no additional cost, between two sub-regions within the same major region for enhanced data durability in case of a major data center disaster. However, customers can choose to disable this feature.
15 No Tested Tools
16 No Case Law
17 Forensics Today
18 Resellers: Dropsync, Dropbox, Amazon S3
20 Trust (layers): Guest Application, Guest OS, Virtualization, Host OS, Physical Hardware, Network
21 Hypothetical Case Study Polly traffics in child pornography. He stores contraband images in the cloud. He uses a pre-paid credit card. His cloud-hosted website shares the images. Law enforcement discovers the website and wants to terminate the service and prosecute the criminal.
22 Cloud Crime Scene (diagram): Web-exposed crime scene; Polly; Internet; Law Enforcement; Forensic Investigator; Cloud Service Provider; Provider Technician
23 Key Issues in Cloud Forensics 1. Acquisition of data is more difficult. 2. Cooperation from cloud providers is paramount. 3. Cloud data may lack key forensic attributes. 4. Current forensic tools are unprepared to process cloud data. 5. Chain of custody is more complex.
25 Experiments
Experiment 1 (Guest OS): Launch and hack a virtual machine in EC2. Use EnCase and FTK agents to acquire disk images remotely. Use Fastdump, FTK Imager, Memoryze to acquire memory images remotely. Analyze data to determine success.
Experiment 2 (Virtualization): Launch and hack a virtual machine on a local cloud. Use introspection to inject an EnCase agent to acquire disk image. Create virtual machine snapshot and analyze live offline. Analyze data to determine success.
Experiment 3 (Host OS): Launch and hack a virtual machine in EC2. Use AWS Export to obtain a disk image. Analyze data to determine success.
Layers: Guest Application, Guest OS, Virtualization, Host OS, Physical Hardware, Network
28 Trouble: Forensic workstation online; Security of remote agent; Cost: time and $$$; Changes to cloud environment; Legal questions
29 Alternatives: Root Trust in the Host/VM with TPMs; Collection from Management Plane; Forensics Support as a Service; Contract and Legal Solutions
30 Management Plane
31 Potential Forensic Data: Billing records; Netflow, Packet Capture; API/Management access logs; Security logs (firewall, IDS, etc.); Physical drives; Virtual drives; Guest OS data; Cloud data storage
32 Legal Considerations: Expectation of privacy; Possession, custody, control; Data preservation; Jurisdiction; Seizing Data; Defenses (Complexity, production, Daubert, ripeness)
33 Tomorrow: Future work
Corroborate from multiple layers
Live Forensics with Snapshots
Parallel analysis of PaaS and SaaS
Consumer-driven forensic capabilities: Log retrieval, metadata (volume checksums), volume download
Legal analysis: How do you legally obtain cloud documents? Who legally owns the data/IP address/etc.? Whose law applies to the data? To the forensics?
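Added example (not from the original slides): one way a consumer could use the volume checksums and volume download listed under future work, paired with a hash-chained custody log for the chain-of-custody issue raised earlier. The provider checksum, actor names, and timestamps are constructed assumptions.

```python
import hashlib, io, json

CHUNK = 1 << 20  # hash in 1 MiB pieces; a volume image will not fit in memory

def sha256_stream(stream):
    """Hash a volume image incrementally and return the hex digest."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    """Hash one custody entry in canonical form (sorted keys, fixed separators)."""
    raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_entry(log, actor, action, image_sha256, when):
    """Append an entry that commits to the hash of the entry before it."""
    prev = entry_hash(log[-1]) if log else "0" * 64
    log.append({"prev": prev, "actor": actor, "action": action,
                "image_sha256": image_sha256, "time": when})

def acquire(stream, provider_sha256, log, actor, when):
    """Hash a downloaded image, compare with the provider checksum, log the outcome."""
    digest = sha256_stream(stream)
    ok = digest == provider_sha256.lower()
    append_entry(log, actor, "acquired-verified" if ok else "acquired-MISMATCH", digest, when)
    return ok

def verify_log(log):
    """Return the index of the first entry with a broken back-link, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return i
        prev = entry_hash(entry)
    return -1

# Constructed sample data: a small stand-in image, the checksum a provider would report, placeholder times.
IMAGE = b"constructed-volume-image" * 1000
PROVIDER_SHA256 = hashlib.sha256(IMAGE).hexdigest()

def demo():
    log = []
    ok = acquire(io.BytesIO(IMAGE), PROVIDER_SHA256, log, "provider-technician", "T1")
    append_entry(log, "forensic-investigator", "received", log[-1]["image_sha256"], "T2")
    altered = acquire(io.BytesIO(IMAGE + b"x"), PROVIDER_SHA256, [], "forensic-investigator", "T3")
    intact = verify_log(log)
    log[0]["actor"] = "someone-else"  # simulate an edit to an earlier entry
    return ok, altered, intact, verify_log(log)
```

The chain only protects an entry once a later entry commits to it, so the newest entry needs an external anchor such as a signed or separately stored copy of its hash.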
34 Summary: Cloud challenges forensic acquisition. Need to trust the data acquired. Some tools work. Some are needed.