Digital Forensics for IaaS Cloud Computing

Similar documents
With Eversync s cloud data tiering, the customer can tier data protection as follows:

Simple Storage Service (S3)

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Cloud Computing. Adam Barker

Chapter 11 Cloud Application Development

Research on Digital Forensics Based on Private Cloud Computing

Cloud Models and Platforms

Cloud Computing Technology

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Security Issues in Cloud Computing

Security & Trust in the Cloud

Cloud Computing. Chapter 1 Introducing Cloud Computing

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud

Computer Forensics and Incident Response in the Cloud. Stephen Coty AlertLogic, AlertLogic_ACID

Amazon Web Services Yu Xiao

Cloud Computing. Chapter 1 Introducing Cloud Computing

Cloud Computing; What is it, How long has it been here, and Where is it going?

Amazon Web Services Primer. William Strickland COP 6938 Fall 2012 University of Central Florida

CHAPTER 8 CLOUD COMPUTING

Cloud 101. Mike Gangl, Caltech/JPL, 2015 California Institute of Technology. Government sponsorship acknowledged

White Paper on CLOUD COMPUTING

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

The Private Cloud Your Controlled Access Infrastructure

Cloud Courses Description

Introduction to Engineering Using Robotics Experiments Lecture 18 Cloud Computing

Why Private Cloud? Nenad BUNCIC VPSI 29-JUNE-2015 EPFL, SI-EXHEB


Best Practices for Using MySQL in the Cloud

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cloud Computing Submitted By : Fahim Ilyas ( ) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

AskAvanade: Answering the Burning Questions around Cloud Computing

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

Using ArcGIS for Server in the Amazon Cloud

How To Image A Single Vm For Forensic Analysis On Vmwarehouse.Com

Cloud Computing. Chapter 1 Introducing Cloud Computing

TECHNOLOGY GUIDE THREE. Emerging Types of Enterprise Computing

Using ArcGIS for Server in the Amazon Cloud

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

An Introduction to Cloud Computing Concepts

The NIST Definition of Cloud Computing (Draft)

Scaling in the Cloud with AWS. By: Eli White (CTO & mojolive) eliw.com - mojolive.com

Cloud Courses Description

ArcGIS for Server: In the Cloud

Planning the Migration of Enterprise Applications to the Cloud

Information Technology: This Year s Hot Issue - Cloud Computing

Architectural Implications of Cloud Computing

Deploying a Geospatial Cloud

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

What is Cloud Computing? First, a little history. Demystifying Cloud Computing. Mainframe Era ( ) Workstation Era ( ) Xerox Star 1981!

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Chapter 9 PUBLIC CLOUD LABORATORY. Sucha Smanchat, PhD. Faculty of Information Technology. King Mongkut s University of Technology North Bangkok

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

AWS Storage: Minimizing Costs While Retaining Functionality

CompTIA Cloud+ 9318; 5 Days, Instructor-led

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

The NIST Definition of Cloud Computing

Private Cloud 201 How to Build a Private Cloud

Every Silver Lining Has a Vault in the Cloud

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

Cloud computing: the state of the art and challenges. Jānis Kampars Riga Technical University

Session 3. the Cloud Stack, SaaS, PaaS, IaaS

CLOUD BASED SCADA. Removing Implementation and Deployment Barriers. Liam Kearns Open Systems International, Inc.

Amazon Elastic Beanstalk

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May ISSN

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Virtualization and Cloud Computing

How To Understand Cloud Computing

How To Get A Warrant To Search And Seizure Of Cloud Data In The United States

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

Office of the Government Chief Information Officer The Government of the Hong Kong Special Administrative Region

Top 10 Cloud Risks That Will Keep You Awake at Night

Cloud Computing. Chapter 1 Introducing Cloud Computing

IS PRIVATE CLOUD A UNICORN?

Amazon Web Services: Risk and Compliance July 2012

How To Manage Cloud Data Safely

Cloud Computing Architecture and Forensic Investigation Challenges

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Increased Security, Greater Agility, Lower Costs for AWS DELPHIX FOR AMAZON WEB SERVICES WHITE PAPER

Fundamental Concepts and Models

Service Organization Controls 3 Report

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

CLOUD COMPUTING. A Primer

Cloud computing: benefits, risks and recommendations for information security

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

Transcription:

Digital Forensics for IaaS Cloud Computing June 26, 2012

The views expressed in this presentation are mine alone. Reference to any specific products, process, or service do not necessarily constitute or imply endorsement, recommendation, or favoring by the United States Government or the Department of Defense.

Outline Today Trust Tests Trouble Tomorrow What s the problem? Can you believe the data? Experiments in forensic acquisition Results and alternatives Future work

Bio Ph.D. candidate, Digital Forensics for Infrastructure-as-a-Service Cloud Computing 8 years in network security, malware analysis, intrusion detection, forensics Cloud Security Alliance, NIST Cloud Computing Security Working Group, IFIP Working Group 11.9 on Digital Forensics, American Academy of Forensic Sciences, ABA E-Discovery and Digital Evidence

First Cloud Crime?

An Investigator s View

x = 1 0

Truth or Fiction? Incident response and computer forensics in a cloud environment require fundamentally different tools, techniques, and training Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), Version 1.6, 2012

NIST Definition Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909616 September 2011

That which we call a rose On-demand self-service Elastic Utility consumption Location independence Resource abstraction and pooling

Security Crime Forensics You are here

Conflicting Goals Cloud Location independence Rapid elasticity Data reliability (replication) Multi-tenancy General, abstract data structures Forensics Discovery of computational structure Legal jurisdiction Evidence preservation Data integrity Chain of custody Evidence integrity Attribution of data Chain of custody Best evidence Presentation/Visualization of evidence

Amazon S3 Q: Where is my data stored? Amazon S3 offers storage in the US Standard, US West (Oregon), US West (Northern California), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), South America (Sao Paulo), and AWS GovCloud (US) Regions. You specify a Region when you create your Amazon S3 bucket. Within that Region, your objects are redundantly stored on multiple devices across multiple facilities. http://aws.amazon.com/s3/faqs/#where_is_my_data_stored

Microsoft Azure Location of Customer Data Microsoft may transfer Customer Data within a major geographic region (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure Storage geo-replication feature will replicate Windows Azure Blob and Table data, at no additional cost, between two sub-regions within the same major region for enhanced data durability in case of a major data center disaster. However, customers can choose to disable this feature. http://www.windowsazure.com/en-us/support/trust-center/privacy/

No Tested Tools

No Case Law

Forensics Today

Resellers Dropsync Dropbox Amazon S3

?!

Trust Guest Application Guest OS Virtualization Host OS Physical Hardware Network http://www.katescomment.com/iaas-paas-saas-definition/

Hypothetical Case Study Polly traffics in child pornography. He stores contraband images in the cloud. He uses a pre-paid credit card. His cloud-hosted website shares the images. Law enforcement discovers the website and wants to terminate the service and prosecute the criminal.

Cloud Crime Scene Webexposed crime scene Polly Internet Law Enforcement Forensic Investigator Cloud Service Provider Provider Technician

Key Issues in Cloud Forensics 1. Acquisition of data is more difficult. 2. Cooperation from cloud providers is paramount. 3. Cloud data may lack ley forensic attributes. 4. Current forensic tools are unprepared to process cloud data. 5. Chain of custody is more complex.

Trust Layer Cloud Layer Acquisition Method Cloud Trust required 6 Guest applications/data Depends on data OS, HV, Host, Hardware, Network Guest Application 5 Guest OS Remote forensic software OS, HV, Host, Hardware, Network Guest OS 4 Virtualization Introspection HV, Host, Hardware, Network Virtualization 3 Host OS Access virtual disk Host, Hardware, Network Host OS 2 Physical hardware Access physical disks Hardware, Network Physical Hardware 1 Network Packet capture Network Network

Experiments Experiment 1 (Guest OS) Launch and hack a virtual machine in EC2 Use EnCase and FTK agents to acquire disk images remotely Use Fastdump, FTK Imager, Memoryze to acquire memory images remotely Analyze data to determine success Experiment 2 (Virtualization) Launch and hack a virtual machine on a local cloud Use introspection to inject an EnCase agent to acquire disk image Create virtual machine snapshot and analyze live offline Analyze data to determine success Experiment 3 (Host OS) Launch and hack a virtual machine in EC2 Use AWS Export to obtain a disk image Analyze data to determine success Guest Application Guest OS Virtualization Host OS Physical Hardware Network

Experiments

Results Experiment Tool Evidence Collected Time Trust Required (Hrs) 1 EnCase Success 12 OS, HV, Host, Hardware, Network 1 FTK Success 12 OS, HV, Host, Hardware, Network 1 FTK Imager (disk) Success 12 OS, HV, Host, Hardware, Network 1 Fastdump Success 2 OS, HV, Host, Hardware, Network 1 Memoryze Success 2 OS, HV, Host, Hardware, Network 1 FTK Imager (memory) Success 2 OS, HV, Host, Hardware, Network 1 Volume block copy (dd) Success 14 OS*, HV, Host, Hardware, Network 2 Agent Injection Success 1 HV, Host, Hardware, Network 3 AWS Export Success 120 AWS Technician, Technician s Host, Hardware & Software, AWS Hardware, AWS Network

Trouble Forensic workstation online Security of remote agent Cost time and $$$ Changes to cloud environment Legal questions

Alternatives Root Trust in the Host/VM with TPMs Collection from Management Plane Forensics Support as a Service Contract and Legal Solutions

Management Plane

Potential Forensic Data Billing records Netflow, Packet Capture API/Management access logs Security logs (firewall, IDS, etc.) Physical drives Virtual drives Guest OS data Cloud data storage

Legal Considerations Expectation of privacy Possession, custody, control Data preservation Jurisdiction Seizing Data Defenses Complexity, production, Daubert, ripeness

Tomorrow: Future work Corroborate from multiple layers Live Forensics with Snapshots Parallel analysis of PaaS and SaaS Consumer-driven forensic capabilities Log retrieval, metadata (volume checksums), volume download Legal analysis How do you legally obtain cloud documents? Who legally owns the data/ip address/etc? Who s law applies to the data? To the forensics?

Summary Cloud challenges forensic acquisition Need to trust the data acquired Some tools work. Some are needed.

Questions dykstra@umbc.edu

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information