CLOUD FORENSICS WITH F-RESPONSE


Leveraging F-Response, X-Ways, and USB-Over-Ethernet to provide Incident Response and Forensics Services on Cloud Hosted Servers

F-Response is a Registered Trademark of Agile Risk Management LLC. For more information on F-Response, or any part of the solution presented in this paper, please contact us on the web at www.f-response.com.

8/19/2013

TABLE OF CONTENTS

Challenge ... 3
Solution ... 4
Prerequisites ... 5
Example ... 6
  Create the Cloud Server ... 6
  Deploy tools to the Cloud Server ... 7
  Connect to multiple Forensic Dongles with USB Over Ethernet ... 8
  Configure F-Response Networking ... 9
  Configure Target Cloud Server(s) Firewalls to allow Examiner access ... 10
  Install/Start F-Response on one or more Cloud Servers ... 11
  Perform analysis on one or more F-Response connected cloud servers ... 12
Legal Notices ... 13

CHALLENGE

When it comes to performing Incident Response or Computer Forensics services on Cloud Servers, the traditional forensic collection and acquisition model is clearly unsuitable. Simply put, powering down and detaching the hard drive is just not viable with Cloud Servers. Why? Primarily because Cloud Servers aren't really physical servers; they are typically virtual servers allocated on demand using one of a dozen or more hypervisor[1] technologies. Secondly, the hardware these servers run on is typically shared by a number of customers, many of which would undoubtedly balk at the request to power down their server(s) and remove their shared disk resources.

[1] A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. (http://en.wikipedia.org/wiki/hypervisor)

SOLUTION

Using existing software technologies and a single Cloud Server it is possible to deliver a complete onsite solution to virtually any cloud hosted server, anywhere in the world, on demand, and with minimal preparation.

[Diagram: Remote Analyst (RDP and USB-Over-Ethernet over RDP) -> Dedicated Forensic/IR Cloud Server running F-Response and X-Ways -> N+ Cloud Servers with internal cloud network access; all hosted at the Cloud Server Provider]

The solution hinges on being able to leverage USB forwarding technology to shift your existing dongle-based software licenses to a remote virtual machine running within the Cloud environment. To accomplish this we recommend KernelPro's USB-Over-Ethernet (USBoE) software product. USBoE allows remote examiners (aka consultants) to forward their physical software license dongles to the Dedicated Forensic/IR Cloud Server hosted at the Cloud provider. Once connected to the dedicated server, the remote examiner can then deploy F-Response to one or more remote targets and begin leveraging one or more remotely installed computer forensics, e-discovery, or incident response applications. Additional storage may be configured through the individual cloud provider to handle collection needs.

PREREQUISITES

Software Required:

KernelPro USB-Over-Ethernet (www.usb-over-ethernet.com)
USB-Over-Ethernet provides USB device forwarding to remote machines. In essence, USB hardware dongles, such as those used by F-Response and other computer forensic software manufacturers, can be forwarded to a remote virtual or physical workstation at the client location.

F-Response Enterprise or Consultant + Covert Edition (www.f-response.com)
F-Response Consultant + Covert or Enterprise provide direct, read-only access to remote computers at the client site. Using F-Response you can attach to remote machines from within the client environment and access physical disks, logical volumes, and physical memory in real time.

X-Ways Forensics (www.x-ways.com)
X-Ways Forensics is an advanced work environment for computer forensic examiners. Highly efficient and well conceived, X-Ways works well with F-Response, and the two products together provide a compelling and cost effective solution.

EXAMPLE

CREATE THE CLOUD SERVER

The following example is presented using Rackspace Cloud Servers; the same process would largely apply to other Cloud Server providers (Amazon Web Services, Azure, HP Public Cloud, etc.). The first step is to create a Forensic/IR server within the same region as your target server(s). In this example we created a basic Windows Server 2008 R2 instance and outfitted it with the minimum resources necessary to perform the basic example. Be sure to note the administrator password set by the provider; you will need this password to access your machine via RDP.

Rackspace Cloud Servers provides a number of options when deploying a server. Pay close attention to the Region your server will be placed in, as there is often no internal network access between regions.

DEPLOY TOOLS TO THE CLOUD SERVER

Once the remote Cloud Server is operational you will need to connect to that server using Remote Desktop and configure it with your forensic tools (F-Response, X-Ways, and USB-Over-Ethernet). In many cases the Windows servers are hardened to make it difficult to download files from remote sites, especially if those sites are served over SSL (as is the case with the F-Response download site). As such you'll want to confirm that the Internet Explorer security setting "Do not save encrypted pages to disk" (Internet Options -> Advanced -> Security) is unchecked. Many Windows Server configurations have additional controls which make it challenging to download files; the above setting must be disabled to allow F-Response to be downloaded.

You will want to download and install the following applications:

- USB over Ethernet Client
- F-Response Enterprise
- X-Ways Forensics

Specific details on configuring each individual product are outside the scope of this whitepaper; additional details on configuration and usage can be found on the F-Response Mission Guides and Documentation page on the F-Response website (www.f-response.com/support/missionguides).
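The two checks a practitioner wants at this step, as an added example that is not part of the F-Response paper: confirm the IE "Do not save encrypted pages to disk" option really is cleared (it is stored as the DWORD DisableCachingOfSSLPages under the user's Internet Settings key; the machine policy path used below is an assumption), and verify the downloaded installers against vendor-published hashes before running them on a server that will touch evidence. The file names, paths and hash placeholders are assumptions; substitute your own. The script targets the PowerShell 2.0 that ships with Windows Server 2008 R2, so it avoids Get-FileHash.

```powershell
# Added example (not from the F-Response paper). Run in an elevated PowerShell 2.0
# session on the examiner cloud server.

# 1. The IE Advanced option "Do not save encrypted pages to disk" is the DWORD
#    DisableCachingOfSSLPages (1 = checked). Clear it for the current user and warn
#    if a machine policy re-enforces it (policy path below is an assumption).
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-DwordValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

if ((Get-DwordValue $userKey 'DisableCachingOfSSLPages') -eq 1) {
    Set-ItemProperty -Path $userKey -Name 'DisableCachingOfSSLPages' -Value 0 -Type DWord
    Write-Host 'Cleared "Do not save encrypted pages to disk" for the current user.'
}
if ((Get-DwordValue $policyKey 'DisableCachingOfSSLPages') -eq 1) {
    Write-Warning 'A machine policy still enforces the setting; clear it in Group Policy before downloading.'
}

# 2. Verify every downloaded installer against the SHA-256 published by its vendor.
#    PowerShell 2.0 has no Get-FileHash, so hash through .NET directly.
function Get-Sha256Hex($path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# File names and hashes are placeholders (assumption): copy the real values from
# each vendor's download page.
$expected = @{
    'C:\Tools\f-response-enterprise.exe' = '<sha256 from vendor>'
    'C:\Tools\xways-forensics.zip'       = '<sha256 from vendor>'
    'C:\Tools\usb-over-ethernet.exe'     = '<sha256 from vendor>'
}

foreach ($file in $expected.Keys) {
    if (-not (Test-Path $file)) { Write-Warning "Missing: $file"; continue }
    $actual = Get-Sha256Hex $file
    if ($actual -eq $expected[$file]) {
        Write-Host "OK       $file"
    } else {
        Write-Warning "MISMATCH $file ($actual); do not install"
    }
}
```

The hash check matters more here than on a workstation: this server is built on shared provider infrastructure from a stock image, and anything installed on it runs with administrator rights against the evidence you are about to attach.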

CONNECT TO MULTIPLE FORENSIC DONGLES WITH USB OVER ETHERNET

Using the USB Over Ethernet Client and Server we can share out and connect to multiple licensing dongles.

[Screen capture: connecting to a USB-Over-Ethernet hosted F-Response Enterprise dongle]

CONFIGURE F-RESPONSE NETWORKING

In our example, the newly deployed Cloud Server is configured with both an externally facing IP address and an internally facing IP address. We will be using the internal network interface to interact with other subject computers in the Cloud; as such we will want to configure the F-Response License Manager to bind to the internal network interface.

[Screen capture: F-Response License Manager bound to the internal network interface of the examiner cloud server]

CONFIGURE TARGET CLOUD SERVER(S) FIREWALLS TO ALLOW EXAMINER ACCESS

In order to access the target Cloud Server(s) we will make Windows Firewall exceptions to allow for remote access and deployment. The most efficient way to do this is to apply a firewall rule allowing inbound access to the remote servers only from your newly created forensic examiner server (its internal address), rather than opening the target to the whole internal network.

[Screen capture: creation of a custom rule allowing access from the examiner cloud hosted server]
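The same exception expressed on the command line, as an added example that is not part of the F-Response paper. It is typed on each target server; the address 10.176.0.10 is a placeholder for the examiner server's internal address (the one the License Manager was bound to) and the rule name is an assumption. Windows Server 2008 R2 has no New-NetFirewallRule cmdlet, so the rule is managed with netsh advfirewall, which works from either PowerShell or cmd.

```powershell
# Added example (not from the F-Response paper). Run in an elevated prompt on
# each TARGET cloud server. 10.176.0.10 is a placeholder for the examiner's
# INTERNAL address; the rule name is an assumption.

# Weak form (do not use): remoteip=any admits every host on the shared internal
# cloud network, not just your examiner server.
#   netsh advfirewall firewall add rule name=F-Response_examiner_access dir=in action=allow remoteip=any

# Scoped form: inbound traffic is accepted only from the single examiner address,
# which covers both the remote deployment and the later disk/memory session.
netsh advfirewall firewall add rule name=F-Response_examiner_access dir=in action=allow remoteip=10.176.0.10/32 profile=any enable=yes

# Verify the rule exists and that RemoteIP shows the /32, not "Any".
netsh advfirewall firewall show rule name=F-Response_examiner_access verbose

# Verify the firewall is enforcing on the active profile; a disabled profile
# would make the scoped rule meaningless.
netsh advfirewall show currentprofile state

# When the engagement is finished, remove the exception rather than leaving a
# standing path from the examiner subnet into a production server.
#   netsh advfirewall firewall delete rule name=F-Response_examiner_access
```

Because cloud provider internal networks are shared with other tenants in the same region, the /32 scope is the part that matters; an "any" rule turns the deployment share into something every neighbouring instance can reach.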

INSTALL/START F-RESPONSE ON ONE OR MORE CLOUD SERVERS

The following represents abbreviated steps from our F-Response Enterprise Mission Guides. You will find more detailed steps for different operating systems and configurations on the F-Response website (www.f-response.com/support/missionguides).

Using the supplied credentials for the remote server(s), we install/start F-Response on one or more Cloud Servers, then select one or more F-Response Targets and log in.

[Screen capture: an F-Response attached remote machine's disk-0 presented to our examiner hosted forensic server as PhysicalDrive2]
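Before handing the presented disk to X-Ways, a practitioner will want to confirm that the new PhysicalDrive is the intended target and that the presentation is actually live. The following is an added example, not code from the F-Response paper or product; it assumes device number 2 as in the screen capture and a PowerShell 2.0 session on the examiner server. The raw read goes through CreateFile because .NET's FileStream refuses "\\.\" device paths when given a path string.

```powershell
# Added example (not from the F-Response paper). Run in an elevated PowerShell 2.0
# session on the examiner cloud server once the target has been attached.
# Device number 2 matches the paper's screen capture (PhysicalDrive2); adjust as needed.

# 1. Enumerate physical drives so the new device can be recognised by index, size and model.
Get-WmiObject Win32_DiskDrive | Sort-Object Index |
    Select-Object Index, DeviceID, Model, InterfaceType,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } } |
    Format-Table -AutoSize

# 2. FileStream(string) rejects "\\.\" device paths, so open the device with
#    CreateFile (read-only, shared) and wrap the handle instead.
Add-Type -TypeDefinition @"
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class RawDisk
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    private const uint GENERIC_READ     = 0x80000000;
    private const uint FILE_SHARE_READ  = 0x1;
    private const uint FILE_SHARE_WRITE = 0x2;
    private const uint OPEN_EXISTING    = 3;

    // Reads 'count' bytes (a multiple of the sector size) from the start of the device.
    public static byte[] ReadStart(string devicePath, int count)
    {
        SafeFileHandle handle = CreateFile(devicePath, GENERIC_READ,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
        if (handle.IsInvalid)
            throw new IOException("CreateFile failed, Win32 error " + Marshal.GetLastWin32Error());
        using (FileStream fs = new FileStream(handle, FileAccess.Read))
        {
            byte[] buffer = new byte[count];
            int read = fs.Read(buffer, 0, count);
            if (read != count)
                throw new IOException("Short read: " + read + " of " + count + " bytes");
            return buffer;
        }
    }
}
"@

# 3. Check the first sector for the 0x55AA boot signature (present on MBR disks and
#    on the protective MBR of GPT disks). A successful raw read also proves the
#    F-Response presentation is live before X-Ways is pointed at it.
function Test-BootSector([int]$deviceNumber) {
    $sector = [RawDisk]::ReadStart("\\.\PhysicalDrive$deviceNumber", 512)
    return (($sector[510] -eq 0x55) -and ($sector[511] -eq 0xAA))
}

if (Test-BootSector 2) {
    Write-Host 'PhysicalDrive2: boot signature present; ready for X-Ways Forensics.'
} else {
    Write-Warning 'PhysicalDrive2: no 0x55AA signature. Confirm you attached the intended target; a wiped or non-PC disk can still be a valid target.'
}
```

The device is opened for read only and F-Response presents the target read-only, so this check cannot alter the evidence; it does, however, let you catch the wrong target (or a stale session) before spending time on an image.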

PERFORM ANALYSIS ON ONE OR MORE F-RESPONSE CONNECTED CLOUD SERVERS

Using X-Ways Forensics it's now possible to perform imaging or analysis on the data residing on one or more subject Cloud Servers.

[Screen capture: X-Ways Forensics performing live analysis on the newly attached PhysicalDrive2]

LEGAL NOTICES

Copyright
Copyright 2013 Agile Risk Management, LLC. All rights reserved. This document is protected by copyright with all rights reserved.

Trademarks
F-Response is a trademark of Agile Risk Management, LLC. All other product names or logos mentioned herein are used for identification purposes only, and are the trademarks of their respective owners.

Statement of Rights
Agile Risk Management, LLC products incorporate technology that is protected by U.S. patent and other intellectual property (IP) rights owned by Agile Risk Management LLC, and other rights owners.

Disclaimer
While Agile Risk Management LLC has committed its best efforts to providing accurate information in this document, we assume no responsibility for any inaccuracies that may be contained herein, and we reserve the right to make changes to this document without notice.