Digital Forensics, Incident Response, and Cloud Computing. Troy Larson Azure MSRC Microsoft Corp.

Similar documents
Introduction to Windows Azure Cloud Computing Futures Group, Microsoft Research Roger Barga, Jared Jackson,Nelson Araujo, Dennis Gannon, Wei Lu, and

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

Assignment # 1 (Cloud Computing Security)

Windows Server 2008 R2 Hyper V. Public FAQ

Bosch Video Management System High Availability with Hyper-V

Private cloud computing advances

Planning and Administering Windows Server 2008 Servers

Restricted Document. Pulsant Technical Specification

JOB ORIENTED VMWARE TRAINING INSTITUTE IN CHENNAI

Cloud Computing. Chapter 1 Introducing Cloud Computing

OpenStack Introduction. November 4, 2015

2) Xen Hypervisor 3) UEC

Managing and Maintaining Windows Server 2008 Servers (6430) Course length: 5 days

Windows Azure and private cloud

Demystifying Cloud Computing Graham McLean

Hardware/Software Guidelines

Building Secure Cloud Applications. On the Microsoft Windows Azure platform

Windows Azure Security

How Microsoft Designs its Cloud-Scale Servers

VMware vsphere: Install, Configure, Manage [V5.0]

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Ignify ecommerce. Item Requirements Notes

Enterprise Network Deployment, 10,000 25,000 Users

Cisco Unified Computing Remote Management Services

CHAPTER 2 THEORETICAL FOUNDATION

NCTA Cloud Architecture

Alfresco Enterprise on Azure: Reference Architecture. September 2014

Develop a process for applying updates to systems, including verifying properties of the update. Create File Systems

Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide

Microsoft Hyper-V Powered by Rackspace & Microsoft Cloud Platform Powered by Rackspace Support Services Terms & Conditions

Securing Virtual Applications and Servers

WINDOWS AZURE EXECUTION MODELS

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Security and Billing for Azure Pack. Presented by 5nine Software and Cloud Cruiser

Microsoft Private Cloud

Using SUSE Cloud to Orchestrate Multiple Hypervisors and Storage at ADP

RED HAT ENTERPRISE VIRTUALIZATION

How to configure Failover Clustering for Hyper-V hosts on HP ProLiant c-class server blades with All-in-One SB600c storage blade

Index C, D. Background Intelligent Transfer Service (BITS), 174, 191

Virtualization Impact on Compliance and Audit

Very Large Enterprise Network Deployment, 25,000+ Users

Planning and Administering Windows Server 2008 Servers

You need to recommend a monitoring solution to ensure that an administrator can review the availability information of Service1. What should you do?

VMware vsphere 5.1 Advanced Administration

Cloud Computing. Chapter 1 Introducing Cloud Computing

Red Hat enterprise virtualization 3.0 feature comparison

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

How To Use A Vmware View For A Patient Care System

Stephen Coty Director, Threat Research

IOS110. Virtualization 5/27/2014 1

Very Large Enterprise Network, Deployment, Users

Capability VMware Hyper-V

Making a Smooth Transition to a Hybrid Cloud with Microsoft Cloud OS

Contents UNIFIED COMPUTING DATA SHEET. Virtual Data Centre Support.

Cloud Computing. Chapter 1 Introducing Cloud Computing

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Introduction to Per Core Licensing and Basic Definitions

Dell High Availability Solutions Guide for Microsoft Hyper-V

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Best Practices for Installing and Configuring the Hyper-V Role on the LSI CTS2600 Storage System for Windows 2008

Cloud Optimize Your IT

VMware vsphere 5.0 Boot Camp

Analyzing HTTP/HTTPS Traffic Logs

Monitoring Agent for Citrix Virtual Desktop Infrastructure Version Reference IBM

TECHNOLOGY WHITE PAPER Jun 2012

TRAVERSE: VIRTUALIZATION AND PRIVATE CLOUD MONITORING

Khóa học dành cho các kỹ sư hệ thống, quản trị hệ thống, kỹ sư vận hành cho các hệ thống ảo hóa ESXi, ESX và vcenter Server

A Comparison of Clouds: Amazon Web Services, Windows Azure, Google Cloud Platform, VMWare and Others (Fall 2012)

Cloud Computing. Chapter 8 Virtualization

Workflow Templates Library

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

VMware vsphere-6.0 Administration Training

Virtual Machine Manager Domains

In addition to their professional experience, students who attend this training should have technical knowledge in the following areas.

Configuration Maximums

Desktop Virtualization for the Banking Industry. Resilient Desktop Virtualization for Bank Branches. A Briefing Paper

SOLUTION BRIEF. Next Generation APT Defense for Healthcare

Lecture 02b Cloud Computing II

Parallels Server 4 Bare Metal

Microsoft Exam

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Windows Server 2008 R2 Essentials

Understand Troubleshooting Methodology

Load Balancing & High Availability

Infrastructure Provisioning with System Center Virtual Machine Manager

Server Virtualization with Windows Server Hyper-V and System Center

Installation Guide. Step-by-Step Guide for clustering Hyper-V virtual machines with Sanbolic s Kayo FS. Table of Contents

Securing the Service Desk in the Cloud

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Private Cloud in Educational Institutions: An Implementation using UEC

5nine Security for Hyper-V Datacenter Edition. Version 3.0 Plugin for Microsoft System Center 2012 Virtual Machine Manager

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Managed Hosting is a managed service provided by MN.IT. It is structured to help customers meet:

How To Run A Modern Business With Microsoft Arknow

GoGrid Implement.com Configuring a SQL Server 2012 AlwaysOn Cluster

Transcription:

Digital Forensics, Incident Response, and Cloud Computing Troy Larson Azure MSRC Microsoft Corp.

MSRC Azure Security incident response investigations. Forensics @ Microsoft. Compromise Intrusion Breach. Forensics and incident response investigations for the cloud.

What is cloud computing? Insider s view of cloud computing: Technology overview. Policy. Forensics and Incident response. Practices. Challenges. Opportunities.

What is cloud computing?

What is cloud computing? Automated datacenter, where machines are Deployed by machine. Managed by machine. Monitored by machine. For services. For tenants.

Cloud Compute

Vacation Resources

Azure Technical Overview Collection of automated datacenters. Primary resources: Compute. Storage. Network.

Azure Technical Overview Datacenters. Clusters. Nodes (blades).

Azure Technical Overview Compute node (host server).

Azure Technical Overview Virtual machine, from the host. Host Memory Media GPA 1 GPA 2 VHD 1 VHD 2 VHD 1 VHD 2

Azure Technical Overview The persistent virtual hard drive.

Azure Technical Overview The virtual hard drive. To the host, a file. To the virtual machine, a physical disk. Partitioned and formatted to create volumes and file systems. Can be organized like physical hard drives: Single disks. Dynamic volumes volumes spanning virtual disks. RAID.

Azure Technical Overview Virtual machine memory. Page File on VHD

Azure Technical Overview Virtual machine, from within. Memory C:\ D:\

Azure Technical Overview Different viewpoints. On the host side of the hypervisor: Memory is guest physical address space. Disks are files. On the guest side of the hypervisor: Memory consists of virtual and physical address space. Disk appear as physical and logical media.

Policy

Policy Cloud administrators and security teams: Extremely limited visibility into what is happening with tenant VMs. Tenant administrators and security teams: Complete visibility into what is happening on their VMs. No visibility into what is happening on other tenant VMs or host or infrastructure. Security responsibility follows ownership.

Policy Security. Shared Security Model: Management. Ownership.

Policy Security incident. Network TOR TOR TOR TOR TOR

Evidence Acquisition of Cloud-Based Machines

Virtual machines, acquisition.

Host / VM Memory As GPA. As saved state file(s). Media As files. As blobs. Network From virtual switch. Guest / VM Memory Live. Media As physical or logical disks. As blobs. Network Live.

Host / VM Running or stopped. State can be frozen.* No collection artifacts.* Consistent memory and disk images.* Guest / VM Running. State is dynamic. Collection artifacts. Inconsistent memory and disk images. GPA VHD VHD C:\ D:\ Memory

Host / VM Guest / VM Cloud provider. Tenant.

Tenant evidence acquisition: Standard remote collection procedures and tools should work for acquiring cloud-based VMs.* Blob storage of virtual disks allows for quick acquisition or snapshots of virtual disks. Equivalent to, or better than, current enterprise remote evidence collection capability.*

Cloud infrastructure. Consists of hundreds of thousands of physical machines. Huge amounts of RAM.* Huge amounts of disk storage.* Novel disk storage technologies.* Under extremely heavy load.* Can exceed the capability of current forensics tools and practices.

Cloud infrastructure. Network is not a standard corporate network. No domain authentication. Segmented. Firewalled. Standard enterprise remote evidence tools and procedures often will not work.

Forensic Analysis Of Cloud-Based Machines

Cloud machines: Use standard operating systems. Common, well known file systems, file types, structures, and strings. Amenable to standard analytical tools and procedures. Subject to compromise, breach, and other common sport.

Security incident response and stateless virtual machines. PAAS designed to be stateless. Scalability and fault tolerance. Persistent data goes to storage. New instance starts clean. Remediation by command line. What is the point of doing forensics or other in-depth security incident investigation?

Cloud (virtual) machine advantages. From host: Fully consistent memory dumps. Fully consistent drive (volume) images. State files. By tenant: Fully consistent drive images from storage.*

Issues of scale and scalability. Cloud infrastructure is vast. Cloud environment is more vast. Virtual entities can be dynamic, and endpoints ephemeral. Tenant deployments can be vast and dynamic, too.

Cloud-ready incident response and forensics: Must be able to work at scale. Must be scalable monitoring, triage, log analysis, forensics.* Problem: DF/IR is dependent on subject matter expertise. Subject matter experts do not scale well.*

Research topics.

What is normal?* The analytical opportunities of scale. *Jesse Kornblum https://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-responsesummit-jesse-kornblum-computer-forensic-tool-panel.pdf

Cloud machines Roles n identical instances. Role instances: xyz-service-01_of_200 xyz-service-02_of_200 xyz-service-03_of_200... xyz-service-56_of_200

Role Instances: Same OS VHD. Same hardware and drivers. Same configuration settings. Same applications and services. Same processes and command lines. Same events.

Processes creation event (Sec Event ID 4688): New process name and path. Parent process. Command line. Account that launches the process. What processes run in exactly the same way, on all role instances?

Role-specific, event baselines: Identical 4688 events, across all instances (per role), show what runs, how, by what account. What is normal for any instance of that role. Usage: Compare individual to the herd. Detection and monitoring. Live analysis and triage (e.g., Kansa). Memory forensics. Disk forensics.

Role-specific, event baselines: Signal to noise: non-identical 4688 events. Unique for a role instance. Anomalous, may indicate security issue. Usage: What stands out against the herd. Detection and monitoring. Hunting.

What other herd behavior can indicate normal or highlight anomalies? Task scheduler and service events. Object access events? Logon, source IP address? Error and failure events? IPFIX? Prefetch? Amache.hve?

Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information