Large Scale Cloud Forensics

Similar documents

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Overview of Computer Forensics

EC-Council Ethical Hacking and Countermeasures

1/26/15. Chapter 2 Crime Scene

Digital Forensics. Larry Daniel

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Digital Forensics for IaaS Cloud Computing

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

What is Digital Forensics?

Computer Forensics US-CERT

Trends in Application Recovery. Andreas Schwegmann, HP

Virtualization and Forensics

Digital Evidence Collection and Use. CS 585 Fall 2009

Hands-On How-To Computer Forensics Training

ISO IEC ( ) TRANSLATED INTO PLAIN ENGLISH

Overview. The TriTech Solution TriTech s Inform RMS is a proven, robust, multi-jurisdictional records management system.

Introduction to Cyber Security / Information Security

Information Technology Policy

CYBER FORENSICS (W/LAB) Course Syllabus

Solution Brief Availability and Recovery Options: Microsoft Exchange Solutions on VMware

Enabling Security Operations with RSA envision. August, 2009

Information Security Incident Management Guidelines

Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics

This is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Fostering Incident Response and Digital Forensics Research

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

EnCase Portable. Extend Your Forensic Reach with Powerful Triage & Data Collection

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Computer Forensics and Incident Response in the Cloud. Stephen Coty AlertLogic, AlertLogic_ACID

Control your corner of the cloud.

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner

Computer Hacking Forensic Investigator v8

Certified Digital Forensics Examiner

STATE OF NEVADA Department of Administration Division of Human Resource Management CLASS SPECIFICATION

Crime and Science 1/11/2015. What is physical evidence? What is forensic science? What is the goal of forensic science?

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Getting Physical with the Digital Investigation Process

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

NEW IMPROVEMENT IN DIGITAL FORENSIC STANDARD OPERATING PROCEDURE (SOP)

Computer and Information Science

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

InfoSec Academy Forensics Track

Criminal Investigation CRJ141. Matthew McCarty

Cyber Forensic for Hadoop based Cloud System

Deploying Public, Private, and Hybrid Storage Clouds. Marty Stogsdill, Oracle

Managing Cloud Computing Risk

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

How To Solve A Violent Home Invasion With A United Force

Instant Recovery for VMware

VMware Virtual Desktop Manager User Authentication Guide

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter

ISACA Presentation. Cloud, Forensics and Cloud Forensics

The Facts About Forensic DNA Analysis and DNA Databases. dnasaves.org

Storage Virtualization

Procedure for Conducting Audits and Management Reviews

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

An overview of IT Security Forensics

Cloud Forensics: an Overview. Keyun Ruan Center for Cyber Crime Investigation University College Dublin

Security Information/Event Management Security Development Life Cycle Version 5

A Short Introduction to Digital and File System Forensics

GUIDANCE SOFTWARE EnCase Portable. EnCase Portable. A Data Collection and Triage Solution that Anyone can Use

FRD506. Financial investigation and Forensic Accounting - 30 hours. Objectives

CDFE Certified Digital Forensics Examiner (CFED Replacement)

How RSA has helped EMC to secure its Virtual Infrastructure

Learn the essentials of virtualization security

Index C, D. Background Intelligent Transfer Service (BITS), 174, 191

A Practical Approach for Evidence Gathering in Windows Environment

How To Get A Computer Hacking Program

Republic of Latvia State Police Forensic Service Department

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

WILLIAM OETTINGER PHONE (702)

Providing Self-Service, Life-cycle Management for Databases with VMware vfabric Data Director

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

GOT LAWYERS? THEY'VE GOT STORAGE AND ESI IN THE CROSS-HAIRS!

Computer Forensics Today

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 13 Business Continuity

Security & Cloud Services IAN KAYNE

Restoration Technologies. Mike Fishman / EMC Corp.

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Transcription:

Large Scale Cloud Forensics Edward L. Haletky AstroArch Consulting, Inc. Sam Curry RSA, The Security Division of EMC Session ID: STAR-302 Session Classification: Advanced

Happenstance Lo and Behold Sam and Edward sit on a train (January 2011) Edward Wrote a Book with Forensics as the last chapter (2009) Discussing an Idea for Better Large Scale Cloud Forensics 2

Problem Scenario The Economist reported on July 6 th, 2011, that arrests in Latvia triggered an FBI raid in Virginia Multiple Tenants Impacted Multiple Jurisdictions Involved Touched Upon Continuity of Business Legality Issues (Boundaries => Tenants) Law Enforcement s Civil Liability Effectiveness of Forensic Approach Sledgehammer to drive in a Thumbtack 3

Formal Problem Statement Given Large Scale Multi Tenant Cloud Required Acquire Data Perform Analysis Store Data Solution Must Include Modern Methodology Improved Technology and Tools Improved Legal Framework 4

Challenges Virtual Environment Audit + Gather Evidence Forensics Data Incident Response Court of Law Storage 5

Why Care? Business Saves Money Less Operational Risk Less Liability Risk Law Enforcement Saves Money over Time Faster and Less Disruptive Acquisition Faster Investigations Less Error Prone Methodology Forensic Scientists Advancing the State of the Art Less Time doing the Mundane 6

The State of Acquisition Today Acquisition of Physical Resources Acquisition of Virtual Law Enforcement Just Gets a Bigger Truck Using In VM Disk Grabbing Grab Everything Mentality Technologies (ala Encase) Language of Warrants lacking (target IP not Tenant) Using Disk Replication Methods (not proven forensically sound) Chain of Custody Issues no uniqueness among Clouds 7

State of Analysis Today Separate Forms of Analysis Disk Network Log (OS Logs) Memory (at least 1 service provider) Only Ask Simple Questions Non Uniform Answers are not fine grained No Preponderance of evidence Not a lot of multiply re enforcing evidence A contradiction violates the conclusion Little Data Tools Trying to Answer a Big Data Problem 8

First Principles Locard s Priniciple Whenever a crime is committed there is an exchange of evidence between the criminal and the crime scene. 20 th century this came to mean trace evidence In the Cloud, this implies electronic evidence Uniqueness (Chain of Custody) Require Uniqueness Among Clouds How you process the, data affects the chain of custody Improve Bagging and Tagging The Fourth Dimension (Time) Need a constant Time Source Can we find one outside the Target 9

Unique Identifier Uniqueness is a Quality of the Following Objects: Virtual Disks Configuration Files Run Time Files Log Files vnetwork Interfaces Uniqueness must be represented by an artifact that can be computed upon (search upon, quantify etc.) Eg Identification value Rules of Unique Identifier No two objects, regardless of time or location, should have the same artifact Artifact Can be and should be used to describe relationships among objects Must Survive migration Eg vmotion, Migration between clouds Ultimately Any of the Above objects without an ID is rogue 10

Time Common Time Source Cases Thrown Out if Time not correct Track Across Time Temporal Acquisition From Now til Whenever? Can we go back in Time? Big Data Problem 11

Tools Needed Requirements for Future Clouds Unique ID Mapping between Admin Users and low level action Other VMware SRQs Digital Forensic Kit <= Non Trivial Temporal Acquisition Wheel In and Go 12

Modern Forensic Lab (Analysis 2.0) Large Array of Storage Systematic Way to Do Large Scale Repeatable Data Mining (HADOOP) Knowing How to Inquire of the Data a Forensic Question regardless of Data Type 13

Conclusion Temporal Acquisition Uniqueness Treat like Big Data Large Scale Cloud Forensics 14

Research Needed Prototype the Kit Build Analysis Lab 2.0 Improve Hadoop tools to import varied data formats Use of Memory Images to Further Decryption Reduce reliance on Suspects to give keys Cryptography Format Preserving Encryption 15

What Can I Do? Architecture Preparation (Plan for Forensics) Modification (Change what you already have) Response (Improve Incident Response) Talk to Legal and/or Public Policy Officer Review Your Current Approach Develop Organizational Policy Resources Check Pressure on Vendors (eg. Bug RSA) Get Ready! 16

Open Q&A What are YOUR comments and questions? 17

What we will do next year! Take a train Please take a paper and send us feedback elh@astroarch.com sam.curry@rsa.com 18