best practices in cloud forensics - live...
Post on 21-Sep-2020
This project was funded by the European Union’s Justice Programme (2014-2020).
Antonio Rodriguez
LIVE_FOR
Best practices in cloud forensics
Contents
BASIC CONCEPTS
How does the Internet work?
User / server definition
Information exchange
Encryption basic concepts
Log definition and properties
Metadata
Digital evidence
DIGITAL FORENSICS TECHNIQUES
Computer forensics principles
Legal requirements
Dead acquisition analysis
Live forensics
Volatile data definition
ADVANCED DIGITAL FORENSICS PROCEDURES AND TECHNIQUES
Reverse engineering
Computer forensics tools
CLOUD ENVIRONMENT AND CYBERCRIME
Risks and benefits of Cloud Computing
Cloud services
Cloud management technologies
CLOUD FORENSICS PRACTICAL APPROACHES
Cloud SaaS forensics
Cloud IaaS forensics
Cloud PaaS forensics
Practical use case
COLLECTING CROSS BORDER EVIDENCE
BEST PRACTICES ON GATHERING E-EVIDENCE ABROAD BY USING THE EIO
BASIC CONCEPTS
How does the Internet work?
User / server definition
Information exchange
Encryption basic concepts
Log definition and properties
Metadata
Digital evidence
Client / Server
Information Exchange
Every device identified by a unique address has to be able to communicate simultaneously with various applications/services.
This is achieved by using logical ports.
Information exchange with each service is performed through one or more ports. Example: Web servers use ports 80 and 443.
There are 65536 ports.
[Figure: Ports. A host with address 192.168.1.25 exchanges a request and response over port 80 while its other ports remain free.]
DIGITAL FORENSICS TECHNIQUES
Computer forensics principles
Legal requirements
Dead acquisition analysis
Live forensics
Volatile data definition
Is all information stored? Information always needs a physical support to exist:
the wire while it is transmitted, the device memory while it is processed, the disk when it is stored.
All these supports have a cost: a provisioning cost and an operational cost.
Companies want to maximize profit, so:
NOT ALL INFORMATION IS STORED (1)
NOT ALL STORED INFORMATION IS DELETED (2)(1)
(1) Unless the law enforces it. (2) Deleting takes time, and time is money.
Memory vs Hard Drives
Wire
Life time: milliseconds
Gets lost immediately
Memory
Life time: milliseconds-days
Gets lost when shutting down or rebooting
Disk drive
Life time: days-years
Permanent storage even without power
Acquisition methods
1. Live
2. Post-mortem
Live
When acquiring information while the system is still running, some points have to be taken into account:
Acquiring this information alters the original evidence, because tools have to be run on the machine. This modifies memory and may overwrite possible evidence.
It is important to document this action correctly.
Post-mortem
When acquiring evidence from a shut-down system, the only option is to take a snapshot of the disk and of the backups, if they exist.
If done correctly, this process does not modify the contents in any way.
After capturing the evidence and generating its hash, it is sometimes possible to emulate the real system from the image. This procedure has to be well documented.
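As an added illustration (not code from the LIVE_FOR slides), a small Python helper that hashes an acquired disk image in chunks, writes the acquisition record the slide says must be documented, and later checks that the image or a working copy still matches that record; the examiner, tool and file names are assumed.

```python
import hashlib
import json
import os
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash an evidence file in chunks so multi-GB images never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, examiner: str, source_description: str,
                       tool: str, record_path: str) -> dict:
    """Write the acquisition record: who acquired what, when, with which tool,
    and the hash that fixes the image content from this moment on.
    Field names are an assumption of this example, not a standard."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_description,
        "tool": tool,
    }
    with open(record_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path: str, record_path: str) -> bool:
    """Re-hash the image (or a working copy) and compare it with the record.
    A mismatch means the contents changed after acquisition, so the file must
    not be analysed as if it were the original evidence."""
    with open(record_path, "r", encoding="utf-8") as f:
        record = json.load(f)
    return (os.path.getsize(image_path) == record["size_bytes"]
            and hash_file(image_path) == record["sha256"])
```

Run record_acquisition once on the freshly captured image and verify_image before every analysis session or after every copy, keeping the JSON record with the case documentation.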
ADVANCED DIGITAL FORENSICS PROCEDURES AND TECHNIQUES
Reverse engineering
Computer forensics tools
Cellebrite UFED
X-Ways Forensics
CLOUD ENVIRONMENT AND CYBERCRIME
Cloud SaaS forensics
Cloud IaaS forensics
Cloud PaaS forensics
Practical use case
The Cloud
The Cloud
Types of cloud
Who owns this? Whom does it serve?
Depending on the ownership of the infrastructure and the nature of its users, we can distinguish various cloud types. The most common are the following:
Public cloud: Typically a private infrastructure providing service to the general public. Examples: Amazon (AWS), Google Cloud, Microsoft (Azure).
Private cloud: Typically a private infrastructure providing service to the owner organization.
Hybrid cloud: As maintaining a private cloud, despite its advantages, is expensive, some organizations use two clouds: a private one to provide the services working with sensitive data, and a public one for less critical services.
The Cloud
Types of cloud services
[Figure: three stacks of Client / Application / Platform / Infrastructure, one each for IaaS, PaaS and SaaS, marking which layers are managed by the cloud provider: only the infrastructure in IaaS, infrastructure and platform in PaaS, and all layers in SaaS.]
CLOUD FORENSICS PRACTICAL APPROACHES
Risks and benefits of Cloud Computing
Cloud services
Cloud management technologies
Is it possible to obtain the physical device?
Yes: Obtain the device and perform traditional forensics looking for temporary copies of the data, AND/OR obtain credentials and perform API-based forensics.
No: Ask the CSPs for the service data and perform the forensic analysis on it.