This project was funded by the European Union’s Justice Programme (2014-2020).

Antonio Rodriguez

LIVE_FOR

Best practices in cloud forensics

2

3

Contents

BASIC CONCEPTSHow does the Internet work?

User / server definitionInformation exchange

Encryption basic conceptsLog definition and properties

MetadataDigital evidence DIGITAL FORENSICS TECHNIQUES

Computer forensics principlesLegal requirementsDead acquisition analysisLive forensicsVolatile data definition

ADVANCED DIGITAL FORENSICSPROCEDURES AND TECHNIQUES

Reverse engineeringComputer forensics tools

4

CLOUD ENVIRONMENT ANDCYBERCRIMERisks and benefits of Cloud ComputingCloud servicesCloud management technologies

CLOUD FORENSICS PRACTICALAPPROACHES

Cloud SaaS forensicsCloud IaaS forensics

Cloud PaaS forensicsPractical use case

COLLECTING CROSS BORDEREVIDENCE

BEST PRACTICES ON GATHERINGE-EVIDENCE ABROAD BY USINGTHE EIO

5

BASIC CONCEPTSHow does the Internet work?User / server definitionInformation exchangeEncryption basic conceptsLog definition and propertiesMetadataDigital evidence

6

Client / Server

7

Information Exchange

Every device identified by an uniqueaddress has to be able to communicatesimultaneously with variousapplications/services

This is achieved by using logical ports

Information exchange with each serviceis performed through one or more portsExample: Web servers use ports 80 and 443

There are 65536 ports

Ports

192.168.1.25

free port

80 free port

request response

8

DIGITAL FORENSICS TECHNIQUESComputer forensics principlesLegal requirementsDead acquisition analysisLive forensicsVolatile data definition

9

Is all information stored? Information always needs a physical support to exist

The wire when its transmitted The device memory when its processed The disk when its stored

All these supports have a cost Provisioning cost Operational cost

Companies want to maximize profit so:

NOT ALL INFORMATION IS STORED(1)

NOT ALL STORED INFORMATION IS DELETED(2)(1)

(1) Unless the law enforces it.(2) Deleting takes time and time is money.

10

Memory vs Hard Drives

Wire

Life time: milliseconds

Gets lost immediately

Memory

Life time:milliseconds-days

Gets lost when shutting down or rebooting

Disk drive

Life time:days-years

Permanent storage even without power

11

Acquisition methods

1. Live

2. Post-mortem

12

Live

When acquiring the information meanwhilethe system is still on, we have to take inaccount some points:

The acquisition of this informationalters the original evidence due to weneed to run tools on the machine This modifies memory and

overwrites possible evidence

It’s important to specify correctly thisaction.

13

Post-mortem

When acquiring evidence of a shut downsystem, the only option is to take asnapshot of the disk and the backups if theyexist

If done correctly this process does notmodify the contents in any way

After capturing the evidence andgenerating the hash sometimes it ispossible to emulate the real system fromthe image. This procedure has to be well

documented

14

ADVANCED DIGITAL FORENSICSPROCEDURES AND TECHNIQUESReverse engineeringComputer forensics tools

15

Cellebrite UFEDX-Ways Forensics

16

CLOUD ENVIRONMENT ANDCYBERCRIMECloud SaaS forensicsCloud IaaS forensicsCloud PaaS forensicsPractical use case

17

The Cloud

18

The CloudTypes of cloud

Who owns this?To whom serves this?

Depending on the property of theinfrastructure and the nature of its users wecan distinguish various cloud types. The mostcommon are the following: Public cloud: Typically a private

infrastructure providing service to thegeneral public. Examples: Amazon (AWS), Google

Cloud, Microsoft (Azure) Private cloud: Typically a private

infrastructure providing service to theowner organization.

Hybrid cloud: As maintaining a privatecloud, despite its advantages, is expensivesome organizations use two clouds: A private one to provide the

services working with sensitivedata.

A public one for less critical services.

19

The CloudTypes of cloud services

Client

Application

Platform

Infrastructure

Application

Platform

Infrastructure

Application

Platform

Infrastructure

Managed by cloud provider

IaaS PaaS SaaS

20

CLOUD FORENSICS PRACTICALAPPROACHESRisks and benefits of Cloud ComputingCloud servicesCloud management technologies

21

Is it possible to obtain physical

device?

Obtain the device and perform:

Traditional forensics looking for temporal

copies of the data

AND/OR

Obtain credentials and perform API based

forensics

Ask CSPs for the service data and perform the forensic analysis on it

yes no

22

KUMOD