This project was funded by the European Union’s Justice Programme (2014-2020).
Antonio Rodriguez
LIVE_FOR
Best practices in cloud forensics
Contents

BASIC CONCEPTS
  How does the Internet work?
  User / server definition
  Information exchange
  Encryption basic concepts
  Log definition and properties
  Metadata
  Digital evidence

DIGITAL FORENSICS TECHNIQUES
  Computer forensics principles
  Legal requirements
  Dead acquisition analysis
  Live forensics
  Volatile data definition

ADVANCED DIGITAL FORENSICS PROCEDURES AND TECHNIQUES
  Reverse engineering
  Computer forensics tools

CLOUD ENVIRONMENT AND CYBERCRIME
  Risks and benefits of Cloud Computing
  Cloud services
  Cloud management technologies

CLOUD FORENSICS PRACTICAL APPROACHES
  Cloud SaaS forensics
  Cloud IaaS forensics
  Cloud PaaS forensics
  Practical use case

COLLECTING CROSS BORDER EVIDENCE

BEST PRACTICES ON GATHERING E-EVIDENCE ABROAD BY USING THE EIO
BASIC CONCEPTS
How does the Internet work? | User / server definition | Information exchange | Encryption basic concepts | Log definition and properties | Metadata | Digital evidence
Client / Server
Information Exchange

Every device identified by a unique address has to be able to communicate simultaneously with various applications/services. This is achieved by using logical ports.
Information exchange with each service is performed through one or more ports. Example: web servers use ports 80 and 443.
There are 65536 ports.

[Figure: Ports. A host with address 192.168.1.25 exposing port 80 next to free ports; request and response arrows between client and server.]
DIGITAL FORENSICS TECHNIQUES
Computer forensics principles | Legal requirements | Dead acquisition analysis | Live forensics | Volatile data definition
Is all information stored?

Information always needs a physical support to exist:
  The wire when it's transmitted
  The device memory when it's processed
  The disk when it's stored
All these supports have a cost: a provisioning cost and an operational cost.
Companies want to maximize profit, so:
  NOT ALL INFORMATION IS STORED (1)
  NOT ALL STORED INFORMATION IS DELETED (1)(2)
(1) Unless the law enforces it.
(2) Deleting takes time and time is money.
Memory vs Hard Drives

Wire: life time milliseconds; gets lost immediately.
Memory: life time milliseconds to days; gets lost when shutting down or rebooting.
Disk drive: life time days to years; permanent storage even without power.
Acquisition methods
1. Live
2. Post-mortem
Live

When acquiring the information while the system is still on, we have to take into account some points:
  The acquisition of this information alters the original evidence, because we need to run tools on the machine. This modifies memory and overwrites possible evidence.
  It's important to document this action precisely.
Post-mortem

When acquiring evidence from a shut-down system, the only option is to take a snapshot of the disk and of the backups, if they exist.
If done correctly, this process does not modify the contents in any way.
After capturing the evidence and generating the hash, it is sometimes possible to emulate the real system from the image. This procedure has to be well documented.
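Added example (not part of the LIVE_FOR slides): a small Python routine that hashes an acquired image in chunks, builds the acquisition record that both the live and the post-mortem slides say must be documented (who, when, which tool, every action run on the evidence, and the hash), and later verifies the image against that record. The image content, file name, examiner id, tool name and action list are constructed sample values.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image never has to fit in RAM

def hash_image(path, algo="sha256"):
    """Hex digest of an acquired image file, computed chunk by chunk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquisition_record(path, examiner, tool, actions, algo="sha256"):
    """The documentation the procedure needs: who, when, which tool, every action
    run against the evidence (in order), and the hash of the resulting image."""
    return {
        "image": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "examiner": examiner,
        "tool": tool,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "actions": list(actions),
        "hash_algo": algo,
        "hash": hash_image(path, algo),
    }

def verify_image(path, record):
    """Re-hash the image and compare with the documented value; any change fails."""
    return hash_image(path, record["hash_algo"]) == record["hash"]

def demo():
    """Constructed scenario: a tiny fake image, documented, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")  # constructed file name
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096)
        rec = acquisition_record(image, "examiner-01", "dd (assumed tool)",
                                 ["attach write blocker", "image disk to evidence.dd", "hash image"])
        before = verify_image(image, rec)
        with open(image, "r+b") as f:  # simulate a single altered byte after acquisition
            f.seek(4096)
            f.write(b"X")
        return {"verified_before": before, "verified_after": verify_image(image, rec), "record": rec}

if __name__ == "__main__":
    print(demo())
```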
ADVANCED DIGITAL FORENSICS PROCEDURES AND TECHNIQUES
Reverse engineering | Computer forensics tools
Cellebrite UFED, X-Ways Forensics
CLOUD ENVIRONMENT AND CYBERCRIME
Cloud SaaS forensics | Cloud IaaS forensics | Cloud PaaS forensics | Practical use case
The Cloud
The Cloud: Types of cloud

Who owns this? Whom does this serve?

Depending on the ownership of the infrastructure and the nature of its users, we can distinguish various cloud types. The most common are the following:
  Public cloud: typically a private infrastructure providing service to the general public. Examples: Amazon (AWS), Google Cloud, Microsoft (Azure).
  Private cloud: typically a private infrastructure providing service to the owner organization.
  Hybrid cloud: as maintaining a private cloud, despite its advantages, is expensive, some organizations use two clouds: a private one to provide the services working with sensitive data, and a public one for less critical services.
The Cloud: Types of cloud services

Layer            IaaS                       PaaS                       SaaS
Application      Client                     Client                     Managed by cloud provider
Platform         Client                     Managed by cloud provider  Managed by cloud provider
Infrastructure   Managed by cloud provider  Managed by cloud provider  Managed by cloud provider
CLOUD FORENSICS PRACTICAL APPROACHES
Risks and benefits of Cloud Computing | Cloud services | Cloud management technologies
Is it possible to obtain the physical device?

Yes: obtain the device and perform:
  Traditional forensics looking for temporal copies of the data
  AND/OR
  Obtain credentials and perform API-based forensics

No: ask CSPs for the service data and perform the forensic analysis on it
KUMOD