Study of Digital Forensics on Google Cloud Platform
1. Study of Digital Forensics on Google Cloud Platform
Aaron Sanders
Casey Aniceto
Samuel Borthwick
Department of Computer and Information Technology, IUPUI
CIT 56200 - Mobile and Network Forensics
4. Intro to the cloud
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (the NIST SP 800-145 definition).
5. Cloud Forensics Process Timeline
• Incident is identified
• Agent contacts the cloud service provider (CSP) and makes the request for data
• Cloud technician returns data in accordance with the warrant
• Examination of potential evidence
  • Autopsy
  • FTK
• Reports and presentation to a jury for a court decision
Challenges
• Technical disconnect between judges and lawyers
• Establishing trust in the integrity of tools and methods
• Maintaining chain of custody
  • Hash verification
• Data collection
  • Location of data, CSP, encrypted data
• Accurate time synchronization for audit logs
6. Legal Challenges
When beginning an investigation on a cloud service, these are questions that must be answered:
• Can you collect the data yourself?
• Which jurisdiction applies?
• Can you compel the disclosure of data?
• What tools or techniques are available for compelling information?
7. Case Study
1. A user has been identified as distributing malicious code that captures and stores users' private credit card information.
2. An IP address has been detected and was used to discover that the code is potentially running on the Google Cloud Platform, in its Council Bluffs, Iowa server.
3. A law enforcement agent is assigned to collect evidence, uncover whether illegal activity was performed through the use of Google Cloud, and present the findings.
8. Forensics Process
• With the IP address handed over to investigators, 23.251.149.22, an IP lookup can be conducted.
• Tool used: https://www.iplocation.net/ip-lookup
• Here we can see our results have provided some valuable information as to where the suspect computer is possibly located. For a cloud-hosted address, the lookup points at the provider's data-centre region rather than at the operator's physical location.
9. Forensics Process
Tools we can use to potentially gain access to, or collect data from, the machine are the following:
• Warrant
  Request access to the machine with the corresponding IP address, using the information gathered from the IP lookup.
• Preservation Letters or Litigation Holds
  Temporarily suspend the defendant's ability to delete resources relating to the suspect machine.
10. Forensics Process
• GCP Compute Engine
• crdhost, with the external IP 23.251.149.22, was identified
• Key features of the VM instance were identified
11. Forensics Process
• GCP provided access to the VM instance log file
• The JSON log of the VM instance was collected
• Identified a google-sudoers group user, aarsande
• Identified the email accounts of the users of the VM instance
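The identity work in this step (which accounts were added to google-sudoers, which emails acted on the instance) can be scripted. The following is an added example, not part of the study: it parses constructed log entries modelled on the Cloud Logging JSON export format; the guest-agent message wording, the instance id, the timestamps and the email addresses are assumptions, and only the user name aarsande comes from the study.

```python
import json
import re

# Constructed sample entries in the shape of a Cloud Logging JSON export (one object
# per line). Only the user name aarsande comes from the study; instance id, emails,
# timestamps and the guest-agent message wording are assumptions for this example.
SAMPLE_LOG = '''
{"timestamp":"2020-11-01T14:02:11Z","resource":{"type":"gce_instance","labels":{"instance_id":"1111111111111111111"}},"protoPayload":{"methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"owner@example.com"}}}
{"timestamp":"2020-11-01T14:02:30Z","resource":{"type":"gce_instance","labels":{"instance_id":"1111111111111111111"}},"jsonPayload":{"message":"Creating user aarsande."}}
{"timestamp":"2020-11-01T14:02:31Z","resource":{"type":"gce_instance","labels":{"instance_id":"1111111111111111111"}},"jsonPayload":{"message":"Adding user aarsande to group google-sudoers."}}
{"timestamp":"2020-11-01T15:10:05Z","resource":{"type":"gce_instance","labels":{"instance_id":"1111111111111111111"}},"protoPayload":{"methodName":"v1.compute.instances.start","authenticationInfo":{"principalEmail":"analyst@example.com"}}}
'''

SUDOERS_RE = re.compile(r"Adding user (\S+) to group google-sudoers")

def parse_entries(text):
    """One dict per non-empty line; malformed lines are reported by number rather
    than silently dropped, so the examiner can account for every record."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            malformed.append(lineno)
    return entries, malformed

def triage_users(text):
    """Return (sudoers users, {principal email: [(timestamp, API method)]}, malformed line numbers)."""
    entries, malformed = parse_entries(text)
    sudoers, actions = set(), {}
    for e in entries:
        m = SUDOERS_RE.search(e.get("jsonPayload", {}).get("message", ""))
        if m:
            sudoers.add(m.group(1))
        payload = e.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        if principal:
            actions.setdefault(principal, []).append((e.get("timestamp"), payload.get("methodName")))
    return sorted(sudoers), actions, malformed
```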
12. Forensics Process
• Created a file to store the vmdk image on GCP to preserve the VM's data
• GCP charges the owner of the cloud resource a fee for the image service
• Ran the imaging process without taking the VM instance offline
• Was able to download the vmdk image
13. Forensics Process
• The downloaded vmdk image was used in Autopsy
• Selected it as a data source with the Disk Image or VM File option
• Autopsy returned a "Failed to add data source" error
• Analysis of the vmdk image was unsuccessful in its current format
14. Forensics Process
• Changed the vmdk image to raw image format using FTK Imager
• Data was unchanged and preserved in the conversion
• MD5 and SHA-1 hash verification was a match
• The raw image was used for the forensic analysis
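The hash check in that step is what makes the converted image defensible in court. The following added example (not from the study, and not FTK Imager's own verification) shows the same check scripted: it hashes an image in one streaming pass, records MD5, SHA-1 and size in a manifest next to the image as a chain-of-custody record, and re-verifies later; file names, the manifest layout and the constructed sample image are assumptions.

```python
import hashlib
import io
import json
import os
import tempfile
CHUNK = 1 << 20  # 1 MiB reads: a disk image is far larger than RAM

def hash_stream(f):
    """One streaming pass computing MD5 and SHA-1 together, plus the byte count."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: f.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": total}

def hash_image(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def hash_bytes(data):  # convenience for checking against known test vectors
    return hash_stream(io.BytesIO(data))

def write_manifest(image_path, manifest_path, note=""):
    """Store the acquisition hashes beside the image as the chain-of-custody record."""
    record = dict(hash_image(image_path), file=os.path.basename(image_path), note=note)
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify_manifest(image_path, manifest_path):
    """Re-hash the image and report which recorded fields, if any, no longer match."""
    with open(manifest_path) as f:
        recorded = json.load(f)
    current = hash_image(image_path)
    mismatches = [k for k in ("md5", "sha1", "size") if recorded.get(k) != current[k]]
    return (not mismatches, mismatches)

def demo():  # constructed round trip: record, verify, alter one byte, verify again
    d = tempfile.mkdtemp()
    img, man = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.raw.json")
    with open(img, "wb") as f:  # deterministic pattern; length is not a CHUNK multiple
        f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"tail")
    write_manifest(img, man, note="constructed sample, not case data")
    before = verify_manifest(img, man)
    with open(img, "r+b") as f:  # overwrite a single byte (0x05 -> 0x06) mid-image
        f.seek(CHUNK + 5)
        f.write(b"\x06")
    after = verify_manifest(img, man)
    return before, after
```

A one-byte change leaves the size intact but breaks both hashes, which is why the manifest records the digests and not just the file length.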
15. Forensics Process
• Analysis of the raw image found 2 pieces of evidence connected to the case
• The Data.csv file contained first and last name, date of birth, address, credit card information, and the PIN to the credit cards
• The main.html text document had fillable forms for First Name, Last Name, Date of Birth, Address, Credit Card Number, and 3 Digit Pin
16. Results
• Tracked down the IP of the suspected system
• Gained access to the suspected system's GCP Compute Engine
• Obtained host information
• Created a vmdk image from GCP
• Created a raw image from the vmdk image using FTK Imager
• Completed the forensic analysis of the suspected system using Autopsy
• Found evidence of stolen credit card information and the webpage used by the virtual machine
17. Conclusions
• Creating a VM instance on GCP required intricate steps
• GCP provided utilities to manage the VM instance
• Creating a vmdk image from the GCP VM instance will charge the owner of the VM for the service - beware
• A vmdk image from GCP did not work for us in Autopsy
• FTK Imager can change the format of other image types
• Using the principles of the forensics process, we were able to apply a similar approach to conducting cloud forensics
18. Future Work
● Cloud providers to create a 'Forensics as a Service' product for investigators
● Create agreed-upon guidelines and compliance requirements for cloud platforms
● Create a Cloud Forensics Certification