Forensics and incident response in the cloud


Published on Cloud Asia Singapore, 15 May 2013

  1. Forensics and Incident Response in the Cloud
     Cloud Security Alliance APAC Congress 2013 Conference, Singapore
     Dr Kim-Kwang Raymond Choo, Ben Martini, Darren Quick
     Information Assurance Research Group, University of South Australia
  2. Agenda
     • What is Cloud Computing?
     • What is Digital Forensics?
     • Cloud Forensics (CF)
       – Our proposed CF framework
       – Cloud Storage as a Service (StaaS) experiments
     • Future Work
  3. Definition of Cloud Computing
     • How do you define cloud computing?
     Geelan J 2008, 'Twenty one experts define cloud computing', Virtualization, August 08, electronic magazine, article available at <>.
  4. Definition of Cloud Computing
     "ICT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (AGIMO 2011)
     AGIMO 2011, Cloud Computing Strategic Direction Paper: Opportunities and applicability for use by the Australian Government, Commonwealth of Australia, Canberra, <>.
  5. Cloud Computing Architecture
     • SaaS – Software as a Service
     • PaaS – Platform as a Service
     • IaaS – Infrastructure as a Service
  6. Cloud Computing Deployment Model
     • Public
     • Private
     • Hybrid
     • Community
  7. What is Digital Forensics?
     "the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable" (McKemmish 1999, p. 1)
     • McKemmish's key elements: Identification, Preservation, Analysis, Presentation
     • NIST key elements: Collection, Examination, Analysis, Reporting
     McKemmish R 1999, What is Forensic Computing?, Trends & Issues in Crime and Criminal Justice, no. 118, pp. 1–6.
     Kent K, Chevalier S, Grance T & Dang H 2006, Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86), U.S. Department of Commerce, <>.
  8. What is Digital Forensics?
     • Identification: defines the requirement for evidence management, knowing that evidence is present, its location, and its type and format.
     • Preservation: concerned with ensuring that evidential data remains unchanged, or is changed as little as possible.
     • Analysis: interprets and transforms the data collected into evidence.
     • Presentation: presents evidence to the courts, in terms of providing expert testimony on the analysis of the evidence.
  9. Digital Forensics: Challenges
     • Former SA DPP: "For the prosecutor, the challenge is to have the data translated into a form that is acceptable as evidence to the courts .... Assuming that the fragile and elusive evidence can be gathered together, the prosecutor must keep in mind that he or she will one day need to be able to prove the chain of evidence. All processes will need to be appropriately documented in a way that can be understood by the layman and the prosecutor must be prepared if necessary to demonstrate that the 'original' digital material has not been changed or tampered with in any way"
     Source: Pallaras S 2011. New technology: opportunities and challenges for prosecutors. Crime, Law and Social Change 56(1): 71–89
  10. Digital Forensics: Challenges of Cloud Computing
      • It is potentially more difficult to acquire and analyse digital evidence to the same standards as those currently expected for traditional server-based systems, for example:
        – an exact and verifiable digital copy of the user's data must be made;
        – the contents of the RAM of the virtualised environment must be identified and copied;
        – there must be provenance;
        – evidence of intent must be proved;
        – data must be analysed and processed in accordance with the prevailing rules of evidence; and
        – evidence must be preserved and made available for examination by the defendant's legal team.
  11. Digital Forensics: Challenges of Cloud Computing
      "little guidance exists on how to acquire and conduct forensics in a cloud environment" (National Institute of Standards and Technology 2011, p. 64)
      "[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud..." (Birk and Wegener 2011, p. 9)
      "[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc." (Zatyko & Bay 2012, p. 15; the authors are the previous Director of the US Department of Defense Computer Forensics Laboratory and the previous Chief Scientist at the US Air Force Research Laboratory Information Directorate)
      There is a need for an evidence-based digital forensic framework to guide investigations, one that is
      • flexible/generic enough to work with future providers offering new services, yet
      • able to step an investigation through a formalised process to ensure that information sources are identified and preserved.
  12. Our Proposed Cloud Forensics Framework
      1. Identification and Preservation: it is critical that preservation commences as soon as cloud computing use is discovered in a case; preservation is therefore combined with identification in this model.
      2. Collection: the potential difficulties in collecting cloud computing data dictate that collection be represented as a separate step.
      3. Examination and Analysis: examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.
      4. Reporting and Presentation: this step relates to reporting and presenting evidence to court, and as such remains mostly unchanged.
      The process is iterative.
  13. Our Proposed Cloud Forensics Framework: Identification and Preservation
      • In a cloud computing environment, identification is complicated by the remote physical location of the data.
      • Traditional devices (PCs, phones, etc.) will be used to identify cloud computing use.
      • What is the best method of identifying cloud computing use on a client device?
      • Preservation is also made difficult by the potential for data to be hosted overseas.
  14. Our Proposed Cloud Forensics Framework: Collection
      • Cloud computing complicates collection because of the physical location of data, both within the data centre and internationally.
      • Chain of custody requirements must also be met when collecting data.
      • The traditional approach of taking a bit-for-bit copy of data from a powered-off device is neither feasible nor necessarily the best method of collection in cloud computing environments.
  15. Our Proposed Cloud Forensics Framework: Examination and Analysis
      • Examination and analysis using digital forensics tools such as EnCase, FTK and XRY will need to be augmented by "translators" which convert popular cloud computing file formats into data files for processing.
      • Analysis can be aided by cloud metadata.
      • What tools and training are required for law enforcement to conduct cloud computing digital forensics?
  16. Our Proposed Cloud Forensics Framework
      • The initial focus of our research has been in the area of Storage as a Service (StaaS).
      • Three popular public storage clients have been analysed across both PC and mobile devices.
      • One of the pre-eminent open source cloud storage products (ownCloud) has also been analysed; this analysis included both client and server analysis.
  17. Cloud Storage Forensic Preservation: A Snapshot
      Client                System tray link                          RAM password (cleartext)   DBAN
      Dropbox               Yes                                       Yes                        No
      Microsoft SkyDrive    Yes (but not full access to an account)   Yes                        No
      Google Drive          Yes                                       Yes (and also on HDD)      No

      Client                Eraser/CCleaner   Configuration files            Mobile
      Dropbox               Remnants          Yes (old) / encrypted (new)    Browser
      Microsoft SkyDrive    Remnants          Yes                            Browser
      Google Drive          Remnants          Yes                            Browser
  18. Cloud Storage Forensic Preservation: A Snapshot
      • Whilst there are legal processes to enable data collection from a service provider, they can be time consuming.
      • Some jurisdictions have the legal power to secure data accessible at the time of serving a warrant, such as section 3LA of the Crimes Act 1914 (Cth) in Australia.
      • There is no documented process for an investigator to collect data from StaaS once it is identified.
      • We undertook a process of collecting data from storage with Dropbox, Microsoft SkyDrive and Google Drive.
      • We tested access via the browser and via the client software.
      • There was no change to files uploaded, stored and downloaded (hash values were the same).
      • There were changes to the timestamp metadata; however, some processes maintained the same timestamp as the original file.
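The check behind the last two bullets, as an added example and not the authors' own tooling: hash each original file and its collected copy, record whether content and modification timestamps match, and return a manifest an investigator can attach to the chain-of-custody record. The three sample files, the two copy methods (one preserving timestamps, one not) and the deliberately altered third file are constructed here to exercise all three outcomes; they are not data from the experiments.

```python
"""Verify a StaaS collection: content hashes must match, timestamps may not."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large cloud downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_record(path):
    """Size, SHA-256 and UTC mtime of one file, as recorded in the manifest."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "sha256": sha256_file(path),
        "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def compare_collection(originals, collected):
    """originals / collected: dicts mapping a file name to its on-disk path.

    Returns one verdict per original file: content identical or not, and
    whether the collection method preserved the original modification time.
    """
    report = {}
    for name, src in originals.items():
        dst = collected.get(name)
        if dst is None:
            report[name] = {"status": "missing"}  # file never made it into the collection
            continue
        a, b = file_record(src), file_record(dst)
        report[name] = {
            "status": "content-identical" if a["sha256"] == b["sha256"] else "content-differs",
            "sha256_original": a["sha256"],
            "sha256_collected": b["sha256"],
            "mtime_preserved": a["mtime"] == b["mtime"],
            "mtime_original": a["mtime"],
            "mtime_collected": b["mtime"],
        }
    return report


def demo():
    """Constructed scenario (not experimental data): three files collected three ways."""
    root = tempfile.mkdtemp()
    orig, coll = os.path.join(root, "original"), os.path.join(root, "collected")
    os.makedirs(orig)
    os.makedirs(coll)
    originals, collected = {}, {}
    for name, body in [("a.txt", b"alpha"), ("b.txt", b"beta"), ("c.txt", b"gamma")]:
        p = os.path.join(orig, name)
        with open(p, "wb") as f:
            f.write(body)
        os.utime(p, (1_300_000_000, 1_300_000_000))  # fixed, old mtime on the originals
        originals[name] = p
    # a.txt: copy2 carries the mtime across (a sync client that keeps timestamps)
    collected["a.txt"] = shutil.copy2(originals["a.txt"], os.path.join(coll, "a.txt"))
    # b.txt: copyfile writes a fresh file, so mtime becomes the collection time (a browser download)
    collected["b.txt"] = shutil.copyfile(originals["b.txt"], os.path.join(coll, "b.txt"))
    # c.txt: altered in transit, so the hash no longer matches
    collected["c.txt"] = os.path.join(coll, "c.txt")
    with open(collected["c.txt"], "wb") as f:
        f.write(b"gamma!")
    try:
        return compare_collection(originals, collected)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict["status"], "mtime preserved:", verdict.get("mtime_preserved"))
```

A timestamp difference alone is not evidence of tampering: as the slide notes, the collection method itself changes it. The hash is the property to defend in court; the manifest keeps both so the examiner can explain the difference.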
  19. Cloud Storage Forensic Preservation: A Snapshot
      • ownCloud is a popular open-source cloud storage product which is generally run in a private cloud configuration.
      • The ownCloud experiments were exploratory in nature, to determine a series of artefacts on the client and server which could be used by a forensic practitioner for evidential purposes.
  20. Cloud Storage Forensic Preservation: A Snapshot
      • Client artefact summary
      Category                                Artefact
      Sync and file management metadata       ownCloud "folders"; file metadata
      Cached files                            Synced files
      Cloud service and authentication data   owncloud.cfg
      Browser artefacts                       URL parameters; page titles
      Mobile client artefacts                 Accessed files; DB.sqlite
      Network analysis                        HTTP/WebDAV artefacts
  21. Cloud Storage Forensic Preservation: A Snapshot
      • Server artefact summary
      Category                                    Artefact
      Administrative and file management metadata SQL database
      Stored files                                "datadirectory"; file versioning
      Encryption metadata                         Blowfish encryption
      Cloud logging and authentication data       Web server logging data
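The two network-side artefacts above, HTTP/WebDAV traffic on the client side (slide 20) and web server logging data on the server side (slide 21), meet in the web server's access log. The following added example (not the authors' code) parses combined-format access log lines, keeps only WebDAV requests, and turns them into a per-user activity timeline. The WebDAV endpoint path `/remote.php/webdav/` is an assumption about the server layout, the log lines and user-agent strings are constructed for the example, and the action names are this example's own labels.

```python
"""Rebuild a WebDAV activity timeline from web server access logs."""
import re
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format; assumed to be what the storage host logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
WEBDAV_ROOT = "/remote.php/webdav/"  # assumption: the server's WebDAV endpoint
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
ACTION = {"PUT": "upload", "GET": "download", "DELETE": "delete", "MKCOL": "create-folder",
          "MOVE": "move", "COPY": "copy", "PROPFIND": "list"}


def parse_line(line):
    """One access-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")  # keeps the log's UTC offset
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def is_webdav(rec):
    """WebDAV-only verbs, or ordinary verbs aimed at the WebDAV tree."""
    return rec["method"] in WEBDAV_METHODS or rec["path"].startswith(WEBDAV_ROOT)


def webdav_timeline(lines):
    """Chronological list of WebDAV events; unparseable and non-WebDAV lines are skipped."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_webdav(rec):
            continue
        path = rec["path"]
        rel = path[len(WEBDAV_ROOT):] if path.startswith(WEBDAV_ROOT) else path
        events.append({
            "time": rec["ts"], "user": rec["user"], "ip": rec["ip"],
            "action": ACTION.get(rec["method"], rec["method"].lower()),
            "file": unquote(rel),          # logs store the URL-encoded path
            "status": rec["status"], "size": rec["size"], "agent": rec["agent"],
            "ok": 200 <= rec["status"] < 300 or rec["status"] == 207,  # 207 = Multi-Status
        })
    events.sort(key=lambda e: e["time"])   # logs are not guaranteed to be in order
    return events


def per_user_summary(events):
    """Count successful actions per authenticated user; failed requests are left out."""
    summary = {}
    for e in events:
        if not e["ok"]:
            continue
        per_user = summary.setdefault(e["user"], {})
        per_user[e["action"]] = per_user.get(e["action"], 0) + 1
    return summary


# Constructed sample log (not captured from a real system); note the out-of-order first line.
SAMPLE_LOG = [
    '10.0.0.5 - alice [15/May/2013:10:01:12 +0800] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 1843 "-" "sync-client/1.0"',
    '10.0.0.5 - alice [15/May/2013:10:01:13 +0800] "PUT /remote.php/webdav/Documents/Q1%20report.docx HTTP/1.1" 201 0 "-" "sync-client/1.0"',
    '10.0.0.9 - - [15/May/2013:09:59:59 +0800] "PUT /remote.php/webdav/Documents/x.bin HTTP/1.1" 401 0 "-" "curl/7.29"',
    '10.0.0.5 - alice [15/May/2013:10:02:40 +0800] "DELETE /remote.php/webdav/Documents/old.txt HTTP/1.1" 204 0 "-" "sync-client/1.0"',
    '10.0.0.7 - bob [15/May/2013:10:05:00 +0800] "GET /remote.php/webdav/Documents/Q1%20report.docx HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/May/2013:10:05:30 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in webdav_timeline(SAMPLE_LOG):
        print(e["time"].isoformat(), e["user"], e["action"], e["file"], e["status"])
    print(per_user_summary(webdav_timeline(SAMPLE_LOG)))
```

The failed, unauthenticated PUT stays in the timeline (an investigator wants to see the attempt) but is excluded from the per-user counts; the index.php hit is dropped because it is not a WebDAV request. Correlate the `user` and `agent` fields with the client-side `owncloud.cfg` and browser history artefacts to tie a server-side event to a seized device.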
  22. Cloud Storage Forensic Preservation: A Snapshot
      • Identified software files for each service, e.g.
        – SyncDiagnostics.log – SkyDrive
        – Snapshot.db – Google Drive
        – Filecache.db – Dropbox
        – owncloud.cfg – ownCloud client
        – SQL database – ownCloud server
      • Identified OS remnants: Prefetch, link files, Registry
      • Identified browser history remnants
      • No change to accessed and downloaded files
      • Differences in timestamps for downloaded files
      • Process to boot an image of a PC in a VM
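Several of the client files listed above (Snapshot.db, Filecache.db, the mobile client's DB.sqlite) are SQLite databases. The following added example (not the authors' code) shows how an examiner can triage such a file without assuming its schema and without modifying it: check the file header, hash it, open it through a read-only URI, enumerate every table with its schema, row count and a sample of rows, then re-hash to confirm the evidence is byte-for-byte unchanged. The toy database built by `build_sample_db` is constructed for the example and is not the real schema of any of those products' files.

```python
"""Read-only triage of an SQLite artefact without altering the evidence file."""
import hashlib
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header of every SQLite 3 file


def sha256_of(path):
    # Whole-file read is fine for client databases, which are small.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def quote_ident(name):
    """Double-quote an identifier taken from sqlite_master so odd table names are safe."""
    return '"' + name.replace('"', '""') + '"'


def triage_sqlite(path, sample_rows=5):
    """Return header check, pre/post hashes and a per-table summary of an SQLite file."""
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            raise ValueError(f"{path}: not an SQLite 3 database")
    before = sha256_of(path)
    # mode=ro makes the connection read-only, so a stray write cannot touch the evidence.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = {}
        for name, sql in con.execute(
                "SELECT name, sql FROM sqlite_master WHERE type='table' ORDER BY name"):
            q = quote_ident(name)
            cur = con.execute(f"SELECT * FROM {q} LIMIT ?", (sample_rows,))
            cols = [c[0] for c in cur.description]
            rows = cur.fetchall()
            count = con.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
            tables[name] = {"schema": sql, "columns": cols, "row_count": count, "sample": rows}
    finally:
        con.close()
    after = sha256_of(path)
    return {"path": path, "sha256": before, "unchanged": before == after, "tables": tables}


def build_sample_db():
    """Constructed toy database; NOT the schema of Snapshot.db, Filecache.db or DB.sqlite."""
    path = os.path.join(tempfile.mkdtemp(), "client.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, modified INTEGER)")
    con.executemany("INSERT INTO files (name, modified) VALUES (?, ?)",
                    [("report.docx", 1368590400), ("notes.txt", 1368594000)])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    result = triage_sqlite(build_sample_db())
    print("sha256:", result["sha256"], "unchanged:", result["unchanged"])
    for table, info in result["tables"].items():
        print(table, info["columns"], "rows:", info["row_count"], "sample:", info["sample"])
```

Run it against a copy of the artefact taken from a write-blocked image, not the seized disk; the read-only connection protects against the tool, not against the operating system mounting the volume read-write. Once the tables are known, the service-specific interpretation (which column is a path, which is a timestamp) follows from the papers cited on the References slide.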
  23. References
      This presentation is based on the following:
      Publications
      1. Hooper C, Martini B & Choo KKR. Cloud computing and its implications for cybercrime investigations in Australia. Computer Law and Security Review 29(2): 152–163, 2013
      2. Martini B & Choo KKR. An integrated conceptual digital forensic framework for cloud computing. Digital Investigation 9(2): 71–80, 2012
      3. Quick D & Choo KKR. Digital Droplets: Microsoft SkyDrive forensic data remnants. Future Generation Computer Systems 29(6): 1378–1394, 2013
      4. Quick D & Choo KKR. Dropbox Analysis: Data Remnants on User Machines. Digital Investigation [In press]
      Manuscripts under review
      1. Martini B & Choo KKR. Cloud Storage Forensics: ownCloud as a Case Study.
      2. Quick D & Choo KKR. Google Drive: Forensic Analysis of data remnants.
      3. Quick D & Choo KKR. Cloud forensics: How can we collect data from a cloud storage account?
  24. Future Work
      • Examine other cloud StaaS providers to determine best practices for forensic extraction and analysis on those platforms.
      • Examine other cloud computing services to determine best practices for forensic extraction and analysis on those platforms, as there will almost certainly be variation in the collection methods across each type of cloud platform and deployment model.
      • Etc.
  25. Dr. Kim-Kwang Raymond Choo
      2009 Fulbright (DFAT Professional) Scholar
      Senior Lecturer, School of Information Technology & Mathematical Sciences, University of South Australia
      Visiting Researcher, ARC Centre of Excellence in Policing and Security (CEPS), Regulatory Institutions Network (RegNet), Australian National University
      URL: <>