TUTORIAL: Digital Forensics and Incident Response in the Cloud Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams may acquire (and destroy) new computing resources at a press of a button providing for very flexible deployment environment. While this capability is generally useful, it does come at the cost of increasing management overheads and particularly degraded security posture. Traditionally, IT managers have provided visibility into organizational inventories and could use this information to enforce org wide standard operating environments (SOEs), institute patching regimes etc. However, with the advent of cloud computing, every team can create new VMs and containers on a whim for both production and development use, typically consisting of the cloud service provider's SOE offering. In this tutorial we explore open source tools available for managing cloud deployments. In particular we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should be able to walk away from this tutorial being able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints. These solutions allow the administrators to gain insight into their enterprise wide deployment. For example, one could ask questions such as: What is the current patch level of all my cloud VM's and containers for each software package? Which VM's are in need of patching? Which VMs have been created recently, and do they comply with minimum security hardening standards? Who has remote access to my VM's? E.g. via ssh authorized_keys? Via cloud IAM's security policy? Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.

1. Digital Forensics and
Incident Response in the
Cloud
Dr. Michael Cohen
Velocidex Innovations.
https://www.velocidex.com/

2. Part 3: GRR and Velociraptor

3. ✘ Incident response tool developed by Google
✘ Agent based
✘ Written in Python
✘ Opensource
✘ Used internally by Google - battle tested
✗ Although not in quite the same configuration as
open source.
What is GRR?

4. Main GRR architecture
Frontend
Client
Worker
MySQL DB
Admin UI
Encrypted over HTTP

5. GRR Strengths
✘ Artifacts - a collaborative way of specifying
and sharing forensic artifacts
✘ Very easy to install
✘ Ability to do a “hunt” - collect the same data
across every node
✗ Can group hunts by label.
✘ Very good and intuitive UI
✗ This also has an external API surface.

6. GRR - Weaknesses
✘ Very intensive on DB
✗ Lots of traffic between components
✗ No clear data expiration path (policy is to collect
everything on all clients forever).
✘ Large files are stored in DB
✘ Building clients is hard due to Python.
✗ The GRR team has done lots of great work on
making this slightly easier but it’s hard to modify the
client.
✗ GRR client is inflexible but can run arbitrary code.

7. What is Velociraptor
✘ Still an immature project!
✘ The aim is to improve and build on GRR
✗ Client written in GO:
■ Makes it easier to deploy, package and rebuild.
✗ Supports VQL as the main mode of operation
■ Easier to adapt to changing requirements.
■ Very flexible.
✘ Open source, supported by Velocidex
Innovations.

8. What is OSQuery?
✘ A flexible tool that makes your OS look like a
database
✘ Use SQL SELECT queries to query the host OS

9. OSQuery
✘ Very flexible
✗ Can join 2 or more tables to make really powerful
queries.
"logged_in_users": {
"query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu,
processes p where liu.pid = p.pid;",
"interval" : "3600",
"platform": "posix",
"version" : "1.4.5",
"description" : "Retrieves the list of all the currently logged in users in the target
system.",
"value" : "Useful for intrusion detection and incident response. Verify assumptions of
what accounts should be accessing what systems and identify machines accessed during a
compromise."

10. What is VQL?
✘ An extension of SQL based on EFilter:
✗ Instead of tables, provides plugins which can take
arguments.
✗ Has a more natural progression of joining outputs
into input of plugins.
Subselect result is
presented as a
plugin arg

13. THANKS!
Any questions?
You can find me at
✘ mike@velocidex.com
✘ https://www.velocidex.com