Presentation on Cloud Computing
Ohio HTCIA 2015 Spring Conference
Salt Fork Lodge
Welcome to Salt Fork Lodge
Hello & Welcome
Tony Godfrey is the CEO / Linux Consultant of
Falconer Technologies (est 2003) specializing in Linux.
He has written several articles on the body of
knowledge of security administration, is a regular
contributor to a variety of Linux publications, and has
written technical content for Linux education nationwide
at the college level.
He also teaches topics covering Linux, Network
Security, Cisco routers, Cybercrime and System
Forensics.
What is Cloud Computing?
Definition
Cloud Computing is a general term used to describe a
new class of network based computing that takes
place over the Internet…
basically a step on from Utility Computing
a collection/group of integrated and networked
hardware, software and Internet infrastructure
(called a platform).
Using the Internet for communication and
transport provides hardware, software and
networking services to clients
Utility Computing?
Utility Computing is a service provisioning model in
which a service provider makes computing resources
and infrastructure management available to the
customer as needed, and charges them for specific
usage rather than a flat rate.
Continued…
In addition, the platform provides on demand services,
that are always on, anywhere, anytime and any place.
Pay for use and as needed (elastic)
• scale up and down in capacity and functionalities
The hardware and software services are available to
• general public, enterprises, corporations and
business markets
Cloud computing is an umbrella term for…
A number of characteristics define cloud data,
applications services and infrastructure:
• Remotely hosted: Services or data are hosted on
remote infrastructure.
• Ubiquitous: Services or data are available from
anywhere.
• Commodified: The result is a utility computing
model similar to that of traditional
utilities, like gas and electricity.
Characteristics
Common Characteristics:
• Low Cost Software
• Virtualization
• Service Orientation
• Advanced Security
• Homogeneity
• Massive Scale
• Resilient Computing
• Geographic Distribution
Essential Characteristics:
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On Demand Self-Service
Flavors – How used?
SaaS – Software as a Service
IaaS – Infrastructure as a Service
PaaS – Platform as a Service
DaaS – Desktop as a Service
Different Cloud Platforms
Application Service (SaaS): MS Live/ExchangeLabs, IBM, Google Apps; Salesforce.com, Quicken Online, Zoho, Cisco
Application Platform: Google App Engine, Mosso, Force.com, Engine Yard, Facebook, Heroku, AWS
Server Platform: 3Tera, EC2, SliceHost, GoGrid, RightScale, Linode
Storage Platform: Amazon S3, Dell, Apple, ...
Deployment
Deployment
Public Cloud (off-site and remote) describes cloud
computing where resources are dynamically provisioned
on an on-demand, self-service basis over the Internet,
via web applications/web services, open API, from a
third-party provider who bills on a utility computing
basis.
Deployment
A Private Cloud environment is often the first step for
a corporation prior to adopting a public cloud initiative.
Corporations have discovered the benefits of
consolidating shared services on virtualized hardware
deployed from a primary datacenter to serve local and
remote users.
Deployment
A Hybrid Cloud environment consists of some portion
of computing resources on-site (on premise) and off-site
(public cloud). By integrating public cloud services, users
can leverage cloud solutions for specific functions that
are too costly to maintain on-premise such as virtual
server disaster recovery, backups and test/development
environments.
Deployment
A Community Cloud is formed when several
organizations with similar requirements share common
infrastructure. Costs are spread over fewer users than a
public cloud but more than a single tenant.
Basic Cloud Characteristics
Cloud is transparent to users and applications; they can
be built in multiple ways such as:
• branded products, proprietary open source,
hardware or software, or just off-the-shelf PCs.
In general, they are built on clusters of PC servers and
off-the-shelf components plus Open Source software
combined with in-house applications and/or system
software.
Cloud and Virtualization
• Run O/S where the physical hardware is unavailable
• Easy to create new machines, backup machines, etc.
• Software testing using “clean” installs of operating
systems and software
• Emulate more machines than are physically there
• Timeshare lightly loaded systems on one host
• Debug problems (suspend and resume the problem
machine)
• Run legacy systems!
Cloud Sourcing…Part #1
Why is it becoming a Big Deal:
• Using high-scale/low-cost providers,
• Any time/place access via web browser,
• Rapid scalability; incremental cost and load sharing,
• Can forget need to focus on local IT.
Cloud Sourcing…Part #2
Concerns:
• Performance, reliability, and SLAs,
• Control of data, and service parameters,
• Application features and choices,
• Interaction between Cloud providers,
• No standard API – mix of SOAP and REST!
  • API – Application Program Interface
  • SOAP – Simple Object Access Protocol
  • REST – Representational State Transfer
• Privacy, security, compliance, trust…
Cloud Offerings
Taxonomy
Cloud Crime?
The definition of computer crime will be extended to
cloud crime, which is basically any crime that involves
cloud computing in the sense that cloud can be the
subject, object, or tool related to the crimes.
The cloud is considered the object when the target of
the crime is the cloud service provider and is directly
affected by the act, such as with Distributed Denial of
Service (DDOS) attacks that target sections of the cloud
or the cloud itself as a whole.
Challenges & Forensics
Challenges – Part 1
In parallel there has been backlash against cloud
computing:
• Use of cloud computing means dependence on others
and that could possibly limit flexibility and
innovation:
The others are likely to become the bigger Internet
companies like Google and IBM, who may
monopolise the market.
Some argue that this use of supercomputers is a
return to the time of mainframe computing that
the PC was a reaction against.
Challenges – Part 2
• Security could prove to be a big issue:
It is still unclear how safe out-sourced data is and
when using these services ownership of data is
not always clear.
• There are also issues relating to policy and access:
If your data is stored abroad whose policy do you
adhere to?
What happens if the remote server goes down?
How will you then access files?
There have been cases of users being locked out
of accounts and losing access to data.
Cloud Forensics?
Is it possible?
Cloud forensics is the application of digital forensics in
cloud computing as a subset of network forensics.
Basically, it is a cross-discipline between cloud
computing and digital forensics. As per the official
definition of NIST:
“Digital Forensics is the application of science to the identification,
examination, collection, and analysis of data while preserving the
information and maintaining a strict chain of custody for the data.”
The Three Dimensions of Cloud Forensics
The Technical Dimension
The Organizational Dimension
Chain of Dependencies
The Three Dimensions of Cloud Forensics
The Technical Dimension – the technical dimension
involves a set of tools and procedures needed to carry
out the forensic process in cloud computing
environments. This includes forensic data collection,
elastic/static/live forensics, evidence segregation,
investigations in virtualized environments, and
proactive preparations.
The Three Dimensions of Cloud Forensics
The Organizational Dimension – when it comes to
forensic investigations in cloud computing
environments, two parties are always involved: the
cloud consumer and the CSP. When the CSP outsources
services to other parties, there is a tendency for the
scope of the investigation to widen. When establishing
the capacity of an organization to investigate cloud
anomalies, each cloud organization needs to create a
department, permanent or ad hoc, that would be in
charge of internal and external matters.
• CSP – Cloud Service Provider
The Three Dimensions of Cloud Forensics
Chain of Dependencies – CSPs and the majority of cloud apps
tend to have dependencies on other CSPs. These
dependencies can be highly dynamic, which means
investigation in such a situation will depend on the
investigations of each link in the chain, as well as the
level of complexity of the dependencies. Problems can
arise from interruption or corruption in any of the
numerous links in the chain or even due to lack of
coordination between all the parties involved.
Who needs to be involved?
The chain of Cloud Service Providers and Cloud Customers,
with the chain of dependencies between them taken
into account, has to collaborate and coordinate with
the following parties in order to achieve effective and
efficient forensic activities:
Law Enforcement
Third Parties
Academia
Legal Dimension?
First, the multi-jurisdiction and multi-tenancy
challenges which are considered as top level concerns
among digital forensic experts.
Second, regulations and agreements must be secured in
the legal dimension of cloud forensics in order to
ensure that the investigations will not violate any laws
or regulations in the area where the data is physically
stored.
Legal Dimension?
Third, measures must also be taken to ensure that the
privacy of other individuals or organization sharing the
infrastructure will not be compromised or violated
throughout the forensic activity.
Fourth, the Service Level Agreement or SLA, which
defines the terms of use between the cloud customer
and the cloud service provider.
Challenges to Cloud Forensics
The forensic capabilities for cloud organizations in
these three dimensions will be difficult without
hurdling several enormous challenges…
• The legal dimension currently has no agreements among
cloud organizations when it comes to collaborative
investigation
• The majority of SLAs have no terms and conditions
present when it comes to segregation of responsibilities
between the cloud service provider and customer.
Challenges to Cloud Forensics
The forensic capabilities for cloud organizations in
these three dimensions will be difficult without
hurdling several enormous challenges…
• Policies and Cyber laws from different regions must also
do their part in order to resolve conflicts and issues
arising from multi-jurisdiction investigations.
Challenges to Cloud Forensics
The cloud customer tends to encounter issues with
decreased access to forensic data depending on the
cloud model.
For instance, IaaS (Infrastructure as a Service) users
may enjoy straightforward and easy access to all data
required for forensic investigation, but SaaS (Software
as a Service) customers may not be able to access
the pertinent data they need.
Challenges to Cloud Forensics
Lack of access to forensic data means that the cloud
customer will be in the dark as to where their data is
physically located, and will only be able to specify the
location of their data at a higher level of abstraction,
typically as a virtual object (“container”).
This is because cloud service providers normally hide
the actual physical location of the data in order to help
data movement and replication.
Challenges to Cloud Forensics
The sheer number of endpoints, particularly mobile
ones, is one of the biggest challenges for data discovery
and evidence collation.
The sheer number of resources connected to the cloud
has a tendency to make the impact of crimes and the
workload of investigation even larger.
Challenges to Cloud Forensics
Time synchronization itself is vital when it comes to the
audit logs used as a source of evidence in the
investigations. Accurate time synchronization is one of
the major issues during network forensics.
The biggest problem is the fact that a cloud
environment needs to synchronize timestamps so that they
are consistent across different devices located over many
different time zones, between equipment, and remote
web clients that include numerous end points.
Challenges to Cloud Forensics
The consolidation of log formats is a traditional issue in
network forensics which is made worse by the scale
issues inherent in the cloud. This makes it even more
difficult to consolidate the log formats or make them
cross-compatible with each other due to the massive
resources present in the cloud.
Some providers intentionally create proprietary log
formats, which introduce major roadblocks in joint
investigations.
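The two challenges above (time synchronization and mixed log formats) worked through as an added example that is not part of the original slides: four constructed log lines in four formats are normalized to UTC and corrected for a documented clock skew before being merged into one timeline. The source names, skew values and log lines are assumptions made up for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Facts the examiner records per source (all values below are constructed):
#   skew - seconds to ADD to the device clock to match the reference clock
#   tz   - zone the device logs in, needed when the line itself carries none
#   year - syslog-style stamps omit the year
SOURCES = {
    "web-east": {"skew": 0},
    "fw-utc": {"skew": 0, "tz": timezone.utc, "year": 2015},
    "api-json": {"skew": 0},
    "hv-west": {"skew": 15},  # hypervisor clock measured 15 s slow
}

# Constructed sample lines; hosts, users and paths are illustrative only.
SAMPLES = [
    ("web-east", '192.0.2.10 - alice [12/May/2015:09:15:02 -0400] '
                 '"PUT /owncloud/remote.php/webdav/report.docx HTTP/1.1" 201 -'),
    ("fw-utc", "May 12 13:15:05 fw01 kernel: ACCEPT SRC=192.0.2.10 DPT=443"),
    ("api-json", '{"ts": 1431436510, "event": "share_created", "user": "alice"}'),
    ("hv-west", "2015-05-12T06:14:58-07:00 vm-42 snapshot deleted by alice"),
]

APACHE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))")
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_timestamp(source, line, apply_skew=True):
    """Return the event time of one log line as an aware UTC datetime."""
    meta = SOURCES[source]
    if line.lstrip().startswith("{"):
        # JSON record carrying epoch seconds, which are UTC by definition
        ts = datetime.fromtimestamp(json.loads(line)["ts"], tz=timezone.utc)
    elif (m := APACHE_RE.search(line)):
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    elif (m := ISO_RE.match(line)):
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    elif (m := SYSLOG_RE.match(line)):
        # No year and no zone in the line: refuse to guess either one
        if "tz" not in meta or "year" not in meta:
            raise ValueError(f"{source}: zone and year must be documented")
        ts = datetime.strptime(f"{meta['year']} {m.group(1)}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=meta["tz"])
    else:
        raise ValueError(f"{source}: unrecognised timestamp format")
    ts = ts.astimezone(timezone.utc)
    if apply_skew:
        ts += timedelta(seconds=meta["skew"])
    return ts


def build_timeline(records, apply_skew=True):
    """Sort (source, line) pairs by normalised time; raw lines stay untouched."""
    rows = [(parse_timestamp(src, line, apply_skew), src, line)
            for src, line in records]
    return sorted(rows, key=lambda row: row[0])


if __name__ == "__main__":
    for ts, src, line in build_timeline(SAMPLES):
        print(ts.isoformat(), src, line, sep="  ")
```

Without the skew correction the snapshot deletion sorts before the upload; with it, the deletion is the last event, which is why each source's offset has to be measured and recorded alongside the evidence.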
Challenges to Cloud Forensics
Similar to other technical forensics, removed data in
the cloud is considered as a vital piece of evidence.
For instance, Amazon’s AWS gives the right to change
the original snapshot only to the AWS account that
created the volume. Once the AWS account owner
deletes data within the domain, the removal of the
mapping starts immediately and is completed within
seconds.
Challenges to Cloud Forensics
After that, there is no longer any way to access the
deleted data remotely, and the storage space once
occupied by said data is made available for future write
operations, and it is very likely that the storage space
will be overwritten by newly stored data. While some
deleted data may still be recoverable from the
snapshot even after deletion, the challenge is in
recovering them, identifying the ownership, and using
the information as a means of plotting out what
happened in the cloud.
FaaS – Forensics as a Service?
Time synchronization itself is vital when it comes to the
audit logs used as a source of evidence in the
investigations. Accurate time synchronization is one of
the major issues during network forensics.
The biggest problem is the fact that a cloud
environment needs to synchronize timestamps so that they
are consistent across different devices located over many
different time zones, between equipment, and remote
web clients that include numerous end points.
Our Example: ownCloud
ownCloud
ownCloud is free and open source software that
operates as a very simple way to set up your own
syncing, Dropbox-like cloud storage system on your own
server or web site. It's also quick and easy to set up,
and doesn't require advanced technical knowledge.
ownCloud is about as powerful as Dropbox, but it also
allows people to make and share their own apps that
run on ownCloud including text editors, task lists, and
more. That means you can get a little more out of it
than just file syncing if you want.
ownCloud
OwnCloud
LifeHacker
SuSE Studio
ownCloud – VMware Settings
ownCloud – Startup Screen
ownCloud – root / linux
ownCloud – ifconfig
ownCloud – service apache2 status
ownCloud - /srv/www/htdocs/owncloud
ownCloud – /srv/www/htdocs/owncloud/config
ownCloud – config.php
ownCloud – data files
ownCloud – data files
ownCloud – deleted files
ownCloud
Demo
Web interface
Setting up users
Adding applications to your ‘cloud’
• https://apps.owncloud.com/
Access via laptop, tablet
Welcome Back…
ownCloud – restore data using TestDisk
Take a look at: TestDisk
From: http://cgsecurity.org
TestDisk
TestDisk is powerful free data recovery software! It was
primarily designed to help recover lost partitions
and/or make non-booting disks bootable again when
these symptoms are caused by faulty software: certain
types of viruses or human error (such as accidentally
deleting a Partition Table). Partition table recovery
using TestDisk is really easy.
TestDisk
TestDisk can…
• Fix partition table, recover deleted partition
• Recover FAT32 boot sector from its backup
• Rebuild FAT12/FAT16/FAT32 boot sector
• Fix FAT tables
• Rebuild NTFS boot sector
• Recover NTFS boot sector from its backup
• Fix MFT using MFT mirror
• Locate ext2/ext3/ext4 Backup SuperBlock
TestDisk
TestDisk can also…
• Undelete files from FAT, exFAT, NTFS and ext2
filesystem
• Copy files from deleted FAT, exFAT, NTFS and
ext2/ext3/ext4 partitions.
TestDisk
TestDisk has features for both novices and experts. For
those who know little or nothing about data recovery
techniques, TestDisk can be used to collect detailed
information about a non-booting drive which can then
be sent to a tech for further analysis. Those more
familiar with such procedures should find TestDisk a
handy tool in performing onsite recovery.
TestDisk – after the install
TestDisk – run against a disk / volume
TestDisk – Select a Partition Type
TestDisk – Disk Geometry
TestDisk – Partition Structure
TestDisk – Partition Analyzing
Presentation on Cloud Computing
Contact Info
TonyGodfrey@FalconerTechnologies.com
(216) 282-4TUX / (216) 282-4889

Editor's Notes

  • #7 Ref: http://searchdatacenter.techtarget.com/definition/utility-computing
  • #11 http://resources.infosecinstitute.com/overview-cloud-forensics/
  • #24 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #28 http://resources.infosecinstitute.com/overview-cloud-forensics/
  • #29 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #30 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #31 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #32 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #33 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #34 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #35 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #36 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #37 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #38 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #39 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #40 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #41 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #42 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #43 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #44 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #45 http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/
  • #48 https://owncloud.org/ http://lifehacker.com/5993596/how-to-set-up-your-own-private-cloud-storage-service-in-five-minutes-with-owncloud https://susestudio.com/a/TadMax/owncloud-in-a-box