
By : Anupam Tiwari

The views expressed in this presentation are my own (Mere Apne). Reference to any specific products, process, or service does not necessarily constitute or imply endorsement, recommendation, or favoring by any Government.

ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION PURPOSE.

Not here
to

Basic Intro: Cloud Computing, Digital Forensics & Cloud Forensics

Challenges in Cloud Forensics

Case Study

Existing Digital Forensics Tools in a Cloud

Khatamm!!!! (The End)

If the Ramayana can be told in one SHLOK, why can't I cover CLOUD FORENSICS in 30 min?

Background knowledge of Cloud Computing, Digital Forensics & Cloud Forensics.

Service Models
SaaS
PaaS
IaaS

Deployment Models
Private
Public
Community
Hybrid

Essential Services

On-demand self service
Broad network access
Resource pooling
Rapid elasticity
Measured service

The CLOUD
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The Digital Forensics

The use of scientifically derived and proven methods toward the Preservation, Collection, Validation, Identification, Analysis, Interpretation and Documentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

CLOUD FORENSICS
Cloud forensics is the application of digital forensics science in cloud computing environments. Technically, it consists of a hybrid forensic approach (e.g., remote, virtual, network, live, large-scale, thin-client, thick-client) towards the generation of digital evidence.

Challenges in Cloud Forensics

Multiple Venues and Geo-locations
Geo-location unknowns can impact the Chain of Custody in finding evidence and identifying resources that are required for access to the system.

RAPID ELASTICITY
Capabilities can be Elastically Provisioned and released to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Deletion in the Cloud and Attributing Deleted Data to a specific user.
Deletion of nodes pointing to information in Virtual Instances. Whether the deletion of the information has been fully achieved needs to be assessed and proven. Likewise, CSPs offer a variety of sufficiently sophisticated mechanisms for access.

Volume of Data and Users

CSP may not implement sufficient methods for retrieving information.

Recovery of Deleted Data before it may be overwritten
Recovering deleted data overwritten by another user is a challenge because in a shared virtual environment there may not be a snapshot in time or other record that contains an image of the data before it was OVERWRITTEN.

No Real Time snapshot

Evidence Correlation across Multiple cloud Providers
Correlation of Activities across Cloud Providers is a challenge; interoperability is an issue.

Synchronization of Timestamps

Accurate Time Synchronization is made all the more challenging in a cloud environment as timestamps must be synchronized across multiple physical machines that are spread across multiple geographical regions.

Unification of Log Formats

The Unification of Log formats Challenge is exacerbated in the cloud because it is extremely difficult to unify log formats & make them convertible to each other across the massive resources available in the cloud. Furthermore, proprietary or unusual log formats of one party can become a major ISSUE.

Log formats

No standards with CSP
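The two slides above (timestamp synchronization and log-format unification) are where an examiner usually first gets bitten. The following is an added example, not from the deck: it parses two constructed log formats from two hypothetical providers, each stamping local time with a different UTC offset, normalises them to UTC, and only then builds a per-IP timeline. The formats, hostnames and sample lines are all made up for illustration.

```python
"""Normalise multi-provider log timestamps to UTC before correlating them.

Added example (not part of the original presentation). Provider A and B,
their log formats and the sample lines below are constructed placeholders.
"""
import re
from datetime import datetime, timezone

# Constructed sample: provider A logs Apache-style with a numeric UTC offset,
# provider B logs ISO-8601 local time with its own offset (+05:30).
PROVIDER_A = [
    '203.0.113.7 - - [12/Mar/2014:23:58:01 -0500] "GET /upload HTTP/1.1" 200 512',
    '198.51.100.4 - - [13/Mar/2014:05:01:10 +0000] "GET /index HTTP/1.1" 200 88',
]
PROVIDER_B = [
    '2014-03-13T10:29:00+05:30 src=203.0.113.7 action=download bytes=40960',
]

A_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
B_RE = re.compile(r'^(?P<ts>\S+) src=(?P<ip>\S+) action=(?P<act>\S+)')


def parse_a(line):
    """Provider A line -> unified event dict with a UTC timestamp, or None."""
    m = A_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')  # offset-aware
    return {'ts': ts.astimezone(timezone.utc), 'ip': m['ip'],
            'event': m['req'], 'src': 'A'}


def parse_b(line):
    """Provider B line -> unified event dict with a UTC timestamp, or None."""
    m = B_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m['ts'])  # keeps the +05:30 offset
    return {'ts': ts.astimezone(timezone.utc), 'ip': m['ip'],
            'event': m['act'], 'src': 'B'}


def unify(a_lines, b_lines):
    """Merge both sources into one list ordered by true (UTC) time."""
    events = [e for e in map(parse_a, a_lines) if e]
    events += [e for e in map(parse_b, b_lines) if e]
    return sorted(events, key=lambda e: e['ts'])


def by_ip(events):
    """Per-IP timeline: ip -> [(iso UTC time, source, event), ...]."""
    timeline = {}
    for e in events:
        timeline.setdefault(e['ip'], []).append(
            (e['ts'].isoformat(), e['src'], e['event']))
    return timeline
```

Read naively, provider B's 10:29 entry looks like the last event of the morning; in UTC it actually falls between the two provider A entries, which is exactly the ordering mistake the slides warn about.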

Use of MetaData

The use of metadata may be in peril since common fields (such as creation date, last modified date, last accessed date, etc.) may be changed as the data is migrated to and within the cloud.
For all stakeholders, authenticating with metadata within a cloud environment is a challenge as the data may change or not be preserved for e-discovery purposes.

Single Point of Failure
There is no Single point of Failure allowing criminals to be caught in a straightforward manner. A criminal organization can choose one cloud provider as a storage solution (e.g., Dropbox), obtain compute services from a second cloud provider (e.g., Amazon EC2), and route all of their communications through a third (e.g., Gmail or Pastebin).

You are under ARREST

Errors in Cloud Management Portal Configurations
Vulnerabilities in management portal applications provided by cloud Providers may be exploited by an unauthorized individual to gain control, reconfigure, or delete another cloud tenant's resources or applications.

For the investigator/evidence collector, it's challenging because multiple individuals are simultaneously using the same cloud management portal.

Lack of transparency
Triggers lack of trust and difficulties of auditing
For the investigator/evidence collector, collecting accurate, complete, traceable, auditable and forensically sound evidence is challenging because of multiple levels of computation outsourcing and lack of transparency.

Outsourcing

No standards with CSP

Cloud Confiscation and Resource Seizure
For investigators, confiscation and seizure of cloud resources to acquire evidence may pose a challenge because the business continuity of other tenants may be adversely affected.

Secure Provenance
For law enforcement, ensuring proper chain of custody and security of data, metadata, and possibly hardware is a challenge because it may be difficult to determine ownership, custody, or accurate location.

Chain of Custody of Data
Because of the distributed, multi-layered nature of cloud computing, the chain of custody of data may be impossible to verify: to determine exactly where the data was stored, who had access, and whether leakage or contamination of data was possible.
If data is stored in a cloud where multiple users and cloud Providers potentially have access, associating the data with the suspect beyond a reasonable doubt is a challenge.

Chain of dependencies in Multiple cloud systems
Cloud Providers often have dependencies on other cloud Providers. For example, a cloud Provider that provides an email application (SaaS) may depend on a third-party provider to host log files (i.e., PaaS), which in turn may rely on a partner who provides the infrastructure to store log files (IaaS).

Data Mirroring and Tracking the Movement of data
Data mirroring over multiple machines in different jurisdictions, as well as the lack of transparent, real-time information about data locations, introduces difficulties in forensic investigations.

Data Available for a Limited time
No research has been conducted on determining what data is associated with removed VM instances. If a new VM instance is created and either compromised or used to attack, evidential traces may be available in the VM. If the VM instance is then de-allocated, investigators currently do not know whether evidential traces or the entire VM instance could be recovered.

Dynamic Storage
Some cloud Providers dynamically allocate storage based on the current needs of the user. As data is deleted from the system, the storage is re-allocated to optimize data reads and storage use.

For all stakeholders, data collection of evidence is a challenge because of the dynamic allocation of storage, and systems that scavenge storage after an item is deleted.

Imaging the CLOUD

For forensics examiners, law enforcement, and the courts, imaging evidence in the cloud is a challenge because imaging all evidence in the cloud is impractical, while partial imaging may have legal implications in the presentation to the court.

No standards with CSP

Ambiguous Trust Boundaries
For investigators/evidence collectors, obtaining a non-corrupted, complete set of data for forensic evidence poses a challenge in multi-tenant cloud environments because not all vendors implement vertical isolation for consumers' data.

MULTI TENANCY
In cloud computing, multiple VMs can share the same physical infrastructure, i.e., data for multiple customers may be co-located. This nature of clouds is different from the traditional single owner computer system.

Issues can arise.

MULTI TENANCY
First, how to prove that data were not commingled with other users' data?

Secondly, how to preserve the privacy of other tenants while performing an investigation?

Both of these issues also bring the Side-Channel Attacks that are difficult to investigate.

Researchers at UC San Diego demonstrated that it was possible to locate a particular virtual machine (VM) in Amazon Elastic Compute Cloud (EC2) and mount side-channel attacks by co-locating a new VM with the target.

VOLATILE DATA

Volatile data cannot sustain without power. When we turn off a Virtual Machine (VM), all the data will be lost if we do not have the image of the instance.

Polly is a criminal who traffics in Child Pornography

He has set up a Service in the cloud to store a large collection of contraband images and video.

The website allows users to upload and download this content anonymously.

He pays for his cloud services with a pre-paid credit card purchased with cash.

Polly encrypts his data in cloud storage, and he reverts his virtual web server to a clean state daily.

Law Enforcement is tipped off to the website and wishes both to Terminate the Service and Prosecute the criminal.

Law enforcement first contacts the cloud provider with a temporary restraining order to suspend the offending service and account, and a preservation letter to preserve evidence pending a warrant.

Onus on the Forensic Examiner to piece together a circumstantial case based on the data available.

The examiner has no way to image the virtual machine remotely since the cloud provider does not expose that functionality, and in doing so would alter the state of the machine anyway.

Deploying a remote forensic agent, such as EnCase Enterprise, would require the suspect's credentials, and functionality of this remote technique within the cloud is unknown.

With no case law or standard methodology on the matter, the typical investigator may be tempted to attempt standard practices in digital evidence collection.

With proper recording and documentation, the investigator accesses the offending website, takes snapshots or videotapes the collection of the evidence, and saves the web pages locally.

Viewing the target website is enough to confirm that the content is illegal, but it tells us nothing about who put it there!!!!

..and No guarantee can yet be made that the target webserver has not been compromised by an attacker.

Credit Card Payment Information
Cloud Subscriber Information
Cloud Provider Access Logs
Cloud Provider NetFlow logs
Web Server virtual machine
Cloud Storage data

Law enforcement can issue a search warrant to the cloud provider, which is adequate to compel the provider to provide any of this information that they possess.

The warrant specifies that the data returned be an Exact Duplicate.
A technician at the provider executes the search order from his or her workstation, copying data from the provider's infrastructure and verifying data integrity with hashes of the files. Distributed files across many physical machines are reassembled automatically as the technician accesses them.

With no implicit guarantees of trust in the technician nor in the technician's computer or tools, the provider nonetheless completes the request.

Two Terabytes of stored data belonging to Polly are identified.

To transfer that quantity of data, the provider saves it to an external hard drive and delivers it to law enforcement by mail.
CSP is able to produce account information including:
10MB of access logs,
100MB of NetFlow records,
20GB Virtual Machine Snapshot.

After validating the integrity of the data, the forensic examiner is now tasked with analysis.
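The hand-over above rests on file hashes computed by a technician the examiner has no reason to trust, so the examiner must re-hash on receipt against the manifest that accompanied the drive. The following is an added example, not from the deck or any provider: a minimal SHA-256 manifest built on the provider side and re-verified on the examiner side, exercised on a constructed temporary directory in which one file is altered and one goes missing in transit. The manifest layout (relative path to hex digest) is an assumption.

```python
"""Evidence hand-over integrity check: build a hash manifest, then verify it.

Added example (not part of the original presentation). File names and
contents are constructed; the manifest format is an assumed convention.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so multi-GB snapshots fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Provider side: map every relative path under root to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Examiner side: {path: reason} for every file that is altered,
    missing, or present on the drive but absent from the manifest."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems[rel] = 'missing'
        elif sha256_file(full) != expected:
            problems[rel] = 'hash mismatch'
    for rel in build_manifest(root):
        if rel not in manifest:
            problems[rel] = 'not in manifest'
    return problems


def demo():
    """Constructed hand-over: three files, one altered and one lost in transit."""
    with tempfile.TemporaryDirectory() as root:
        files = {'access.log': b'203.0.113.7 GET /upload\n',
                 'netflow.bin': b'\x00\x01\x02', 'vm.snap': b'QFI\xfb'}
        for rel, data in files.items():
            with open(os.path.join(root, rel), 'wb') as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)       # expected: no problems
        with open(os.path.join(root, 'access.log'), 'ab') as f:
            f.write(b'extra line\n')                  # simulated alteration
        os.remove(os.path.join(root, 'netflow.bin'))  # simulated loss
        tampered = verify_manifest(root, manifest)
    return clean, tampered
```

A manifest only proves the drive matches what the technician hashed; it says nothing about whether the technician's copy matched the live infrastructure, which is the trust gap the slide describes.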

Understand how the web service works, especially how it encrypts/decrypts data from storage.

Find keys to decrypt storage data, and use them to decrypt the data.
Confirm the presence of child pornography.
Analyze logs to identify possible IP addresses of the criminal.

Forensic Toolkit (FTK) product took 38.25 hours on a low-end workstation to dig the dump.
At that rate, 2TB of data could take 85 hours of processing time.

Though with Extra Payment customers can get persistent storage, this is not common for small or medium scale business organizations.

Persistence in computer science refers to the characteristic of state that outlives the process that created it. Without this capability, state would only exist in RAM, and would be lost when this RAM loses power, such as a computer shutdown.

EXTRACTING DATA FROM AMAZON EC2

Due to the Distributed and Elastic characteristics of Cloud Computing, the available Forensic Tools cannot cope with this environment.

> answerdena.py

BUILDING A TRUST MODEL

LOGGING
When to log, What to log and How to log.

CLOUD MANAGEMENT PLANE

An Exhaustive web Based Management console like AWS management console.

VIRTUAL MACHINE INTROSPECTION

Virtual Machine Introspection (VMI) is the process of externally monitoring the runtime state of a VM from either the Virtual Machine Monitor (VMM), or from some virtual machine other than the one being examined.
Allows a live forensic analysis of the system, while keeping the target system unchanged.

CONTINUOUS SYNCHRONIZATION

ISOLATING A CLOUD INSTANCE

A Cloud Instance must be isolated if any incident takes place on that instance. Isolation is necessary because it helps to protect evidence from contamination. However, as multiple instances can be located on one node, this task becomes challenging.

Provenance in Clouds
Cloud provenance can be:
Data provenance: Who created, modified, deleted data stored in a cloud (external entities change data)
Process provenance: What happened to data once it was inside the cloud (internal entities change data)

Cybercrime and Cloud Forensics: Applications for Investigation Processes, IGI Global
Cloud Forensic Reference Architecture (CFRA)
Cloud Forensic Maturity Model (CFMM)
UCD CCI: Cloud Forensic Capability and Requirement Study for EU Law Enforcement
NIST Cloud Computing Forensic Science Working Group
CSA Cloud Forensics and Incident Management Working Group

CAN YOU PREPARE FOR CLOUD FORENSICS?

The key to avoiding much of this pain is being prepared before an incident occurs.
Once you become a CUSTOMER, you have lost much of your LEVERAGE..

Some of the things you should consider negotiating:

The provider will notify you immediately if there is any type of breach on the provider's system since it may impact your data.

The provider will allow you access to the servers or system so you can self-collect.

Determine what type of data the provider collects, how long the provider holds it, and if the provider will store this data for you for a longer period of time.

Determine if the provider actually owns and controls the servers.

Determine where, in what state, states, or country, your data will be stored so you can determine which laws may apply.

I'm at
- anupam605@gmail.com
- anupam.tiwari@nic.in

SIDE-CHANNEL ATTACKS
Using the Amazon EC2 service as a case study, we show that
it is possible to map the internal cloud infrastructure, identify
where a particular target VM is likely to reside, and then
instantiate new VMs until one is placed co-resident with the
target. We explore how such placement can then be used to
mount cross-VM side-channel attacks to extract information
from a target VM on the same machine.

Source: http://cloudsecurity.org/blog/2009/08/31/cloud-cartography-sidechannel-attacks.html

SLAs in Reference Architecture for a Cloud Forensic Readiness System

Communicate with each other via dedicated Open Virtualization Format (OVF) channels

Microsoft and Amazon declined to comment about their compliance abilities in this situation
