Forensic Enablement for IaaS Clouds

Bryan Payne

June 04, 2014

Transcript

  1. © 2014 Nebula, Inc. All rights reserved.
    (cloud) Computing for the Enterprise
    Forensic Enablement for IaaS Clouds
    Bryan D. Payne
    June 4, 2014

  2. Today’s Talk
    •  Cloud
    •  Digital Forensics
    •  Cloud Forensics
    •  Discussion

  3. My Background
    •  Focused on security my entire career
    •  Spent a few years in school

  4. CLOUD

  5. What is a Cloud?

  6. [image-only slide, no transcript text]

  7. Public / Private

  8. Cloud
    Diagram labels: Internet, Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI, Clients

  9. DIGITAL FORENSICS

  10. Forensics Use Cases
    •  Investigate security breaches
    •  Criminal investigations
    •  General systems understanding

  11. Forensic Process

  12. Traditional Forensics

  13. Established Tools

  14. Established Processes

  15. CLOUD FORENSICS

  16. Collection: Who collects?

  17. Trust Issues
    •  Convenience versus Trust
    •  Legal authority
    •  Chain of custody
    J. Dykstra and A. T. Sherman. Acquiring forensic evidence from IaaS cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigations 9 (2012).

  18. Collection: What to collect?

  19. Scope Issues
    •  So much data
    –  Scattered around the world
    •  Where to stop: Instance, node, cloud, or ??

  20. Collection: How to collect?

  21. Tool Issues
    •  Standard tools aren’t “cloud ready”
    •  Specialist tools may be challenged in court
    •  Data integrity concerns

  22. Examination: How to interpret data?

  23. More Tool Issues
    •  Tools not tested or certified
    •  Recovery of deleted data
    –  Violation of CSP privacy policies
    –  More technically challenging (sometimes)
    •  Complex software → complex forensics

  24. Examination: Decryption challenges?

  25. Examination: Use the cloud?

  26. Analysis / Reporting: Explain all of this?

  27. LOOKING FORWARD

  28. FROST
    •  Virtual disk images
    •  Host firewall logs
    •  API logs
    J. Dykstra and A. T. Sherman. Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigations 10 (2013).

  29. Volatility
    •  Extract information from RAM samples
    •  Extensible framework
    https://code.google.com/p/volatility/

  30. Actaeon
    •  Hypervisor-aware analysis from volatile memory dumps
    •  Volatility plugin
    http://www.s3.eurecom.fr/tools/actaeon/

  31. LibVMI
    •  Runtime memory analysis
    •  Create memory snapshots of VMs
    •  Interfaces with Volatility, via PyVMI
    https://github.com/bdpayne/libvmi

  32. Email: [email protected]
    Twitter: @bdpsecurity