Forensic Enablement for IaaS Clouds

Bryan Payne

June 04, 2014

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise. Forensic Enablement for IaaS Clouds. Bryan D. Payne, June 4, 2014
  2. Today's Talk • Cloud • Digital Forensics • Cloud Forensics • Discussion
  3. My Background • Focused on security my entire career • Spent a few years in school
  4. CLOUD
  5. What is a Cloud?
  6. (image only)
  7. Public / Private
  8. (diagram: Cloud, Internet, Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI, Clients)
  9. DIGITAL FORENSICS
  10. Forensics Use Cases • Investigate security breaches • Criminal investigations • General systems understanding
  11. Forensic Process
  12. Traditional Forensics
  13. Established Tools
  14. Established Processes
  15. CLOUD FORENSICS
  16. Collection: Who collects?
  17. Trust Issues • Convenience versus Trust • Legal authority • Chain of custody. J. Dykstra and A. T. Sherman. Acquiring forensic evidence from IaaS cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation 9 (2012).
  18. Collection: What to collect?
  19. Scope Issues • So much data – Scattered around the world • Where to stop: Instance, node, cloud, or ??
  20. Collection: How to collect?
  21. Tool Issues • Standard tools aren't "cloud ready" • Specialist tools may be challenged in court • Data integrity concerns
  22. Examination: How to interpret data?
  23. More Tool Issues • Tools not tested or certified • Recovery of deleted data – Violation of CSP privacy policies – More technically challenging (sometimes) • Complex software → complex forensics
  24. Examination: Decryption challenges?
  25. Examination: Use the cloud?
  26. Analysis / Reporting: Explain all of this?
  27. LOOKING FORWARD
  28. FROST • Virtual disk images • Host firewall logs • API logs. J. Dykstra and A. T. Sherman. Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation 10 (2013).
  29. Volatility • Extract information from RAM samples • Extensible framework. https://code.google.com/p/volatility/
  30. Actaeon • Hypervisor-aware analysis from volatile memory dumps • Volatility plugin. http://www.s3.eurecom.fr/tools/actaeon/
  31. LibVMI • Runtime memory analysis • Create memory snapshots of VMs • Interfaces with Volatility, via PyVMI. https://github.com/bdpayne/libvmi
  32. Email: bryan.payne@nebula.com. Twitter: @bdpsecurity