Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Forensic Enablement for IaaS Clouds

Bryan Payne
June 04, 2014
Technology
0
76

Forensic Enablement for IaaS Clouds

Bryan Payne

June 04, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
220
BLESS: Better Security and Ops for SSH Access
bdpayne
3
680
Securing Containers the Netflix Way
bdpayne
1
2.1k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
810
Platform Security Jobs at Netflix
bdpayne
0
840
Improving Cloud Security with Attacker Profiling
bdpayne
2
810
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.6k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
190
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.6k

Other Decks in Technology

See All in Technology
分散トレーシングとOpenTelemetryのススメ 超入門編
k6s4i53rx
4
890
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.3k
Virtual Threads - 導入の背景と、効果的な使い方 -
skrb
2
340
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
550
Spotify API を使ったアイマス楽曲の楽しみ方
takemikami
0
150
Evolving ML Platform with OSS Upstream Community
y_iwai
0
270
Watson Assistant チャットボットと連携するアプリ開発体験 (会話フロー作成・API会話編)
teruterubohz_ibm
0
100
microCMS AI
microcms
0
600
Predictive back transition Animation on Android 14
line_developers
PRO
1
560
フィンテックとは何か / What is FinTech?
ks91
PRO
0
130
Blueskyの「今」がわかる!Bot
lamrongol
0
170
GO TechTalk #19 タクシーアプリ『GO』事業成長を支えるデータ分析基盤の継続的改善!
mot_techtalk
2
1.1k

Featured

See All Featured
For a Future-Friendly Web
brad_frost
166
8k
Designing for Performance
lara
601
65k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
351
21k
The Invisible Side of Design
smashingmag
292
49k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
Raft: Consensus for Rubyists
vanstee
130
5.8k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Teambox: Starting and Learning
jrom
124
8k
Why Our Code Smells
bkeepers
PRO
327
55k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Writing Fast Ruby
sferik
613
58k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved.
    (cloud) Computing for the Enterprise
    Forensic Enablement for IaaS Clouds
    Bryan D. Payne
    June 4, 2014

    View Slide

  2. © 2014 Nebula, Inc. All rights reserved.
    Today’s Talk
    •  Cloud
    •  Digital Forensics
    •  Cloud Forensics
    •  Discussion

    View Slide

  3. © 2014 Nebula, Inc. All rights reserved.
    My Background
    •  Focused on security my entire career
    •  Spent a few years in school

    View Slide

  4. © 2014 Nebula, Inc. All rights reserved.
    CLOUD

    View Slide

  5. © 2014 Nebula, Inc. All rights reserved.
    What  is  a  Cloud?  

    View Slide

  6. © 2014 Nebula, Inc. All rights reserved.

    View Slide

  7. © 2014 Nebula, Inc. All rights reserved.
    Public   Private  

    View Slide

  8. © 2014 Nebula, Inc. All rights reserved.
    Cloud  
    Internet  
    Storage  
    Email  
    LDAP  
    NTP  
    VLAN  Tunnels  
    SIEM  
    DNS  
    PKI  
    Clients  

    View Slide

  9. © 2014 Nebula, Inc. All rights reserved.
    DIGITAL FORENSICS

    View Slide

  10. © 2014 Nebula, Inc. All rights reserved.
    Forensics Use Cases
    •  Investigate security breaches
    •  Criminal investigations
    •  General systems understanding

    View Slide

  11. © 2014 Nebula, Inc. All rights reserved.
    Forensic Process

    View Slide

  12. © 2014 Nebula, Inc. All rights reserved.
    Traditional Forensics

    View Slide

  13. © 2014 Nebula, Inc. All rights reserved.
    Established Tools

    View Slide

  14. © 2014 Nebula, Inc. All rights reserved.
    Established Processes

    View Slide

  15. © 2014 Nebula, Inc. All rights reserved.
    CLOUD FORENSICS

    View Slide

  16. © 2014 Nebula, Inc. All rights reserved.
    Collection: Who collects?

    View Slide

  17. © 2014 Nebula, Inc. All rights reserved.
    Trust Issues
    •  Convenience versus Trust
    •  Legal authority
    •  Chain of custody
    J  Dykstra  and  AT  Sherman.  Acquiring  forensic  evidence  from  IaaS  cloud  compu6ng:  Exploring  and  
    evalua6ng  tools,  trust,  and  techniques.  Digital  InvesFgaFons  9  (2012).  

    View Slide

  18. © 2014 Nebula, Inc. All rights reserved.
    Collection: What to collect?

    View Slide

  19. © 2014 Nebula, Inc. All rights reserved.
    Scope Issues
    •  So much data
    –  Scattered around the world
    •  Where to stop: Instance, node, cloud, or ??

    View Slide

  20. © 2014 Nebula, Inc. All rights reserved.
    Collection: How to collect?

    View Slide

  21. © 2014 Nebula, Inc. All rights reserved.
    Tool Issues
    •  Standard tools aren’t “cloud ready”
    •  Specialist tools may be challenged in court
    •  Data integrity concerns

    View Slide

  22. © 2014 Nebula, Inc. All rights reserved.
    Examination: How to interpret data?

    View Slide

  23. © 2014 Nebula, Inc. All rights reserved.
    More Tool Issues
    •  Tools not tested or certified
    •  Recovery of deleted data
    –  Violation of CSP privacy policies
    –  More technically challenging (sometimes)
    •  Complex software à complex forensics

    View Slide

  24. © 2014 Nebula, Inc. All rights reserved.
    Examination: Decryption challenges?

    View Slide

  25. © 2014 Nebula, Inc. All rights reserved.
    Examination: Use the cloud?

    View Slide

  26. © 2014 Nebula, Inc. All rights reserved.
    Analysis / Reporting: Explain all of this?

    View Slide

  27. © 2014 Nebula, Inc. All rights reserved.
    LOOKING FORWARD

    View Slide

  28. © 2014 Nebula, Inc. All rights reserved.
    FROST
    •  Virtual disk images
    •  Host firewall logs
    •  API logs
    J  Dykstra  and  AT  Sherman.  Design  and  implementa6on  of  FROST:  Digital  forensic  tools  for  the  
    OpenStack  cloud  compu6ng  plaCorm.  Digital  InvesFgaFons  10  (2013).  

    View Slide

  29. © 2014 Nebula, Inc. All rights reserved.
    Volatility
    •  Extract information
    from RAM samples
    •  Extensible framework
    hNps://code.google.com/p/volaFlity/  

    View Slide

  30. © 2014 Nebula, Inc. All rights reserved.
    Actaeon
    •  Hypervisor-aware
    analysis from volatile
    memory dumps
    •  Volatility plugin
    hNp://www.s3.eurecom.fr/tools/actaeon/  

    View Slide

  31. © 2014 Nebula, Inc. All rights reserved.
    LibVMI
    •  Runtime memory
    analysis
    •  Create memory
    snapshots of VMs
    •  Interfaces with
    Volatility, via PyVMI
    hNps://github.com/bdpayne/libvmi  

    View Slide

  32. © 2014 Nebula, Inc. All rights reserved.
    Email:  [email protected]  
    TwiNer:  @bdpsecurity  

    View Slide