Forensic Enablement for IaaS Clouds

Bryan Payne

June 04, 2014
Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise. Forensic Enablement for IaaS Clouds. Bryan D. Payne, June 4, 2014
  2. Today’s Talk
     •  Cloud
     •  Digital Forensics
     •  Cloud Forensics
     •  Discussion
  3. My Background
     •  Focused on security my entire career
     •  Spent a few years in school
  4. Cloud (diagram of cloud components: Internet, Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI, Clients)
  5. Forensics Use Cases
     •  Investigate security breaches
     •  Criminal investigations
     •  General systems understanding
  6. Trust Issues
     •  Convenience versus Trust
     •  Legal authority
     •  Chain of custody
     Reference: J. Dykstra and A. T. Sherman. Acquiring forensic evidence from IaaS cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation 9 (2012).
  7. Scope Issues
     •  So much data
        –  Scattered around the world
     •  Where to stop: Instance, node, cloud, or ??
  8. Tool Issues
     •  Standard tools aren’t “cloud ready”
     •  Specialist tools may be challenged in court
     •  Data integrity concerns
  9. More Tool Issues
     •  Tools not tested or certified
     •  Recovery of deleted data
        –  Violation of CSP privacy policies
        –  More technically challenging (sometimes)
     •  Complex software → complex forensics
  10. FROST
     •  Virtual disk images
     •  Host firewall logs
     •  API logs
     Reference: J. Dykstra and A. T. Sherman. Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation 10 (2013).
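Slides 6, 8 and 10 raise chain of custody and data integrity for the artifacts FROST returns (virtual disk images, host firewall logs, API logs). The Python below is an added example, not code from the deck or from FROST: it builds a hashed evidence manifest over constructed sample artifacts and verifies it, so a modified or missing artifact, or an edited manifest, is detected. The artifact contents, file names, instance id, collector and manifest field names are all made up for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts standing in for the three evidence types the deck
# lists for FROST (virtual disk image, host firewall log, API log); made up here.
ARTIFACTS = {
    "disk-image.raw": b"\x00" * 4096 + b"constructed-disk-image-bytes" + b"\x00" * 4096,
    "host-firewall.log": b"2014-06-04T12:00:01Z DROP src=203.0.113.7 dst=10.0.0.5 dport=22\n",
    "api.log": b'2014-06-04T12:00:05Z POST /servers/instance-placeholder/action {"reboot": {"type": "HARD"}}\n',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts, instance_id, collector):
    """Record each artifact's name, size and SHA-256 plus who collected it, from which
    instance and when; then hash the manifest itself so custody steps reference one value."""
    entries = [
        {"name": name, "bytes": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(artifacts.items())
    ]
    manifest = {
        "instance_id": instance_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }
    manifest["manifest_sha256"] = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return manifest

def manifest_intact(manifest):
    """True if the manifest body still matches its recorded hash."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode()) == manifest["manifest_sha256"]

def verify_artifacts(manifest, artifacts):
    """Names of artifacts whose current hash differs from the manifest or which
    are missing; an empty list means the evidence set is intact."""
    bad = []
    for entry in manifest["artifacts"]:
        data = artifacts.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(entry["name"])
    return bad

if __name__ == "__main__":
    m = build_manifest(ARTIFACTS, "instance-placeholder", "analyst@example")
    print(json.dumps(m, indent=2), "\nmismatches:", verify_artifacts(m, ARTIFACTS))
```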
  11. Volatility
     •  Extract information from RAM samples
     •  Extensible framework
     https://code.google.com/p/volatility/
  12. Actaeon
     •  Hypervisor-aware analysis from volatile memory dumps
     •  Volatility plugin
     http://www.s3.eurecom.fr/tools/actaeon/
  13. LibVMI
     •  Runtime memory analysis
     •  Create memory snapshots of VMs
     •  Interfaces with Volatility, via PyVMI
     https://github.com/bdpayne/libvmi