Forensic Enablement for IaaS Clouds

Bryan Payne

June 04, 2014
Transcript

  1. © 2014 Nebula, Inc. All rights reserved.
     (cloud) Computing for the Enterprise
     Forensic Enablement for IaaS Clouds
     Bryan D. Payne, June 4, 2014
  2. Today’s Talk
     • Cloud
     • Digital Forensics
     • Cloud Forensics
     • Discussion
  3. My Background
     • Focused on security my entire career
     • Spent a few years in school
  4. [Diagram: Cloud, with surrounding labels Internet, Storage, Email, LDAP, NTP, VLAN, Tunnels, SIEM, DNS, PKI, Clients]
  5. Forensics Use Cases
     • Investigate security breaches
     • Criminal investigations
     • General systems understanding
  6. Trust Issues
     • Convenience versus Trust
     • Legal authority
     • Chain of custody
     J Dykstra and AT Sherman. Acquiring forensic evidence from IaaS cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigations 9 (2012).
  7. Scope Issues
     • So much data
       – Scattered around the world
     • Where to stop: Instance, node, cloud, or ??
  8. Tool Issues
     • Standard tools aren’t “cloud ready”
     • Specialist tools may be challenged in court
     • Data integrity concerns
  9. More Tool Issues
     • Tools not tested or certified
     • Recovery of deleted data
       – Violation of CSP privacy policies
       – More technically challenging (sometimes)
     • Complex software → complex forensics
  10. FROST
     • Virtual disk images
     • Host firewall logs
     • API logs
     J Dykstra and AT Sherman. Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigations 10 (2013).
  11. Volatility
     • Extract information from RAM samples
     • Extensible framework
     https://code.google.com/p/volatility/
  12. Actaeon
     • Hypervisor-aware analysis from volatile memory dumps
     • Volatility plugin
     http://www.s3.eurecom.fr/tools/actaeon/
  13. LibVMI
     • Runtime memory analysis
     • Create memory snapshots of VMs
     • Interfaces with Volatility, via PyVMI
     https://github.com/bdpayne/libvmi
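The "Trust Issues", "Tool Issues" and "FROST" slides raise chain of custody and data integrity for the artifacts a cloud acquisition collects (virtual disk image, host firewall log, API log). The following is an added example, not code from the talk, from Nebula or from FROST: it records a SHA-256 digest and a custody log for each acquired artifact, hashes the manifest itself so it can be stored or signed out of band, and later reports any artifact whose content no longer matches. The artifact contents, the examiner and node names, and the log lines are all constructed sample data.

```python
"""Evidence integrity manifest for cloud forensic artifacts (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts; a real acquisition would read these from
# the cloud node rather than from in-memory byte strings.
ARTIFACTS = {
    "instance-1234.qcow2": b"QFI\xfb" + b"\x00" * 60,  # fake disk image header
    "host-firewall.log": (
        b"2014-06-04T12:00:01Z DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 DPT=22\n"
        b"2014-06-04T12:00:03Z ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=443\n"
    ),
    "api.log": (
        b'2014-06-04T11:59:58Z tenant=abc user=alice POST /servers/1234/action {"reboot":{}}\n'
    ),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, acquired_by, source):
    """Record one digest per artifact plus who acquired it, from where and when."""
    now = datetime.now(timezone.utc).isoformat()
    entries = {
        name: {"sha256": sha256_hex(data), "size": len(data)}
        for name, data in artifacts.items()
    }
    return {
        "acquired_by": acquired_by,
        "source": source,
        "acquired_at": now,
        "artifacts": entries,
        # Every hand-off appends an event here; this list is the custody record.
        "custody": [{"at": now, "who": acquired_by, "action": "acquired"}],
    }


def record_transfer(manifest, who, action):
    """Append a custody event (e.g. hand-off to an evidence locker)."""
    manifest["custody"].append(
        {"at": datetime.now(timezone.utc).isoformat(), "who": who, "action": action}
    )
    return manifest


def verify(manifest, artifacts):
    """Return the sorted names of artifacts that are missing or whose digest changed."""
    bad = []
    for name, entry in manifest["artifacts"].items():
        data = artifacts.get(name)
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(name)
    return sorted(bad)


def manifest_digest(manifest) -> str:
    """Digest of the canonical JSON manifest; store or sign this out of band."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)


if __name__ == "__main__":
    m = build_manifest(ARTIFACTS, "examiner@example.invalid", "compute-node-07")
    record_transfer(m, "evidence-locker", "received")
    print(json.dumps(m, indent=2))
    print("manifest digest:", manifest_digest(m))
    # Simulate a post-acquisition modification of one artifact.
    tampered = dict(ARTIFACTS)
    tampered["api.log"] = ARTIFACTS["api.log"].replace(b"alice", b"bob")
    print("mismatches, original:", verify(m, ARTIFACTS))
    print("mismatches, tampered:", verify(m, tampered))
```

Hashing the manifest separately matters: a digest list that travels with the artifacts can be rewritten along with them, so the manifest digest (or a signature over it) is what gets recorded where the acquiring party cannot change it later.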