Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Cloud Forensics - Bsides Colombia 2015
Search
ShieldNow
September 05, 2015
Technology
0
530
Cloud Forensics - Bsides Colombia 2015
ShieldNow
September 05, 2015
Tweet
Share
More Decks by ShieldNow
See All by ShieldNow
GPG
shieldnow
0
590
Guía TCPDump
shieldnow
0
570
Netcat
shieldnow
0
510
Other Decks in Technology
See All in Technology
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
3
1.7k
PHP開発者のためのSOLID原則再入門 #phpcon / PHP Conference Japan 2025
shogogg
4
920
AIとともに進化するエンジニアリング / Engineering-Evolving-with-AI_final.pdf
lycorptech_jp
PRO
0
140
Node-RED × MCP 勉強会 vol.1
1ftseabass
PRO
0
170
Should Our Project Join the CNCF? (Japanese Recap)
whywaita
PRO
0
290
より良いプロダクトの開発を目指して - 情報を中心としたプロダクト開発 #phpcon #phpcon2025
bengo4com
1
3.2k
Liquid Glass革新とSwiftUI/UIKit進化
fumiyasac0921
0
300
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
lycorptech_jp
PRO
0
150
Connect 100+を支える技術
kanyamaguc
0
140
データプラットフォーム技術におけるメダリオンアーキテクチャという考え方/DataPlatformWithMedallionArchitecture
smdmts
5
670
WordPressから ヘッドレスCMSへ! Storyblokへの移行プロセス
nyata
0
320
SpringBoot x TestContainerで実現するポータブル自動結合テスト
demaecan
0
110
Featured
See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Rails Girls Zürich Keynote
gr2m
94
14k
Facilitating Awesome Meetings
lara
54
6.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Testing 201, or: Great Expectations
jmmastey
42
7.6k
Thoughts on Productivity
jonyablonski
69
4.7k
RailsConf 2023
tenderlove
30
1.1k
What's in a price? How to price your products and services
michaelherold
246
12k
Transcript
Open Source Cloud Forensics B-Sides | Septiembre 2015
Methodology Collection Examination Analysis Reporting
Problem 1 • Physical Access • Host Contamination • Response
Time • Technical Expertise
Problem 2 • Size of Resources • Chain of custody
• Tools • Technical Expertise
Problem 3 Rackspace • Where is the data stored? •
Acquisition - Size of Resources • Chain of custody? • Live Forensics? • Legal Considerations?
Traditional Way Snapshot of VM Snapshot of storage volumes http://blogs.msdn.com/b/azuresecurity/archive/2015/08/14/azure-forensics-for-the-security-responder-how-i-learned-to-stop-worrying-and-love-the-cloud.aspx
Puppet The Master
The Master /etc/puppet/manifests/site.pp
The Master allowscp chrootpath = /home/ user=strigoi:033:000110: /etc/rssh.conf
Strigois (Puppet-Nodes) /etc/puppet/puppet.conf
Strigois (Puppet-Nodes) /etc/puppet/puppet.conf
The Master artefacto-worm1-105233.tar.xz artefacto-worm2-11.tar.xz artefacto-worm3-2846.tar.xz artefacto-worm4-106736.tar.xz artefacto-worm5-5413.tar.xz /home/strigoi/
The Master 2cf0de7966fcc238b12f42df621a6beee55dba17b39be620cd147295afebc0c9a6bd58a0270cfb160edd16fbf46e253 793e5eed943d57a2db1881d72e0c9d5c4 /tmp/artefacto/auth.log d13254e9a6d6d12af1765b099d14e3c8742b731c98993ded94783883946a84a3b7c46f2e587a58ab6965c313125d 77e039ec05e80c51e803a11d5d456005ed8c /tmp/artefacto/dataw 582939b8399b80852ea83500dd1ac244b2a3332212085777207e8166e0673f19b00623c903edb91f729626491f52 7e575b9f7b6157e07d2473da07a46952bff5
/tmp/artefacto/swap.swap 3f73d4a9591f5ba47c65a739ec8c0bf0c3a8f41bef778479374b4588af7e7009ba12a4405d9937925b7825e6f51974 ac28f628f6bfcfea58bf1994aa04f5d785 /tmp/artefacto/memorydump.lime 06f9deb3034b5cf649c7aa3e07430417a868e64e80930564a29f52d64d1d3e6a9edf651698f97f204c1777bc748e9b 653d39c7fd1c9521592332019c04a67cad /tmp/artefacto/messages 37ec32ee176380e81a2ce7e25eb30f662b5097d7a2fcd54af0960d29a14e01a03aac63202c906db0192a8c8cd4f6d f2a033d11c0c3879b8b4d3a8b85512babdc /tmp/artefacto/netdump.pcap /home/strigoi/artefacto-strigoiname-uptimeinsec.tar.xz
The Master auth.log: Auth OS log dataw: arp, netstat (udp/tcp),
ps, host info swap.swap: Swap Memory Dump memorydump.lime: Physical Memory Dump messages: Message OS Log netdump.pcap: 1000 network packets hash-f: Integrity hash (SHA512) /home/strigoi/artefacto-strigoiname-uptimeinsec.tar.xz
Incident Response Team ShieldNow Cloud VM VM VM Public Cloud
Host Info Network Packets Network Info OS/APP Logs Memory Dump Integrity Hash Forensic Analysis Solution
Solution VM VM VM Public / Private / Hybrid Cloud
Linux VM • Open Source Puppet • Volatility • Yara • Snort • The Sleuth Kit® (TSK) • log2timeline • Wireshark • Cryptcat • dc3dd • Foremost • netcat
Future Work Public / Private / Hybrid Cloud • Windows
Forensics Puppet + Sysinternals + PowerShell • Timestamping (thanks to Fernando Quintero @nonroot) • Automated Analysis • Web Front-End • Digital Chain of Custody • Automated Report
Learn Forensics Public / Private / Hybrid Cloud
Learn Forensics Public / Private / Hybrid Cloud • Windows
Forensics Puppet + Sysinternals + PowerShell • Automated Analysis • Web Front-End • Digital Chain of Custody • Automated Report
Learn Puppet Public / Private / Hybrid Cloud • Windows
Forensics Puppet + Sysinternals + PowerShell • Automated Analysis • Web Front-End • Digital Chain of Custody • Automated Report
Obey the Master!!! Thanks for your attention
shieldnow
oracle4engineer
shogogg
lycorptech_jp
1ftseabass
whywaita
bengo4com
fumiyasac0921
kanyamaguc
smdmts
nyata
demaecan
pedronauck
marcelosomers
gr2m
lara
zakiyama
addyosmani
morganepeng
jmmastey
jonyablonski
tenderlove
michaelherold
