Cloud Forensics - Bsides Colombia 2015
ShieldNow
September 05, 2015
Technology
Transcript
Open Source Cloud Forensics | B-Sides | September 2015
Methodology • Collection • Examination • Analysis • Reporting
Problem 1 • Physical Access • Host Contamination • Response Time • Technical Expertise
Problem 2 • Size of Resources • Chain of custody • Tools • Technical Expertise
Problem 3 (Rackspace) • Where is the data stored? • Acquisition - Size of Resources • Chain of custody? • Live Forensics? • Legal Considerations?
Traditional Way • Snapshot of VM • Snapshot of storage volumes
Reference: http://blogs.msdn.com/b/azuresecurity/archive/2015/08/14/azure-forensics-for-the-security-responder-how-i-learned-to-stop-worrying-and-love-the-cloud.aspx
Puppet: The Master
The Master: /etc/puppet/manifests/site.pp
The Master: /etc/rssh.conf (restricted shell for the collection account)
allowscp
chrootpath = /home/
user=strigoi:033:000110:
Strigois (Puppet nodes): /etc/puppet/puppet.conf
The Master: bundles received in /home/strigoi/
artefacto-worm1-105233.tar.xz
artefacto-worm2-11.tar.xz
artefacto-worm3-2846.tar.xz
artefacto-worm4-106736.tar.xz
artefacto-worm5-5413.tar.xz
The Master: SHA512 integrity listing (hash-f) for one unpacked bundle, /home/strigoi/artefacto-strigoiname-uptimeinsec.tar.xz
2cf0de7966fcc238b12f42df621a6beee55dba17b39be620cd147295afebc0c9a6bd58a0270cfb160edd16fbf46e253793e5eed943d57a2db1881d72e0c9d5c4  /tmp/artefacto/auth.log
d13254e9a6d6d12af1765b099d14e3c8742b731c98993ded94783883946a84a3b7c46f2e587a58ab6965c313125d77e039ec05e80c51e803a11d5d456005ed8c  /tmp/artefacto/dataw
582939b8399b80852ea83500dd1ac244b2a3332212085777207e8166e0673f19b00623c903edb91f729626491f527e575b9f7b6157e07d2473da07a46952bff5  /tmp/artefacto/swap.swap
3f73d4a9591f5ba47c65a739ec8c0bf0c3a8f41bef778479374b4588af7e7009ba12a4405d9937925b7825e6f51974ac28f628f6bfcfea58bf1994aa04f5d785  /tmp/artefacto/memorydump.lime
06f9deb3034b5cf649c7aa3e07430417a868e64e80930564a29f52d64d1d3e6a9edf651698f97f204c1777bc748e9b653d39c7fd1c9521592332019c04a67cad  /tmp/artefacto/messages
37ec32ee176380e81a2ce7e25eb30f662b5097d7a2fcd54af0960d29a14e01a03aac63202c906db0192a8c8cd4f6df2a033d11c0c3879b8b4d3a8b85512babdc  /tmp/artefacto/netdump.pcap
The Master: contents of /home/strigoi/artefacto-strigoiname-uptimeinsec.tar.xz
• auth.log: Auth OS log
• dataw: arp, netstat (udp/tcp), ps, host info
• swap.swap: Swap memory dump
• memorydump.lime: Physical memory dump
• messages: Message OS log
• netdump.pcap: 1000 network packets
• hash-f: Integrity hash (SHA512)
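The collector behind the bundle layout above, written here as an added example rather than taken from the ShieldNow deck. It stages the volatile host data and OS logs into a directory, writes the SHA512 manifest (hash-f, in the same `sha512sum` format as the Master's listing), verifies it, and packs the result as artefacto-<host>-<uptime>.tar.xz. The function names, the SKIPPED note, and the choice to fall back between `ip`/`arp` and `ss`/`netstat` are assumptions; the memory dump (LiME) and the 1000-packet capture from the deck need root, a kernel module and tcpdump, so this version records them as skipped instead of faking them.

```shell
#!/bin/sh
# Added example (not the deck's own script). Stages the artefacts a Strigoi
# node would ship to the Master, hashes them, and bundles them.

collect_artefacts() {
  outdir="$1"
  mkdir -p "$outdir" || return 1
  # dataw: arp, netstat (udp/tcp), ps, host info; each tool is optional
  {
    echo "== host =="; uname -a; date -u
    echo "== arp =="
    ip neigh 2>/dev/null || arp -an 2>/dev/null || echo "(no arp tool)"
    echo "== netstat =="
    ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || echo "(no netstat tool)"
    echo "== ps =="
    ps -ef 2>/dev/null || ps 2>/dev/null || echo "(no ps)"
  } > "$outdir/dataw" 2>/dev/null
  # OS logs: copied only when present and readable by the collection account
  for f in /var/log/auth.log /var/log/messages; do
    if [ -r "$f" ]; then cp "$f" "$outdir/"; fi
  done
  # Privileged items are noted so the analyst sees why they are absent
  echo "memorydump.lime and netdump.pcap skipped: need root, LiME module, tcpdump" \
    > "$outdir/SKIPPED"
}

make_manifest() {
  dir="$1"
  # "<sha512>  <path>" per file; relative paths so -c works on any copy
  ( cd "$dir" && find . -type f ! -name hash-f | sort | while IFS= read -r f; do
      sha512sum "$f"
    done ) > "$dir/hash-f"
}

verify_manifest() {
  dir="$1"
  # exit status 0 only if every listed file still matches its hash
  ( cd "$dir" && sha512sum -c hash-f ) > /dev/null 2>&1
}

bundle_artefacts() {
  dir="$1"; dest="$2"
  up=$(cut -d. -f1 /proc/uptime 2>/dev/null || echo 0)
  name="artefacto-$(uname -n)-${up}.tar.xz"
  tar -C "$dir" -cJf "$dest/$name" . || return 1
  echo "$name"
}

# Usage (as the unprivileged collection account):
#   collect_artefacts /tmp/artefacto && make_manifest /tmp/artefacto \
#     && verify_manifest /tmp/artefacto && bundle_artefacts /tmp/artefacto /home/strigoi
```

Verifying hash-f on the Master after transfer, not only on the node, is what turns the listing into a chain-of-custody check: the rssh account can only scp the tarball in, and any change between collection and examination shows up as a `sha512sum -c` mismatch.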
Architecture: Incident Response Team → ShieldNow Cloud → Public Cloud (VM, VM, VM)
Inputs: Host Info • Network Packets • Network Info • OS/APP Logs • Memory Dump • Integrity Hash → Forensic Analysis Solution
Solution: VMs across Public / Private / Hybrid Cloud
Linux VM • Open Source Puppet • Volatility • Yara • Snort • The Sleuth Kit® (TSK) • log2timeline • Wireshark • Cryptcat • dc3dd • Foremost • netcat
Future Work (Public / Private / Hybrid Cloud) • Windows Forensics: Puppet + Sysinternals + PowerShell • Timestamping (thanks to Fernando Quintero @nonroot) • Automated Analysis • Web Front-End • Digital Chain of Custody • Automated Report
Learn Forensics / Learn Puppet (closing slides, repeating the Future Work list: Public / Private / Hybrid Cloud • Windows Forensics: Puppet + Sysinternals + PowerShell • Automated Analysis • Web Front-End • Digital Chain of Custody • Automated Report)
Obey the Master!!! Thanks for your attention