Cloud Forensics
An Overview of Cloud Computing
History of the Cloud
- The idea of cloud computing was created by Dr. J. C. R. Licklider, the director of the U.S. Department of Defense’s Advanced Research Projects Agency (ARPA), and Professor John McCarthy of MIT.
- In 1961, McCarthy advocated offering software and computing resources to the public as a utility, much like how the public can use water, sewage, and electricity.
- Dr. Licklider proposed connecting programs and data to share resources in 1963.
- To design a method of sharing networked resources, the ARPA Program Plan No. 723 on Resource Sharing Computer Networks was launched in 1968.
- It ultimately evolved into the Advanced Research Projects Agency Network (ARPANET), which later turned into the Internet.
- In order to enable its business subscribers to do their own market research, Salesforce.com created a customer relationship management (CRM) Web service in 1999.
- In 2002, Amazon developed Amazon Mechanical Turk, which offered storage, calculations, and human intelligence.
- Then, in 2006, AMT launched its Elastic Compute Cloud (EC2), a Web service meant to aid small enterprises. It made it possible for individuals and small enterprises to lease processing time to run their own applications from a single source.
Cloud Service Levels and Deployment Methods
- Cloud Computing: A computing storage system that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs.
- Software as a service (SaaS): Means applications are delivered via the Internet. A familiar one is Google Docs, which is similar to office suites such as Microsoft Office or LibreOffice. Data is stored in the cloud, and files can be accessed and shared with others.
- Platform as a service (PaaS): Means an OS has been installed on a cloud server. Users can then install their own applications, settings, and tools in the cloud environment. The cloud provider maintains just the hardware for customers, who are responsible for their own system administration and application support.
- Infrastructure as a service (IaaS): Means customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need.
- Public Cloud: Cloud method that is accessible to anyone; the only identification required is an e-mail address.
- Private Cloud: Cloud method that can be accessed only by people who have the necessary credentials.
- Community Cloud: Cloud method that brings people together for specific purposes.
- Hybrid Cloud: Cloud method that enables a company to keep some information private and designate other files as public or community information.
Cloud Vendors
- Cloud Service Providers (CSPs): Use a variety of approaches and systems to build their cloud systems, such as servers using distributed processing methods with data farms for storage, or mainframes running OSs as virtual machines.
- The following are some CSPs and cloud applications:
- Salesforce: Offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing.
- IBM Cloud: Provides cloud development and mobile applications for several platforms.
- Cisco Cloud Computing: Has cloud applications for a wide assortment of businesses, ranging from enterprise and mid-size businesses to resellers of cloud services.
- Amazon EC2: Offers a Web service run from the cloud that allows scalability.
- AT&T Synaptic: Provides onsite data storage and the capability of a hybrid cloud system.
- Google Cloud Storage: Offers virtual machines with tools for analyzing large data sets.
- HP Helion: Provides a hybrid cloud environment with a wide range of products that can integrate into a business’s storage needs.
- Microsoft Azure: Offers tiered support for large organizations, including file, disk, blob, and archive.
- XenServer and XenCenter Windows Management Console: Has a freeware type 1 hypervisor used for public and private clouds (commercial support provided by Citrix Systems, Inc.)
- Atlantic.Net: Provides HIPAA-compliant storage and colocation, hybrid, and private hosting.
- Digital Ocean: Offers cloud storage for developers and businesses as well as support for deploying Hadoop and other cloud-based services.
- Rackspace: Provides private, hybrid, and multi-cloud solutions along with management options.
- Oracle Cloud: Offers a variety of cloud platforms and more than 4000 vendor applications that integrate into its systems.
Basic Concepts of Cloud Forensics
- Forensic data collection: Tools must be able to identify, label, record, and acquire data from the cloud.
- Elastic, static, and live forensics: To meet the elastic nature of clouds, tools must be able to expand and contract their data storage capabilities as the demand for services changes.
- Evidence segregation: Clouds are set up for multitenancy, meaning many different unrelated businesses and users share the same applications and storage space, so forensics tools must be able to separate each customer’s data.
- Investigations in virtualized environments: Because cloud operations typically run in a virtual environment, forensics tools should have the capability to examine virtual systems.
Legal Challenges in Cloud Forensics
Service Level Agreement
Cloud service agreements (CSAs), also known as "master service agreements" or "service level agreements," are contracts between organizations that supply cloud services and their clients.
A CSA is a contract between a CSP and the client outlining the services being offered and at what level. It should also include information about available support alternatives, penalties for services not delivered, system performance, costs, any offered software or hardware, and so on.
With the Practical Guide to Cloud Service Agreements, the Cloud Standards Customer Council has established guidelines to assist customers in understanding their rights and obligations.
It's critical that CSAs clearly outline the range of services the CSP offers and the obligations placed on the client, including the following:
- Service hours
- Restrictions applied to the customer by the CSP
- Availability of the cloud to the customer
- Levels of support for the customer
- Response time for data transfers
- Throughput limitations
- Contingency plan for incident response
- Business continuity and disaster recovery plan
- Fees for the subscription to the cloud and fees for additional services as they occur
- Security measures
- Terminology of the cloud’s systems and applications
Accessing Evidence in the Cloud
Search Warrants
- A search warrant must be requested by a law enforcement official who has proof of probable cause that a crime was committed and evidence of it can be discovered at the location mentioned in the warrant. Search warrants can only be used in criminal situations.
- According to the legislation, search warrants must provide detailed descriptions of the objects to be seized. Unless the CSP is a suspect, the property to be seized for cloud environments often refers to data rather than actual hardware.
- Other customers who share the suspect's equipment may also experience disruption as a result of the seizure.
- A search warrant must also specify where the objects to be taken are. This is simple for physical locations, but less clear for online data, because servers are frequently distributed across state or national borders.
- In cloud forensics, the almost instantaneous provisioning and de-provisioning of services presents a significant legal hurdle.
- Executing a warrant is unlikely to have any effects on the data owner unless actual machines are taken or virtual machines are disabled, but the possibility of spoliation is increased if the search is made public.
- A search warrant must also specify how it will be executed. Federal search warrants must provide a date and time specification to reduce interruptions to persons and company operations.
Subpoenas and Court Orders
- Government agency subpoenas: This type of subpoena is used to get information when it’s believed there’s a danger of death or serious physical injury or to get information for the National Center for Missing and Exploited Children.
- Non-government and civil litigation subpoenas: These subpoenas are used to produce information from private parties for litigation.
- Court orders: These are written by judges to compel someone to do or not do something, such as a CSP producing user logon activities.
Technical Challenges in Cloud Forensics
Architecture
- Customers' data may be mixed together depending on the cloud architecture, making it challenging to comb through data to find what's pertinent to an investigation.
- Because most CSPs keep these locations a secret for security reasons, locating data storage locations can also be challenging.
- The provenance of data might be difficult to ascertain, and the chain of evidence in an investigation can be complicated by variations in recording techniques or log keeping.
Analysis of Cloud Forensic Data
- Verifying the data with other data and log records is necessary for the analysis of digital evidence gathered from a cloud.
- If you want to know what truly happened during an incident, you may need to reconstruct the data. You may also need to examine network logs to verify that the servers' internal clocks are synchronized.
- The modified, last access, and create (MAC) dates and times for files can be compared by looking at logs. To verify file accesses, it is also necessary to look through the affected files' metadata.
- All of this data is put to use to create a timeline that demonstrates what took place when an incident occurred.
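As an added example (not part of these notes), the following Python script builds the kind of timeline described above from constructed log lines and one file's MAC times. It assumes each server's clock offset has already been measured against a trusted time source, and the server names, paths and log lines are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed: seconds each server's clock runs ahead of the reference time source,
# as measured from the log cross-check the notes describe (db-01 is 2m05s fast)
CLOCK_OFFSET = {"web-01": 0, "db-01": 125}

# Constructed log lines in the form "server|local timestamp|message"
LOG_LINES = [
    "web-01|2024-03-10T14:02:10|sshd: Accepted publickey for deploy from 10.0.5.7",
    "db-01|2024-03-10T14:05:40|mysqld: user 'report' connected from web-01",
    "web-01|2024-03-10T14:06:05|cloud-sync: uploaded /srv/export/q1.csv",
]

# Constructed MAC times for one file, as read from db-01's file system metadata
MAC_TIMES = {
    "server": "db-01", "path": "/var/lib/mysql/export/q1.csv",
    "modified": "2024-03-10T14:03:30", "accessed": "2024-03-10T14:07:00",
    "created": "2024-03-10T14:04:12",
}

def to_utc(server: str, local_ts: str) -> datetime:
    """Normalize a server-local timestamp to reference UTC using its measured offset."""
    local = datetime.fromisoformat(local_ts).replace(tzinfo=timezone.utc)
    return local - timedelta(seconds=CLOCK_OFFSET[server])

def parse_log_line(line: str) -> dict:
    server, ts, msg = line.split("|", 2)
    return {"time": to_utc(server, ts), "source": server, "event": msg}

def mac_events(mac: dict) -> list:
    """Turn a file's created/modified/accessed stamps into three timeline entries."""
    return [{"time": to_utc(mac["server"], mac[kind]), "source": mac["server"],
             "event": f"{kind}: {mac['path']}"} for kind in ("created", "modified", "accessed")]

def created_after_modified(mac: dict) -> bool:
    """Created later than modified: on NTFS a copied file gets a fresh created time
    but keeps the source's modified time, so this is worth flagging in the timeline."""
    return to_utc(mac["server"], mac["created"]) > to_utc(mac["server"], mac["modified"])

def build_timeline(log_lines: list, mac: dict) -> list:
    """Merge normalized log events and MAC events into one chronologically sorted list."""
    events = [parse_log_line(line) for line in log_lines] + mac_events(mac)
    return sorted(events, key=lambda e: e["time"])

if __name__ == "__main__":
    for e in build_timeline(LOG_LINES, MAC_TIMES):
        print(e["time"].isoformat(), e["source"], e["event"])
    if created_after_modified(MAC_TIMES):
        print("note: created > modified for", MAC_TIMES["path"])
```

Without the offset correction, the db-01 connection would sort after the web-01 upload that it actually preceded, which is exactly the kind of ordering error the clock check is meant to catch.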
Anti-Forensics: Techniques that destroy potential evidence.
- Anti-forensics strategies are used in both cloud settings and other network environments.
- By using the straightforward method of modifying file extensions, hackers can obscure or conceal damning information.
- An investigation may take longer and vital evidence may be lost as a result of specialized malware designed to thwart evidence collection.
Incident First Responders
- System and network administrators, who manage standard cloud support services, are among the staff members of CSPs who have been educated to respond to network events.
- They act as initial responders to incidents involving network intrusions.
- In the absence of an internal first responder team within a CSP, the forensics examiner should assign CSP workers to carry out these duties.
Role Management
- Data owners, identity protection, users, access controls, and other topics are all covered by role management in the cloud.
- You must gather this data as an investigator in order to find further victims or suspects.
Standards and Training
One organization that has created resource documentation for CSPs and their workers is the Cloud Security Alliance.
It offers guidelines for questionnaires, security measures, privacy agreements, and more.
Acquisitions in the Cloud
- The techniques used to gather evidence in cloud investigations vary depending on the circumstances.
- The conventional acquisition procedures, whether they be static or remote acquisitions, must be employed for e-discovery and investigations that require gathering particular files and recovering deleted artifacts.
- Because you're usually working with big volumes of data and may be constrained by network speed, remote acquisitions are frequently more challenging.
- To avoid scope creep, you might need to bargain with the CSP and the attorneys about limiting the collection to a certain set of files.
- You can even create a separate cloud system specifically for the investigation, with access restricted to approved people.
- With cloud systems operating in a virtual environment, snapshots can provide you with important information from before, during, and after an incident.
- Investigators conducting forensic investigations should reconstruct distinct cloud servers from each snapshot, obtain an image of each server, and generate an MD5 or SHA-1 hash for each file.
Encryption in the Cloud
You may better organize your research and data collection by being aware of how encryption is employed in cloud computing.
Collecting encrypted data in the cloud follows the same procedures used to acquire any other encrypted digital evidence.
If you come across encrypted data, you should ask the CSP what kind of encryption was applied and if anyone is knowledgeable about how to recover this encrypted data.
Some vendors that offer encryption services for cloud data are as follows:
- Atalla Cloud Encryption from Micro Focus: Provides trusted key management and data layer encryption that can encrypt virtual disks, databases, files, and more.
- Trend Micro SecureCloud: Combines encryption with key management based on an organization’s security policies. It can also wipe data after it’s deleted from cloud storage areas. Knowing about this feature is important when attempting to recover deleted data.
- Sophos SafeGuard Encryption and Sophos Mobile Control: Provide automatic encryption and decryption for users’ uploads and downloads of data.
Blockchain technology: A way to trace your information while keeping it secure. It is defined as an incorruptible ledger of economic transactions.
Conducting a Cloud Investigation
Investigating Cloud Customers
- Customers of CSPs can use a website, an app, or other methods to access CSPs from desktops and mobile devices including tablets and smartphones.
- Evidence of a cloud customer may be found in a Web browser's cache file if the cloud customer doesn't have the CSP's application installed.
- If the CSP application is set up, you can look for proof of file transfers in the program's folder, which is ordinarily located under the user's account folder, such as C:\Users\username.
- The Windows Prefetch folder contains extra details regarding cloud application usage on a user's PC.
Understanding Prefetch Files
- Microsoft has developed prefetch files that include the metadata and DLL pathnames used by a program.
- They include the data and code accessed, together with a log of prefetcher events.
- To speed up an application's startup time, the OS reads the corresponding prefetch file, which has a .pf extension, and puts its contents into memory.
- The application's create date and time, modified date and time, last access date and time, and record date and time are located in a prefetch file at offsets 0x80, 0x88, 0x90, and 0x98, respectively.
- At offset 0xD4, there is a counter that records how many times the program has been launched since the prefetch file was created.
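As an added example (not from these notes), here is a Python parser that reads the fields at the offsets listed above from a constructed, in-memory prefetch-like buffer rather than a real capture. It assumes the uncompressed layout and the notes' offsets; real prefetch layouts vary by format version, and Windows 10 and later store .pf files compressed (they begin with the bytes MAM), so those must be decompressed before any of these offsets apply.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns intervals since 1601-01-01 UTC
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Field offsets as given in the notes above
TS_OFFSETS = {"create": 0x80, "modified": 0x88, "last_access": 0x90, "record": 0x98}
RUN_COUNT_OFFSET = 0xD4
NAME_OFFSET, NAME_SIZE = 0x10, 60  # executable name, UTF-16LE, in the header

def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    td = dt - _EPOCH_1601  # integer arithmetic avoids float rounding
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10

def is_compressed(data: bytes) -> bool:
    # Windows 10+ writes .pf files compressed; they start with b"MAM\x04" and
    # must be decompressed (Xpress Huffman) before the offsets above apply
    return data[:3] == b"MAM"

def parse_prefetch(data: bytes) -> dict:
    if is_compressed(data):
        raise ValueError("compressed prefetch file: decompress before parsing")
    if data[4:8] != b"SCCA":
        raise ValueError("no SCCA signature: not an uncompressed prefetch file")
    if len(data) < RUN_COUNT_OFFSET + 4:
        raise ValueError("buffer too short for the expected fields")
    raw_name = data[NAME_OFFSET:NAME_OFFSET + NAME_SIZE].decode("utf-16-le")
    result = {
        "format_version": struct.unpack_from("<I", data, 0)[0],
        "executable": raw_name.split("\x00", 1)[0],
    }
    for field, off in TS_OFFSETS.items():
        ft = struct.unpack_from("<Q", data, off)[0]
        result[field] = filetime_to_datetime(ft) if ft else None  # zero = unset
    result["run_count"] = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)[0]
    return result

def build_sample() -> bytes:
    """Constructed buffer laid out per the offsets above; not a real capture."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, 30)  # format version field (constructed value)
    buf[4:8] = b"SCCA"
    name = "DROPBOX.EXE".encode("utf-16-le")
    buf[NAME_OFFSET:NAME_OFFSET + len(name)] = name
    stamps = {
        "create": datetime(2023, 5, 1, 8, 0, tzinfo=timezone.utc),
        "modified": datetime(2023, 6, 12, 17, 45, 30, tzinfo=timezone.utc),
        "last_access": datetime(2023, 6, 12, 17, 45, 30, tzinfo=timezone.utc),
        "record": datetime(2023, 6, 12, 17, 45, 31, tzinfo=timezone.utc),
    }
    for field, dt in stamps.items():
        struct.pack_into("<Q", buf, TS_OFFSETS[field], datetime_to_filetime(dt))
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET, 7)  # launched 7 times
    return bytes(buf)
```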
Examining Stored Cloud Data on a PC
- When Dropbox or Google Drive is installed on a PC, File Explorer displays it as a separate folder, so data can be copied to and from it like any other folder.
- OneDrive is installed with Windows; once a user activates their OneDrive account, it appears as a folder in File Explorer.
- Even if the user's PC is offline, these services update the cloud-saved files from the user's locally stored files when Internet connectivity is restored.
- Updates to the original computer are made automatically when the Internet connection is resumed, regardless of whether the user accesses the cloud service through the Web on the same computer or a new machine.
- Users must maintain control over access to their cloud accounts because security is such a crucial concern with regard to cloud storage.
- If a user's cloud password is cracked, an unethical individual could utilize the Web to upload harmful or unlawful data to that user's cloud.
Tools for Cloud Forensics
- Few tools specifically made for cloud forensics were available in the early days of the cloud, but various digital, network, and e-discovery tools were utilized to manage gathering and processing evidence from the cloud.
Forensic Open-Stack Tools
- Forensic Open-Stack Tools (FROST): It integrates with OpenStack running in IaaS cloud environments and adds forensics response capabilities for a CSP.
- OpenStack is an open-source computing platform intended for public and private cloud services.
- FROST is the first known effort to provide a forensics response process for a cloud service.
- A feature of FROST is that it bypasses a virtual machine’s hypervisor.
- Management Plane: A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it’s accessed through the application’s Web interface.
F-Response for the Cloud
- F-Response for the Cloud is a forensic tool used to access and collect data from cloud-based storage.
- It supports multiple cloud platforms, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
- F-Response for the Cloud allows for live acquisition and analysis of cloud data, without the need for physical access to the storage device.
- The tool provides a read-only view of the data, ensuring that the original evidence is not altered.
- F-Response for the Cloud can be used in conjunction with other forensic tools, such as EnCase and FTK, to analyze cloud-based evidence.
Magnet AXIOM Cloud
- Magnet AXIOM Cloud is a digital forensics tool for cloud investigations.
- It supports multiple cloud services, including Google Drive, Dropbox, and Microsoft OneDrive.
- AXIOM Cloud can collect and analyze data from cloud accounts, including deleted files and user activity logs.
- The tool can also generate reports and timelines to aid in investigations.
- AXIOM Cloud has a user-friendly interface and can be used by both technical and non-technical investigators.