Chapter 13: Cloud Forensics
Describe how the Forensic Open-Stack Tools (FROST) bypasses a virtual machine's hypervisor.
FROST (Forensic OpenStack Tools) works with OpenStack. With FROST, collected data is placed in the cloud's management plane, the layer with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface. FROST bypasses the virtual machine's hypervisor because the hypervisor is a single point of compromise: special malware that gains control of the hypervisor can take control of the virtual session and deny or alter access to it, and it can also prevent or interfere with forensic analysis and data collection. Collecting through the management plane instead avoids depending on a hypervisor that may already be under the attacker's control.
At what offset is a prefetch file's create date and time located? a. 0x80 b. 0x88 c. 0x90 d. 0x98
a. 0x80
What document, issued by a judge, compels the recipient to do or not do something? a. A court order b. A subpoena c. A warrant d. A temporary restraining order
a. A court order
Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created. a. MAC b. ACL c. startup / access d. log event
a. MAC
In which cloud service level are applications delivered via the Internet? a. Software as a service b. Virtualization as a service c. Platform as a service d. Infrastructure as a service
a. Software as a service
Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system? a. filecache.dbx b. read_filejournal c. filetx.log d. filecache.dll
a. filecache.dbx
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. a. True b. False
False
Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application's Web interface? a. A programming editor b. A management plane c. A backdoor d. A configuration manager
b. A management plane
Where is the snapshot database created by Google Drive located in Windows? a. C:\Program Files\Google\Drive b. C:\Users\username\AppData\Local\Google\Drive\user_default c. C:\Users\username\Google\Google Drive d. C:\Google\Drive
b. C:\Users\username\AppData\Local\Google\Drive\user_default
Which folder is most likely to contain Dropbox files for a specific user? a. C:\Dropbox b. C:\Users\username\Dropbox c. C:\Users\Dropbox d. C:\Users\username\AppData\Dropbox
b. C:\Users\username\Dropbox
Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues? a. OpenStack Framework Alliance b. Cloud Security Alliance c. Cloud Architecture Group d. Cloud Security Advisory Panel
b. Cloud Security Alliance
Which tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack? a. OpenForensics b. FROST c. WinHex d. ARC
b. FROST
What files, created by Microsoft, contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications? a. Cache b. Prefetch c. Config d. Temp
b. Prefetch
With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident? a. RAM analysis b. Snapshots c. Live acquisition d. Carving
b. Snapshots
Which Google Drive file contains a detailed list of a user's cloud transactions? a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db
b. sync_log.log
At what offset are the application's last access date and time located in a prefetch file? a. 0x80 b. 0x88 c. 0x90 d. 0xD4
c. 0x90
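The three prefetch questions above all come down to reading 64-bit Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) at fixed offsets. The following is an added example, not code from the textbook or from any forensic tool: it parses the two timestamps at the offsets the page gives (create time at 0x80, last access at 0x90) from a buffer that is constructed inline rather than read from a real .pf file. The format version at offset 0 and the "SCCA" signature at offset 4 are real header fields; the prefetch layout has changed across Windows versions, so treating the page's offsets as fixed is an assumption an examiner should check against the version field before relying on the result.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets as stated on the page. Assumption: they hold for the prefetch format
# version you are examining; check the version field at offset 0 first.
CREATE_TIME_OFFSET = 0x80
LAST_ACCESS_OFFSET = 0x90
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample timestamps (not taken from a real prefetch file).
SAMPLE_CREATED = datetime(2015, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LAST_ACCESS = datetime(2015, 3, 9, 8, 30, 15, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    microseconds = int((dt - FILETIME_EPOCH) / timedelta(microseconds=1))
    return microseconds * 10


def parse_prefetch_times(data: bytes) -> dict:
    """Return the header version and the create/last-access times (UTC) from a prefetch buffer."""
    if len(data) < LAST_ACCESS_OFFSET + 8:
        raise ValueError("buffer too short to hold the timestamps at 0x80/0x90")
    version = struct.unpack_from("<I", data, 0)[0]
    # Real .pf files carry "SCCA" at offset 4. Windows 10 files are stored
    # compressed and start with "MAM" instead; they must be decompressed first.
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed prefetch file")
    (create_ft,) = struct.unpack_from("<Q", data, CREATE_TIME_OFFSET)
    (access_ft,) = struct.unpack_from("<Q", data, LAST_ACCESS_OFFSET)
    return {
        "version": version,
        "created": filetime_to_datetime(create_ft),
        "last_access": filetime_to_datetime(access_ft),
    }


def build_sample_prefetch(created: datetime, last_access: datetime) -> bytes:
    """Construct a minimal prefetch-like buffer: version, signature, and the two timestamps."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, 23)          # format version field (value is arbitrary here)
    buf[4:8] = b"SCCA"                           # prefetch signature
    struct.pack_into("<Q", buf, CREATE_TIME_OFFSET, datetime_to_filetime(created))
    struct.pack_into("<Q", buf, LAST_ACCESS_OFFSET, datetime_to_filetime(last_access))
    return bytes(buf)


def demo() -> dict:
    """Build the constructed sample and parse it back."""
    return parse_prefetch_times(build_sample_prefetch(SAMPLE_CREATED, SAMPLE_LAST_ACCESS))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When the decoded times look implausible (for example, a create time far in the future or earlier than the OS install date), suspect timestamp tampering of the kind described under anti-forensics later on this page, or an offset mismatch for the format version, before drawing timeline conclusions.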
Which type of order requires that the government offer specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation? a. A search warrant b. A subpoena c. A court order d. A subpoena with prior notice
c. A court order
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing? a. IBM Cloud b. Amazon EC2 c. Salesforce d. HP Helion
c. Salesforce
What cloud service provides a freeware type 1 hypervisor used for public and private clouds? a. Cisco Cloud Computing b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. HP Helion
c. XenServer and XenCenter Windows Management Console
A government entity must show that there is probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation to obtain which type of order? a. A subpoena b. A TRO c. A court order with prior notice d. A search warrant
d. A search warrant
Which cloud forensics training program is limited to law enforcement personnel? a. (ISC)2 Certified Cyber Forensics Professional b. INFOSEC Institute c. Sans Cloud Forensics with F-Response d. National Institute of Justice Digital Forensics Training
d. National Institute of Justice Digital Forensics Training
What is Microsoft's SkyDrive now called? a. Teams b. Box c. MS Drive d. OneDrive
d. OneDrive
A search warrant can be used in any kind of case, either civil or criminal. a. True b. False
False
Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, iCloud, but not from Facebook Messenger. a. True b. False
False
Remote acquisitions are often easier because you're usually dealing with large volumes of data. a. True b. False
False
Discuss the four different types of cloud deployment methods.
A public cloud is accessible to anyone, and typically, the only identification required is an e-mail address. This deployment method offers little security beyond that identification, but it's popular because of its ease of use. Next is a private cloud, which can be accessed only by people who have the necessary credentials, such as logon names and passwords; sometimes location is used as a way to restrict access, too. Most companies have private clouds. A community cloud is a way to bring people together for a specific purpose. For example, say a city wants all small businesses to have access to the same documents and templates. By creating a community cloud, the city can make these files accessible to those who have a current business license. A hybrid cloud enables a company to keep some information private and designate other files as public or community information.
Explain what a court order is, and describe how it is used.
Court orders are written by judges to compel someone to do or not do something, such as a CSP producing user logon activities. Under Title 18 of the U.S. Code (the Stored Communications Act, 18 U.S.C. § 2703(d)), court orders for stored communications are available only to government entities. The statute provides that such an order may be issued by "any court that is a court of competent jurisdiction" only if the government entity "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." When a state government agency is involved, a court order can't be issued if the laws of the state prohibit it.
Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics.
"Anti-forensics" is the use of tools and techniques to destroy, hide, or alter electronically stored information (ESI) that's potential evidence, or to frustrate its collection and analysis. Anti-forensics tactics are used in cloud environments as well as in other network environments. Hackers might obfuscate incriminating files or hide them by the simple technique of changing file extensions. Specialized malware for defeating evidence collection can add time to an investigation and result in the loss of valuable evidence. Additional methods include inserting malware programs in other files, using encryption to obfuscate malware programs that are activated through other malware programs, and using data-hiding utilities that append malware to existing files. Other techniques affect file metadata by changing the modify and last access times. Changing file timestamps makes it difficult to develop a reliable timeline of a hacker's activities.
Explain why digital forensics examiners should be most concerned with restrictions applied to customers and security measures.
Of the components in a CSP's agreements and policies, restrictions applied to customers and security measures matter most to an examiner because they govern what can be acquired and by whom. These CSP components must state who is authorized to access data and what the limitations are in conducting acquisitions for an investigation. Because many cloud vendors spread data storage systems across multiple countries, the CSP should also address any multi-jurisdiction concerns and define how conflicts between laws of different countries will be resolved.
Match each item with a statement below a. Cloud service providers (CSPs) b. Community cloud c. Deprovisioning d. Hybrid cloud e. Infrastructure as a service (IaaS) f. Multitenancy g. Private cloud h. Cloud service agreements (CSAs) i. Public cloud j. Spoliation 1) A way to bring people together for a specific purpose, for example, to access common files. 2) Also called "master service agreements." 3) Can only be accessed by people who have the necessary credentials. 4) Poses a serious legal challenge in cloud forensics. 5) Customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need.
Match each item with a statement below a. Cloud service providers (CSPs) b. Community cloud c. Deprovisioning d. Hybrid cloud e. Infrastructure as a service (IaaS) f. Multitenancy g. Private cloud h. Cloud service agreements (CSAs) i. Public cloud j. Spoliation 1) A way to bring people together for a specific purpose, for example, to access common files. - b 2) Also called "master service agreements." - h 3) Can only be accessed by people who have the necessary credentials. - g 4) Poses a serious legal challenge in cloud forensics. - c 5) Customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need. - e
Match each item with a statement below a. Cloud service providers (CSPs) b. Community cloud c. Deprovisioning d. Hybrid cloud e. Infrastructure as a service (IaaS) f. Multitenancy g. Private cloud h. Cloud service agreements (CSAs) i. Public cloud j. Spoliation 6) Many different unrelated businesses and users share the same applications and storage space. 7) Use a variety of approaches and systems to build their cloud systems, such as servers using distributive processing methods with data farms for storage. 8) Failing to preserve evidence. 9) A cloud service that's available to the general public. 10) Enables a company to keep some information private and designate other files as public or community information.
Match each item with a statement below a. Cloud service providers (CSPs) b. Community cloud c. Deprovisioning d. Hybrid cloud e. Infrastructure as a service (IaaS) f. Multitenancy g. Private cloud h. Cloud service agreements (CSAs) i. Public cloud j. Spoliation 6) Many different unrelated businesses and users share the same applications and storage space. - f 7) Use a variety of approaches and systems to build their cloud systems, such as servers using distributive processing methods with data farms for storage. - a 8) Failing to preserve evidence. - j 9) A cloud service that's available to the general public. - i 10) Enables a company to keep some information private and designate other files as public or community information. - d
Explain what non-government and civil litigation subpoenas are, and describe how they work.
Non-government and civil litigation subpoenas are used to produce information from private parties for litigation. An example of how they apply to a CSP can be seen in Flagg v. City of Detroit (252 F.R.D. 346, E.D. Mich., 2008). A CSP received a civil subpoena for the production of electronically stored information (ESI) in the cloud, including text messages sent or received by city employees who used mobile devices supplied by SkyTel. Although the court determined that this data could be subject to discovery under the Federal Rules of Civil Procedure, it denied the subpoena because the evidence could have been acquired more easily by making an ESI discovery request to the cloud users.
Explain what a service level agreement is.
Organizations that sell cloud services have cloud service agreements (CSAs) with their customers, which are also called "master service agreements" or "service level agreements (SLAs)." A CSA is a contract between a CSP and the customer that describes what services are being provided and at what level. It should also specify support options, penalties for services not provided, system performance (periods of downtime and uptime, for example), fees, provided software or hardware, and so forth.
What capabilities should a forensic tool have to handle acquiring data from the cloud?
Tools must be able to identify, label, record, and acquire data from the cloud. To meet the elastic nature of clouds, tools must be able to expand and contract their data storage capabilities as the demand for services changes. Additionally, clouds are set up for multitenancy, meaning many different unrelated businesses and users share the same applications and storage space, so forensics tools must be able to separate each customer's data. Finally, because cloud operations typically run in a virtual environment, forensics tools should have the capability to examine virtual systems.
Homomorphic encryption uses an "ideal lattice" mathematical formula to encrypt data. a. True b. False
True
In 1999, Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud. a. True b. False
True
In the United States, the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider. a. True b. False
True
Specially trained system and network administrators are often a CSP's first responders. a. True b. False
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). a. True b. False
True
The platform as a service cloud service is most likely found on a desktop or a server, although it could also be found on a company network or the remote service provider's infrastructure. a. True b. False
True
Describe the role of incident first responders, and discuss some factors that should be addressed with first responders
Typically, CSPs have personnel trained to respond to network incidents, such as system and network administrators who handle normal support services for the cloud. When a network intrusion occurs, they become first responders to the incident. If a CSP doesn't have an internal first responder team, the forensics examiner should organize CSP staff to handle these tasks. Some factors to address include the following: • Will the CSP's operations staff be cooperative and follow directions, and will management issue orders stating that you're the leader of the investigation? • Do you need to brief staff about operations security? For example, you might need to explain that they should talk only to others who have a need to know about the incident and the investigation's activities. • Do you need to train staff in evidence collection procedures, including the chain of custody?
Explain what a government agency subpoena is, and describe how it is used.
Title 18 of the U.S. Code (the Stored Communications Act, 18 U.S.C. § 2702) states that a provider can't knowingly divulge customer communications and records to any person or entity, but it allows specific exceptions for disclosure to government entities. A government agency subpoena is a subpoena issued by a government entity under those exceptions; it is used to get information when it's believed there's a danger of death or serious physical injury, or to get information for the National Center for Missing and Exploited Children. U.S. federal courts interpret this as meaning that no Stored Communications Act provision permits disclosure in response to a civil discovery order unless the order comes from a government entity: "Subpoena may not be enforced consistent with the plain language of the Privacy Act because the exceptions enumerated in § 2702(b) do not include civil discovery subpoenas."
