Module 13 Cloud Forensics
NIST document SP 500-322 defines more than 75 cloud services, including which of the following?
- Backup as a service - Security as a service - Drupal as a service
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider?
- Court orders -Search warrents - Subpoenas with prior notice
What capabilities should a forensics tool have to acquire data from a cloud?
- examine virtual systems - Expand and contract data storage capabilites as needed for service changes. - Identify and acquire data from the cloud.
hybrid cloud
A cloud deployment model that combines public, private, or community cloud services under one cloud. Segregation of data is used to protect private cloud storage and applications.
Platform as a service (PaaS)
A cloud is a service that provides a platform in the cloud that has only an OS. The customer can use the platform to load their own applications and data. The CSP is responsible only for the OS and hardware it runs on; the customer is responsible for everything else that they have loaded on to it.
private cloud
A cloud service dedicated to a single organization.
public cloud
A cloud service that's available to the general public.
multitenancy
A principle of software architecture in which a single installation of a program runs on a server accessed by multiple entities (tenants). When software is accessed by tenants in multiple jurisdictions, conflicts in copyright and licensing laws might result.
community cloud
A shared cloud service that provides access to common or shared data.
management plane
A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly.
provisioning
Allocating cloud resources, such as additional disk space.
cloud service agreements (CSAs)
Contracts between a cloud service provider and a cloud customer. Any additions or changes to a CSA can be made through an addendum. See also cloud service providers (CSPs).
What are the two states of encrypted data in a secure cloud?
Data in motion and data at rest
deprovisioning
Deallocating cloud resources that were assigned to a user or an organization. See also provisioning.
spoliation
Destroying, altering, hiding, or failing to preserve evidence, whether it's intentional or a result of negligence.
Commingled data isn't a concern when acquiring cloud data.
False
In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
IaaS
Which of the following cloud deployment methods typically offers no security?
Public cloud
Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
SaaS
What are the three levels of cloud services defined by NIST?
SaaS, PaaS, and IaaS
A CSP's incident response team typically consists of system administrators, network administrators, and legal advisors.
True
A(n) CSA or cloud service agreement is a contract between a CSP and the customer that describes what services are being provided and at what level.
True
Amazon was an early provider of Web-based services that eventually developed into the cloud concept.
True
Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications
True
The cloud services Dropbox, Google Drive, and OneDrive have Registry entries.
True
The multitenancy nature of cloud environments means conflicts in privacy laws can occur.
True
To see Google Drive synchronization files, you need a SQL viewer.
True
Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location.
True
cloud service providers (CSPs)
Vendors that provide on-demand network access to a shared pool of resources (typically remote data storage or Web applications).
When should a temporary restraining order be requested for cloud environments?
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
Infrastructure as a service (IaaS)
With this cloud service level, an organization supplies its own OS, applications, databases, and operations staff, and the cloud provider is responsible only for selling or leasing the hardware.
Software as a service (SaaS)
With this cloud service level, typically a Web hosting service provides applications for subscribers to use.
Cloud Service Providers have incident response teams that consist of all of the following, EXCEPT:
backup operators
All of the following pose challenges to cloud computing, EXCEPT:
cloud uptime
All of the following are considered cloud service levels, EXCEPT:
computer as a service
Which of the following contain metadata on the last date and time an application was run and how many times it has run since being installed?
prefetch files
All of the following are mechanisms that are used to collect digital evidence under the U.S. Electronic Communications Privacy Act (ECPA), EXCEPT:
subpoenas without prior notice to the subscriber or customer