Digital Forensics Cloud Forensics 13
Block chain technology,
"an incorruptible ledger of economical transactions"
Cloud Forensics Capability Maturity Model
(developed by the Cloud Security Alliance) explores the needs, processes, and responsibilities of customers and the CSP during an incident response to a VM compromised in a cloud environment.
In a prefetch file, the application's create date and time are at offset ____, the modified date and time are at offset ____, the last access date and time are at offset ____, and the record date and time are at offset ____. The counter listing the number of times the application has run since the prefetch file was created is at offset ______.
0x80, 0x88, 0x90, 0x98, 0xD4
community cloud
A cloud that is open only to specific organizations that have common concerns.
hybrid cloud
A combination of public and private clouds.
Capabilities forensics tools should have for acquiring data from a cloud:
Forensic data collection (identify, label, record, and acquire data)
Elastic, static, and live forensics (expand and contract their data storage capabilities as the demand for services changes)
Evidence segregation (separate each customer's data)
Investigations in virtualized environments
Which of the following cloud deployment methods typically offers no security?
Public cloud
The cloud has three basic service levels:
SaaS, PaaS, IaaS
T or F The burden of proof (reasonable grounds) to get a court order is lower than the probable cause required for a search warrant.
T
Cloud Computing Goals
To take advantage of shared resources
To balance the workload/capability among thin clients and powerful servers
Technical challenges in cloud forensics involve
cloud architecture, data collection, analysis of cloud forensic data, anti-forensics, incident first responders, role management, legal issues, and standards and training.
Cloud forensics v Network forensics
Cloud forensics is considered a subset of network forensics.
Government agency subpoenas
Customer communications and records can't be knowingly divulged to any person or entity, but an exception is allowed for government agencies.
Infrastructure as a service (IaaS)
Customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need.
Encrypted data in the cloud is in two states:
Data at rest: written to disk
Data in motion: being transmitted
(Also data in use: in RAM)
Role management
Defines the duties of CSP staff and customers. A digital forensics examiner needs this information to determine where data is stored and the impact of its loss to the CSP and customers.
ARPA Program Plan No. 723, Resource Sharing Computer Networks
Engineered a solution for sharing networked resources that developed into the Advanced Research Projects Agency Network (ARPANET), which later became the Internet.
Procedures for acquiring cloud evidence include
Examining network and firewall logs, performing disk acquisitions of a cloud system's OS, and examining data storage devices.
spoliation
Failing to preserve evidence; comes into play with advance-notice acquisitions.
Forensic Open-Stack Tools (FROST)
Integrates with OpenStack running in IaaS cloud environments and adds forensics response capabilities for a CSP. A feature of FROST is that it bypasses a virtual machine's hypervisor. Because the hypervisor is bypassed, special malware can take control of the virtual session and deny or alter access. It can also prevent or interfere with forensic analysis and data collection.
F-Response
A remote access tool that can be applied to cloud forensics.
data breach
An incident in which sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual who is not authorized.
Software as a service (SaaS)
Applications are delivered via the Internet.
Cloud forensics has three dimensions:
Organizational (structure), legal (service agreements), and technical (procedures and applications).
Prefetch files (.pf)
Reduce the time it takes to start Microsoft applications and contain the DLL pathnames and metadata used by an application (so the OS can handle other tasks).
Five mechanisms are used to collect digital evidence under the U.S. Electronic Communications Privacy Act (ECPA):
Search warrants
Subpoenas
Subpoenas with prior notice
Court orders
Court orders with prior notice
Homomorphic encryption
Uses an "ideal lattice" mathematical formula to encrypt data.
Cloud architecture is constructed of
Virtual machines
public cloud
Accessible to anyone with an e-mail address.
Anti-forensics
An effort to alter log records as well as the date and time values of important system files, and to install malware to hide hackers' activities.
management plane
A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly.
What are the two states of encrypted data in a secure cloud?
Data in motion and data at rest
Platform as a service (PaaS)
An OS has been installed on a cloud server, and users can then install their own applications, settings, and tools in the cloud environment.
Policies v Standards for CSPs
Policies are detailed rules for a CSP's internal operation. Standards give guidance to staff for their obligations in daily operations and security of the CSP's environment.
Cloud Computing originated from:
Professor John McCarthy of MIT and Dr. J. C. R. Licklider, director at the U.S. Department of Defense Advanced Research Projects Agency (ARPA).
Multitenant model
Provides a predefined environment for the cloud subscriber that is shared with other tenants (data tagging).
Multi-instance model
Provides a unique database management system (DBMS) running on a VM instance for each cloud subscriber and gives complete control over administrative tasks related to security.
T or F Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications.
True
When should a temporary restraining order be requested for cloud environments?
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
If a prefetch file is deleted,
Windows re-creates one that resets the MAC times and the counter.
"The NIST Definition of Cloud Computing"
A computing storage system that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs.
You can collect prefetch file artifacts with
A disk editor or forensics tool.
private cloud
Accessed by authorized users with credentials.
