1

www.cloudsec.com | #CLOUDSEC

The challenges of ‘the cloud’ for a digital forensic

investigator … and how to overcome them

Nick Klein

Certified DFIR Instructor, SANS Institute

@sansforensics

#CLOUDSEC

Who am I?

• Nick Klein, digital forensic examiner.

• Provide digital forensic investigations and

incident response services to organisations internationally.

• SANS Certified Instructor, teaching

Windows In-Depth Forensic Analysis (FOR408)

Advanced Forensics & Incident Response (FOR508).

#CLOUDSEC

Today’s data collection challenges

• Solid evidence requires completeness and accuracy.

• But today we’re faced with:

• Increased size, complexity and distribution of data

• Pressure on time and cost, which impacts on quality

• Forensic examiners must learnskills and

methods to addressthese challenges.

#CLOUDSEC

Agenda

• Google accounts

• Social media

• Dropbox

• Office365

• Mobile devices

• Networked computers.

#CLOUDSEC

Google accounts

• Old method: use an email client (e.g. Outlook) to connect to the account, but

metadata may change.

• Tools like F-Response and Nuix can connect to some online email accounts (POP,

IMAP) but may be blocked or throttled.

• Google provide a Control your data feature (previously Google Takeout) which

captures an entire Google account, including

email.

• Requires interacting with the user’s account.

#CLOUDSEC

Social media

• Can always revert to

screenshots; but

consider integrity

checks.

• Tools like X1 Social

Discovery are handy

(use APIs).

#CLOUDSEC

Dropbox

• User files synchronised across all computers logged into the same Dropbox account.

• Business accounts provide rich features including collaboration, access control,

remote wipe, version history.

• Files deleted via web portal moved to a local dropbox.cache folder.

• Business accounts provide unlimiteddeletion recovery, Pro is up to 1 year,Basic is

30 days.

• Web portal can be used to recover,or permanently

delete files.

• Business accounts keep detailed logs indefinitely,

Pro and Basic for 6 months.

#CLOUDSEC

Office 365

• Solid native eDiscovery functionality exists within O365.

• Covers email, SharePoint (with versions), OneCloud, Skype and more.

• One ring (administrative account) to rule them all …

#CLOUDSEC

Office 365 search syntax

subject:share*

attachment:”Board Minutes.pdf”

to:nick@kleinco.com.au

body:share NEAR(5) price

isread:no

received>01/01/2016 AND received<04/01/2016

#CLOUDSEC

… now served with extra PowerShell

• Searching across all mailboxes:

Get-Mailbox | Search-Mailbox -SearchQuery 'election OR candidate OR vote' -

TargetMailbox "Discovery Search Mailbox" -TargetFolder "AllMailboxes-

Election" -LogLevel Full

• Exporting a user’s mailbox to PST:

New-MailboxExportRequest -Mailbox nklein -FilePath

“\\SERVER01\Discovery\PST\nklein.pst”

#CLOUDSEC

Mobile devices

• iPhone backups commonly found in users’ iCloud accounts, but access has legal

implications.

• Some data will not be available, especially email.

• BYOD creates challenges to access personal devices.

• With most mobile devices, you also need the passcode.

#CLOUDSEC

Remote (and cloud) computers

• Traditionally done by self collection (Hello, IT?) or manual forensic imaging (full or

partial) on each computer.

• These can be slow, inefficient, prone to mistakes, therefore prone to be incomplete

and inaccurate.

• There are betterways …

#CLOUDSEC

Remote computers with F-Response

#CLOUDSEC

Remote computers with F-Response

For example, to process all prefetch files across a group of computers (defined in

targetlist.txt) using TZWorks Prefetch Parser (pf) and F-Response:

for t in targetlist.txt; do

mount $t /dev/target

ls /dev/target/Windows/Prefetch/*.pf | pf –pipe –csv > $t.csv

umount /dev/target

done

#CLOUDSEC

... or with forensic ninja tools

• Developing a tailored collection approach to:

• Identify relevant computers and users

• Collect comprehensive file listings from computers

• Filter and search for relevant material

• Extract forensic data, including locked files,

e.g. MFT, PST, OST, EVTX, etc.

• Can all be easily done with free tools.

#CLOUDSEC

Using native Windows features

• Execute collection on a networked computer:

psexec.exe \\hostname net use q: \\share /user:domain\user password

psexec.exe \\hostname q:\collection.bat

psexec.exe \\hostname net use q: /delete

• … did I mention these tools are free?

#CLOUDSEC

Conclusions

• These challenges will only become more complex.

• Each case has different requirements.

• Choosing the “best” approach requires:

Strong technical understanding of data sources

A broad suite of forensic tools and methods

Training and expertise to use them properly

Experience to develop and apply a thorough approach.

Nick Klein

SANS Institute

www.kleinco.com.au

@sansforensics