www.cloudsec.com | #CLOUDSEC
The challenges of ‘the cloud’ for a digital forensic investigator … and how to overcome them
Nick Klein
Certified DFIR Instructor, SANS Institute
@sansforensics
Who am I?
• Nick Klein, digital forensic examiner.
• Provide digital forensic investigations and
incident response services to organisations internationally.
• SANS Certified Instructor, teaching Windows In-Depth Forensic Analysis (FOR408) and
Advanced Forensics & Incident Response (FOR508).
Today’s data collection challenges
• Solid evidence requires completeness and accuracy.
• But today we’re faced with:
• Increased size, complexity and distribution of data
• Pressure on time and cost, which impacts quality
• Forensic examiners must learn skills and methods to address these challenges.
Agenda
• Google accounts
• Social media
• Dropbox
• Office365
• Mobile devices
• Networked computers.
Google accounts
• Old method: connect an email client (e.g. Outlook) to the account and download the mail,
but the act of collecting this way may change account metadata.
• Tools like F-Response and Nuix can connect to some online email accounts (POP, IMAP)
but may be blocked or throttled by the provider.
• Google provide a Control your data feature (previously Google Takeout) which exports an
entire Google account, including email.
• Requires interacting with the user’s account.
Social media
• Can always revert to screenshots; but consider integrity checks.
• Tools like X1 Social Discovery are handy (use APIs).
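The “integrity checks” point above is worth making concrete. The following is an added example, not code from the original deck: it hashes every screenshot or export in a collection folder into a SHA-256 manifest at collection time, records a hash of the manifest itself, and later re-verifies the folder, reporting any file that is missing, modified or added. The case paths, collector name and folder layout are assumptions for the example.

```powershell
# Added example, not from the original deck: create a SHA-256 manifest for a folder of
# captured screenshots or exports at collection time, and verify it later so that any
# missing, modified or added file is detected. Case paths below are placeholders.
function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$EvidencePath,
        [Parameter(Mandatory)][string]$ManifestPath,   # keep the manifest OUTSIDE $EvidencePath
        [string]$Collector = $env:USERNAME
    )
    $root = (Resolve-Path -LiteralPath $EvidencePath).Path.TrimEnd('\')
    $rows = Get-ChildItem -LiteralPath $root -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    # Hash the manifest itself and record who produced it and when. Note this value in the
    # case notes (outside the evidence folder) so the manifest cannot be silently regenerated.
    $manifestHash = (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
    '{0}  {1}  {2} files  collected by {3} at {4}' -f $manifestHash, (Split-Path $ManifestPath -Leaf),
        @($rows).Count, $Collector, (Get-Date).ToUniversalTime().ToString('o')
}

function Test-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$EvidencePath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $EvidencePath).Path.TrimEnd('\')
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($row in $expected) {
        $full = Join-Path $root $row.RelativePath
        if (-not (Test-Path -LiteralPath $full)) { $findings.Add("MISSING   $($row.RelativePath)"); continue }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $row.Sha256) { $findings.Add("MODIFIED  $($row.RelativePath)") }
    }
    # Anything present now that was not in the manifest was added after collection
    $known = @($expected | ForEach-Object RelativePath)
    Get-ChildItem -LiteralPath $root -File -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if ($known -notcontains $rel) { $findings.Add("ADDED     $rel") }
    }
    if ($findings.Count -eq 0) { "OK: $($expected.Count) files match the manifest" } else { $findings }
}

# Usage (paths are placeholders for this example)
New-EvidenceManifest  -EvidencePath 'C:\Cases\2016-042\social' -ManifestPath 'C:\Cases\2016-042\social-manifest.csv'
Test-EvidenceManifest -EvidencePath 'C:\Cases\2016-042\social' -ManifestPath 'C:\Cases\2016-042\social-manifest.csv'
```

The manifest is written outside the evidence folder on purpose: if it sat inside, it would appear as an “added” file on verification and, worse, could be regenerated together with altered screenshots without anyone noticing. Recording the manifest’s own hash in the case notes closes that gap.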
Dropbox
• User files are synchronised across all computers logged into the same Dropbox account.
• Business accounts provide rich features including collaboration, access control,
remote wipe and version history.
• Files deleted via the web portal are moved to a local dropbox.cache folder on the client.
• Business accounts provide unlimited deletion recovery; Pro is up to 1 year; Basic is 30 days.
• The web portal can be used to recover, or permanently delete, files.
• Business accounts keep detailed logs indefinitely; Pro and Basic for 6 months.
Office 365
• Solid native eDiscovery functionality exists within O365.
• Covers email, SharePoint (with versions), OneDrive, Skype and more.
• One ring (administrative account) to rule them all …
Office 365 search syntax
subject:share*
attachment:"Board Minutes.pdf"
body:share NEAR(5) price
isread:false
received>01/01/2016 AND received<04/01/2016
… now served with extra PowerShell
• Searching across all mailboxes (Get-Mailbox returns only the first 1,000 mailboxes unless
-ResultSize Unlimited is given, which would silently make the search incomplete):
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'election OR candidate OR vote' `
    -TargetMailbox "Discovery Search Mailbox" -TargetFolder "AllMailboxes-Election" -LogLevel Full
• Exporting a user’s mailbox to PST (New-MailboxExportRequest exists only in on-premises
Exchange Server; in Exchange Online the export is done from the eDiscovery portal instead):
New-MailboxExportRequest -Mailbox nklein -FilePath "\\SERVER01\Discovery\PST\nklein.pst"
Mobile devices
• iPhone backups are commonly found in users’ iCloud accounts, but accessing them has legal implications.
• Some data will not be available, especially email.
• BYOD creates challenges to access personal devices.
• With most mobile devices, you also need the passcode.
Remote (and cloud) computers
• Traditionally done by self collection (Hello, IT?) or manual forensic imaging (full or
partial) of each computer.
• These can be slow, inefficient and prone to mistakes, and therefore prone to be incomplete
and inaccurate.
• There are better ways …
Remote computers with F-Response
For example, to process all prefetch files across a group of computers (the F-Response
targets, one per line in targetlist.txt) using TZWorks Prefetch Parser (pf) and F-Response:
# $t is the block device F-Response presents for each remote disk; mount it read-only
while read -r t; do
    mount -o ro "$t" /mnt/target
    ls /mnt/target/Windows/Prefetch/*.pf | pf -pipe -csv > "$(basename "$t").csv"
    umount /mnt/target
done < targetlist.txt
... or with forensic ninja tools
• Developing a tailored collection approach to:
• Identify relevant computers and users
• Collect comprehensive file listings from computers
• Filter and search for relevant material
• Extract forensic data, including locked files, e.g. MFT, PST, OST, EVTX, etc.
• Can all be easily done with free tools.
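The second and third steps of that approach, collecting file listings and filtering them, are shown below as an added example written for this page; it is not a tool from the deck. It uses PowerShell remoting (Invoke-Command over WinRM) to enumerate files on each host named in targetlist.txt, keeps enumeration errors as rows so that gaps in the listing are visible, saves one listing CSV per host, and then filters for recently modified documents of interesting types or file names containing a keyword. The host list, output folder, roots, extensions and keywords are assumptions for the example; locked files such as the MFT are only identified here, not extracted, which needs a raw-read tool.

```powershell
# Added example, not from the original deck: collect a file listing from each Windows
# host in targetlist.txt over WinRM (Invoke-Command), save it per host, then filter for
# material of interest. Host names, output folder, roots and filter terms are placeholders.
$Targets    = Get-Content -LiteralPath '.\targetlist.txt'      # one hostname per line
$OutputDir  = 'C:\Cases\2016-042\listings'
$Roots      = @('C:\Users')                                    # folders to enumerate on each host
$Since      = (Get-Date).AddDays(-90)
$Extensions = @('.pst', '.ost', '.docx', '.xlsx', '.pdf', '.zip')
$NameTerms  = @('board', 'minutes', 'tender')                  # matched case-insensitively in file names
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Runs on the remote host. Enumeration errors (locked or access-denied paths) are kept as
# rows rather than dropped, so the completeness of each listing can be judged later.
$Listing = {
    param([string[]]$Roots)
    $errs = @()
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable +errs |
            Select-Object @{n='Host'; e={ $env:COMPUTERNAME }}, FullName, Length,
                          @{n='CreatedUtc';  e={ $_.CreationTimeUtc.ToString('o') }},
                          @{n='ModifiedUtc'; e={ $_.LastWriteTimeUtc.ToString('o') }},
                          @{n='AccessedUtc'; e={ $_.LastAccessTimeUtc.ToString('o') }},
                          @{n='Error';       e={ '' }}
    }
    foreach ($e in $errs) {
        [pscustomobject]@{ Host = $env:COMPUTERNAME; FullName = "$($e.TargetObject)"; Length = $null
                           CreatedUtc = $null; ModifiedUtc = $null; AccessedUtc = $null
                           Error = $e.Exception.Message }
    }
}

foreach ($computer in $Targets) {
    try {
        $rows = @(Invoke-Command -ComputerName $computer -ScriptBlock $Listing -ArgumentList (,$Roots) -ErrorAction Stop)
    } catch {
        Write-Warning "${computer}: collection failed ($($_.Exception.Message))"
        continue
    }
    $rows | Export-Csv -LiteralPath (Join-Path $OutputDir "$computer-listing.csv") -NoTypeInformation -Encoding UTF8

    # Filter: recently modified files with an interesting extension, or file names containing a keyword
    $hits = foreach ($row in $rows) {
        if ($row.Error) { continue }                       # error rows carry no timestamps
        $name = [IO.Path]::GetFileName($row.FullName)
        $ext  = [IO.Path]::GetExtension($row.FullName).ToLowerInvariant()
        $recentDoc   = ($Extensions -contains $ext) -and ([datetime]$row.ModifiedUtc -ge $Since)
        $keywordName = [bool]($NameTerms | Where-Object { $name -match [regex]::Escape($_) })
        if ($recentDoc -or $keywordName) { $row }
    }
    @($hits) | Export-Csv -LiteralPath (Join-Path $OutputDir "$computer-hits.csv") -NoTypeInformation -Encoding UTF8
    $errCount = @($rows | Where-Object Error).Count
    '{0}: {1} files listed, {2} enumeration errors, {3} hits' -f $computer, ($rows.Count - $errCount), $errCount, @($hits).Count
}
```

Keeping the full listing and the filtered hits as separate files matters: the hits drive the next step (targeted extraction), while the complete listing plus its error rows is what lets you later state exactly what was and was not enumerated on each host.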
Using native Windows features
• Execute collection on a networked computer (\\server\share holds collection.bat and
receives its output):
psexec.exe \\hostname net use q: \\server\share /user:domain\user password
psexec.exe \\hostname q:\collection.bat
psexec.exe \\hostname net use q: /delete
• Caveat: the share credentials sit in plain text on the command line of both the local
and the remote process (and in anything that records process creation), so use a
dedicated collection account and change its password when the job is done.
• … did I mention these tools are free?
Conclusions
• These challenges will only become more complex.
• Each case has different requirements.
• Choosing the “best” approach requires:
Strong technical understanding of data sources
A broad suite of forensic tools and methods
Training and expertise to use them properly
Experience to develop and apply a thorough approach.
Nick Klein
SANS Institute
www.kleinco.com.au
@sansforensics