Forensic Challenges with Cloud Computing
Brent Muir - 2012
Agenda:
Types of Cloud Computing
Facing the Unknown – Backend Infrastructure
Accessing the Cloud (remote, datacenters)
Types of Data (VM filesystems, loose files, emails, etc)
The “Grey” Area – Jurisdiction and Legislation
Forensically “Sound” Procedures (industry best practice)
Real-world examples:
◦ Australian Cloud Storage Provider (CSP)
◦ Microsoft SkyDrive
Recommendations
Two types of Cloud technologies:
◦ Cloud Processing (e.g. Amazon EC2): Distributed processing power available on-demand that
speeds up resource intensive procedures
Examples: password cracking, video rendering
◦ Cloud Storage (e.g. Dropbox, SkyDrive, iCloud, etc): Remotely stored files that are available over the internet
from any location without the need for localised storage solutions
Examples: email, office documents, photos, videos
Hybrid Mix:
◦ Cloud solutions that provide file storage and fully virtualised infrastructure to replace traditional hardware
Example: Virtual Machines (VMs) hosted in the cloud
Facing the Unknown – Backend Infrastructure:
◦ A variety of hardware and infrastructure is available to create a private cloud
◦ Depending on the complicity of the provider, the backend may remain an unknown
◦ Depending on the Persons Of Interest (POI) involved in the investigation, covert access may be required
Accessing the Cloud:
Datacenters
◦ If local, this will be the fastest solution
◦ Requires assistance from the host, using the host's infrastructure
Remote
◦ Depending on the host, it might not be possible to attend the physical datacenter
◦ Accessing over the internet requires patience: slow, prone to drop-outs
◦ Possibility to “push” the content out of the cloud rather than pulling it down
◦ Requires assistance from the host, using the host's infrastructure
Types of Data:
VM data
◦ Various file systems (depending on the OS involved)
  Common – FAT, NTFS, Ext2/3, HFS+
  Virtualisation/datacenter – VMware VMFS, ReFS
◦ Disk images: VMDK, VHD
Loose files
◦ Graphic files: JPG, GIF, PNG, PSD, etc
◦ Video files: MP4, MOV, AVI, WMV, FLV, etc
◦ Document files: DOC, PDF, XLS, PPT, etc
Emails
◦ Varies depending on the host provider
CSP user account details
◦ Financial information used to create accounts (if applicable)
◦ Contact information
Network logs
◦ IP addresses of users/accounts
◦ Dates and times of logins
The “Grey” Area – Jurisdiction and Legislation:
Crimes committed over the internet?
◦ Who has jurisdiction?
Geographical nature of the “Cloud”
◦ Often replicated across various datacenters
◦ Not necessarily in the same country as the Person Of Interest (POI)
◦ The country (and CSP) hosting the content may not have any legal requirement (or willingness) to cooperate
Depends on the countries involved
◦ Hosting the content
◦ Where the CSP business is registered
Australia:
◦ Cybercrime Act 2001, Schedule 1 – Computer offences
◦ Criminal Code Act 1995, s 478.1 – Unauthorised access to, or modification of, restricted data
Forensically “Sound” Procedures:
Standard forensic procedure requires read-only access to potential evidence items
◦ There is no write-blocker for the internet
Each cloud host will have different infrastructure
Emails: always ensure the export type includes headers (the Received chain carries the originating IP and transit timestamps)
VMs: capture RAM, try to get VM HDD images
Storage: try to capture without modification of MAC times
Logs: network
Real-world example 1 – Australian Cloud Storage Provider (CSP):
Providing storage and processing services
◦ Including hybrid VM hosting
Person Of Interest (POI) had multiple VMs hosted on the service
◦ VMs running Windows Server 2008 R2
CSP backend running Linux in the datacenter
◦ Non-standard file system (common in datacenters due to the size limitations of Ext2, Ext3, etc)
◦ Frontend running an “Open Xen” control panel
Initially given the wrong address
◦ Warrant issued for the business address, not the datacenter
VMs were running live
◦ Changed user credentials
◦ Captured RAM over the internet connection, utilising FTK Imager
Limited tools available to CSP admins from the control panel
◦ While running live, converted the VMs to ntfsclone images as the only available option
Had to attend the physical datacenter to retrieve the converted (ntfsclone) images due to time constraints
◦ Alternative was to download over the internet – very slow!
ntfsclone's special image format is non-standard (only in-use clusters are stored, so it is much smaller than a raw image)
◦ Inability to see the MBR (partition only)
◦ Unable to be interpreted by any forensic suite at the time
Restored the image in Linux to a standard raw partition image (the output is still a partition, not a disk, so it has no MBR):
ntfsclone --restore-image -o /mnt/sdb1/backup.dd /mnt/hda1/backup.img
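The restore above yields a partition image without an MBR, which is exactly why a suite that expects a whole disk struggles with it. The following Python is an added example, not part of the original presentation: it reads the NTFS boot sector of such an image to confirm what was restored (cluster size, $MFT location, volume serial, and the hidden-sectors field that records where the partition sat on the original disk), tells a bare partition apart from a whole-disk image with a partition table, and can wrap the partition in a synthesised MBR at that original offset so a disk-oriented tool can open it. Field offsets are the documented NTFS BPB and MBR layouts; the sample sectors are constructed; the prepended MBR is an analyst artefact, not evidence, and should be recorded as such in the notes.

```python
"""Inspect a raw image: whole disk (MBR) or bare NTFS partition, which is what
ntfsclone --restore-image produces.

Added example, not from the original presentation. The boot sectors built
by make_ntfs_boot_sector()/make_mbr() are synthetic test data.
"""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "


def parse_ntfs_boot_sector(sector):
    """Decode the NTFS BIOS Parameter Block; None if this is not an NTFS VBR."""
    if len(sector) < SECTOR or sector[3:11] != NTFS_OEM or sector[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    hidden_sectors = struct.unpack_from("<I", sector, 0x1C)[0]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    cluster = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster,
        "hidden_sectors": hidden_sectors,  # LBA where this partition started on the original disk
        "total_sectors": total_sectors,    # excludes the final sector that holds the backup boot sector
        "partition_bytes": (total_sectors + 1) * bytes_per_sector,
        "mft_offset": mft_lcn * cluster,
        "mftmirr_offset": mftmirr_lcn * cluster,
        "volume_serial": f"{serial:016X}",
    }


def parse_mbr(sector):
    """Decode a classic MBR partition table; None if the sector does not look like one."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa" or sector[3:11] == NTFS_OEM:
        return None
    parts = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from("<8BII", sector, 0x1BE + 16 * i)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80) or lba == 0 or count == 0:
            return None  # boot code of some other VBR landing in the table area, not a real table
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts or None


def inspect_image(data):
    """Classify an image and, for a bare NTFS partition, compare its size with the BPB."""
    ntfs = parse_ntfs_boot_sector(data[:SECTOR])
    if ntfs:
        return {"kind": "ntfs_partition", "bpb": ntfs,
                "size_delta": len(data) - ntfs["partition_bytes"]}
    parts = parse_mbr(data[:SECTOR])
    if parts:
        return {"kind": "mbr_disk", "partitions": parts}
    return {"kind": "unknown"}


def make_mbr(entries):
    """Build an MBR sector from (type, lba_start, sectors) tuples (constructed data)."""
    s = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into("<8BII", s, 0x1BE + 16 * i,
                         0x80 if i == 0 else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def wrap_as_disk(partition):
    """Prepend a synthesised MBR so a partition-only image can be opened as a disk.

    The table entry reuses hidden_sectors as the start LBA and pads with zeros up
    to it. Everything before the partition is analyst-generated, not evidence.
    """
    bpb = parse_ntfs_boot_sector(partition[:SECTOR])
    if bpb is None:
        raise ValueError("not an NTFS partition image")
    start = bpb["hidden_sectors"] or 1  # LBA 0 is the MBR itself, so the partition must start at >= 1
    count = len(partition) // bpb["bytes_per_sector"]
    return make_mbr([(0x07, start, count)]) + bytes(SECTOR * (start - 1)) + partition


def make_ntfs_boot_sector(total_sectors, hidden_sectors=2048, serial=0x1234567890ABCDEF):
    """Constructed NTFS VBR for the demonstration (not from any real volume)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = NTFS_OEM
    struct.pack_into("<HB", s, 0x0B, 512, 8)  # 512-byte sectors, 8 per cluster -> 4 KiB clusters
    s[0x15] = 0xF8                             # media descriptor: fixed disk
    struct.pack_into("<I", s, 0x1C, hidden_sectors)
    struct.pack_into("<QQQ", s, 0x28, total_sectors, 4, total_sectors // 2)  # total, $MFT LCN, $MFTMirr LCN
    s[0x40] = 0xF6                             # clusters per MFT record: negative => 2**10 bytes
    struct.pack_into("<Q", s, 0x48, serial)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    part = make_ntfs_boot_sector(4095) + bytes(SECTOR * 4095)  # 2 MiB constructed partition
    print(inspect_image(part))
    print(inspect_image(wrap_as_disk(part))["partitions"])
```

A non-zero `size_delta` on a restored image means the conversion was cut short or the BPB is not the partition you think it is; check that before spending time on carving.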
Also attempted to image the VMs live via FTK Imager over the internet connection
◦ Three VMs (20 GB each)
◦ Failed multiple times
◦ Very slow
◦ Gave up with partial images after 10 days (none completed correctly)
Client was originally after deleted contents from previously existing VMs
◦ POI was trashing VMs and creating new ones every 2 weeks!
CSP had no way of knowing what physical infrastructure the previous VMs had existed on
◦ Once deleted from the system, all resources were reallocated to the “pool”
◦ All storage/processing is allocated on the fly when end users set up a new VM
CSP fully cooperative and willing to comply with the warrant
◦ Handed over the POI's content, due to the fact that the POI had been paying for the service with stolen credit card numbers
◦ Had it been another user who had purchased the services legitimately, not sure the CSP would have been as cooperative
◦ Due to the fact that the CSP had not broken any laws directly
◦ ToS and T&Cs negate legal liability (a grey area of law which has not been challenged in court)
Real-world example 2 – Microsoft SkyDrive:
Providing storage services
◦ 25 GB plus an extra 5 GB of “synced” storage per account
Ability to have unlimited accounts
◦ Potential to link accounts
◦ Share data across unlimited accounts
POI storing illicit content (documents, photos & videos) and communications
Unless “synced”, nothing is stored locally
◦ Not even “local” geographically speaking
◦ Content replicated across numerous Microsoft datacenters around the world
POI popped up during an investigation
◦ Admitted to having material and emails stored on SkyDrive
◦ Legally signed over the account
Email:
◦ Microsoft's “Hotmail Connector” for Outlook
  Locally downloads all email and attachments to a PST
  The PST can be imported into your favourite forensic suite (X-Ways, EnCase, FTK, Nuix, etc)
◦ During the email “sync” it kept dropping out
  Had to be restarted numerous times before all content
◦ Contacted the Microsoft Law Enforcement Portal to find an alternative to Hotmail Connector
  None currently exists
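The reason the procedures slide insists that an email export keep its headers is that every relaying MTA prepends a Received line carrying the peer's address and a timestamp; an export that drops them loses the originating IP entirely. The following Python is an added example, not part of the original presentation: it checks that an exported message still has its Received headers, walks them in delivery order (MTAs prepend, so header order is newest first), and flags a timeline that runs backwards or a hop whose "from" does not match the previous hop's "by", both signs of injected headers. The message is constructed and uses documentation IP ranges and example hostnames.

```python
"""Confirm an exported message kept its transit headers, then walk the Received chain.

Added example, not from the original presentation. SAMPLE_EML is a
constructed message; hosts and addresses are example/documentation values.
"""
import email
import re
from email.utils import parsedate_to_datetime

SAMPLE_EML = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.25])
\tby mail.example.org with ESMTP id abc123
\tfor <victim@example.org>; Thu, 01 Mar 2012 09:31:07 +1100
Received: from [192.0.2.77] (cpe-192-0-2-77.isp.example [192.0.2.77])
\tby mx2.example.net with ESMTPA id xyz789;
\tWed, 29 Feb 2012 22:30:40 +0000
From: "A Sender" <sender@example.net>
To: victim@example.org
Subject: invoice
Date: Wed, 29 Feb 2012 22:30:12 +0000
Message-ID: <20120229223012.1@example.net>

Please see attached.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into from/by hosts, the bracketed peer IP and the timestamp."""
    text = " ".join(str(value).split())        # unfold continuation lines
    clause, sep, stamp = text.rpartition(";")  # the date follows the last ';'
    if not sep:
        clause, stamp = text, ""
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    ips = BRACKETED_IPV4.findall(clause)
    when = None
    if stamp:
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                       # keep the hop; just no usable timestamp
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": ips[0] if ips else None,       # first bracketed address is the connecting peer
        "time": when,
    }


def export_has_headers(raw):
    """False for a body-only export that lost its transit headers."""
    return bool(email.message_from_bytes(raw).get_all("Received"))


def transit_path(raw):
    """Hops in delivery order, origin first (reverse of header order)."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def timeline_is_monotonic(hops):
    """Each relay should stamp a time no earlier than the previous one."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


def chain_is_consistent(hops):
    """Hop N's 'by' host should reappear as hop N+1's 'from' host."""
    return all(a["by"] is not None and a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


def origin_ip(raw):
    hops = transit_path(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in transit_path(SAMPLE_EML):
        print(hop)
    print("origin:", origin_ip(SAMPLE_EML))
```

A chain that is neither monotonic nor consistent is not proof of forgery (clock skew and load balancers both break it), but it tells you which hop's operator to ask for their own logs.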
Other Content:
◦ 2 options:
  Windows Live Mesh: sync folder/s and download the content, which can then be imaged or added to a logical evidence container; 5 GB limitation on content synced through Mesh
  Individually download each item through the web browser: potentially affects the filesystem MAC times, but not the file's internal metadata
◦ No other solution suggested by the Microsoft Law Enforcement Portal
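Both the procedures slide (capture without modifying MAC times) and the per-item browser download above raise the same question: which timestamps can a logical copy actually preserve, and how do you prove the copy matches? The following Python is an added example, not part of the original presentation. It records each source file's stat() and SHA-256 before anything else reads it, copies it, re-applies the recorded atime/mtime, and writes a manifest noting which timestamps survived, with a verify step that re-hashes the copies later. The directory names are the example's own. The ordering matters: stat before hashing, because the hashing read itself can bump the source atime, and copystat alone would carry that bumped value across; ctime cannot be set from userspace, so it is reported rather than preserved.

```python
"""Logical acquisition that records hashes and timestamps before anything is
copied, then reports what the copy preserved.

Added example, not from the original presentation; directory layout in demo()
is constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src_dir, dst_dir):
    """Copy every regular file under src_dir into dst_dir and write dst_dir/manifest.json.

    Each entry records the source's size, hash and a/m/ctime as seen *before* the
    file was read, and whether the copy ended up with the same timestamps.
    """
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    entries = []
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        st = src.lstat()                    # stat first: hashing reads the file and may bump atime
        digest = sha256_file(src)
        dst = dst_dir / src.relative_to(src_dir)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)              # copyfile + copystat (copystat sees the post-read atime)
        os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))  # re-apply the pre-read values instead
        ds = dst.lstat()                    # capture before hashing the copy, for the same reason
        entries.append({
            "relpath": src.relative_to(src_dir).as_posix(),
            "size": st.st_size,
            "sha256": digest,
            "src_mtime_ns": st.st_mtime_ns,
            "src_atime_ns": st.st_atime_ns,
            "src_ctime_ns": st.st_ctime_ns,
            "mtime_preserved": ds.st_mtime_ns == st.st_mtime_ns,
            "atime_preserved": ds.st_atime_ns == st.st_atime_ns,
            "ctime_preserved": ds.st_ctime_ns == st.st_ctime_ns,  # normally False: ctime is kernel-set
            "copy_hash_ok": sha256_file(dst) == digest,
        })
    (dst_dir / "manifest.json").write_text(json.dumps(entries, indent=1))
    return entries


def verify(dst_dir):
    """Re-hash the copies against the manifest; return relpaths that differ or are missing."""
    dst_dir = Path(dst_dir)
    entries = json.loads((dst_dir / "manifest.json").read_text())
    return [e["relpath"] for e in entries
            if not (dst_dir / e["relpath"]).is_file()
            or sha256_file(dst_dir / e["relpath"]) != e["sha256"]]


def demo():
    """Acquire a constructed one-file tree, then tamper with the copy to show verify() catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "evidence"
        (src / "docs").mkdir(parents=True)
        sample = src / "docs" / "notes.txt"
        sample.write_bytes(b"hello cloud")
        old = 1_330_000_000_000_000_000     # ns since epoch (Feb 2012): make the file look old
        os.utime(sample, ns=(old, old))
        entries = acquire(src, dst)
        clean = verify(dst)
        (dst / "docs" / "notes.txt").write_bytes(b"tampered")
        return {"entries": entries, "clean": clean, "tampered": verify(dst),
                "expected_sha256": hashlib.sha256(b"hello cloud").hexdigest(), "old_ns": old}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["entries"], indent=1))
    print("verify before tamper:", result["clean"], "after:", result["tampered"])
```

The manifest, not the copied tree, is what you hash and sign for the chain of custody: the tree's own ctimes will always say "acquisition day".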
Mutual Legal Assistance Treaty (MLAT):
◦ Send the content host a preservation notice
  Generally takes the account/s offline
  A snapshot of all data is taken
◦ Approximately an 18 month process once the paperwork is filed to receive content from the host
◦ Must provide all paperwork in accordance with the host country (generally USA)
MLAT process (flowchart): Local Agency → Attorney-General's Department (ACT) → USA Department of Justice (DoJ) → US Court Order produced → Microsoft
Recommendations:
Use a standalone internet-enabled machine to capture remote content
◦ Forensically wiped upon job completion
Send a preservation request to the CSP (assuming it is legally compliant)
Consult with the technical people employed by the CSP prior to “capture”
Expect the unexpected: non-standard file systems (e.g. Oracle FS)
References:
Choo, K. (2010) “Cloud computing: Challenges and future directions”, Trends & Issues in Crime and Criminal Justice no. 400, Australian Institute of Criminology.
Lillard, T. (2010) Digital Forensics for Network, Internet, and Cloud Computing, Syngress, USA.
Martini, B. & Choo, K. (2012) “An integrated conceptual digital forensic framework for cloud computing”, Digital Investigation, Volume 9, Issue 2, November 2012, pp. 71–80.
Criminal Code Act 1995
Cybercrime Act 2001
Telecommunications (Interception) Act 1979