I'm talking in general terms. If you do a search in google for cloud forensics, you will find some research papers talking about why and how cloud forensics can be complicated. This is an example
First off, the paper you linked to is three years old.
Second, there are a lot of assumptions made in the paper that aren't mentioned…such as, what did the client establish contractually with the provider? That's kind of a big deal, and one that every client I'm aware of and had talked to had not taken into consideration when they sat down and signed the contract with the provider. As such, this is NOT a technical issue that can be solved through technical means.
Third, the paper, as I read it, is written using broad definitions of things like IaaS and SaaS without a real understanding of specific implementations.
Let's say an IT director feels or is told that he "needs the cloud" and what that means is that they're going to migrate their major applications to the cloud. Okay, so he needs to get computing power and computational capacity (i.e., not strictly storage). So he meets with a cloud provider that has a solution…SaaS, IaaS, etc. At this point, if the IT director signs the contract, we can assume that either (a) the provider had a provision in the contract that covered DFIR, and the IT director was happy with it, or (b) the provider did NOT have a provision in the contract that covered DFIR, and the IT director was happy with it.
Now, let's say something happens…an IT staff member gets phished, his creds to the cloud portal get compromised, and the bad guy accesses the systems in the cloud and does all manner of badness. Then what? At this point, you do not have technical issues or challenges…they're all legal and contractual, and depend heavily on what the IT director established in the contract and signed.
Nevertheless, you might be the best one to help me since you have done it before. Can you help me come up with a crime scenario committed in the cloud which I can solve by using some digital forensics tool?
Something that you may not realize is that not everything is a technical problem with a technical solution.
When I worked for the…we'll call it the "cloud company"…there were a couple of different types of issues we ran into…
One was when someone would use a stolen credit card to go to our web site and purchase a server. This server would then get turned up and the bad guy would access it remotely, via Terminal Services (if it was Windows). From there, they'd load tools and start to do bad things.
The "challenge" of access in this case wasn't a challenge…we owned the infrastructure. We had access to the systems, and the entire chain of activity…purchasing, the VM being turned up, etc…was documented. As the virtual system was fraudulently set up, we had legal recourse to address.
The second type of issue was one in which a bad guy would figure out how to access a client's system in our "cloud". *How* the bad guy figured out how to do this varied…but most often the client came to us and asked for help, which we provided. Again, we "owned" the core infrastructure, and all we needed was permission to access the systems…we'd suspend the virtual machine, if it made sense to collect memory, and then copy off the .vmdk file for analysis.
In one such instance, we determined that several bad guys had accessed the system. One had installed Havij, run it, and collected a series of hosts that could be compromised via SQL injection.
I thought about cloud storage at first because I thought it would be the easiest.
For example, let's assume person A has child pornography photos in his google drive and I want to prove him guilty of it. How? Technically?
Okay, now you've switched back to "cloud storage". Google drive is storage, and does not, in itself, have computing capacity.
To answer your question, I'll share how I might go about it…
First, you've got the image of his hard drive, and I'm going to assume that you have access to his Google Drive (how else would you know that there was CP being stored there?). Given this, I'd
- look for access to Google Drive (via browser or app)
- determine if there were any images on his system that matched those on Google Drive
- look for indications of access to the images themselves (Registry, Jump Lists, etc.)
A timeline of system activity, properly constructed, would be extremely beneficial in this case.
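The second bullet above (matching images on the suspect's system against those in the cloud account) comes down to hash correlation. The following is an added example, not code from the original post: it hashes every file exported from a disk image directory, compares the hashes against a listing of the cloud copies, and writes a manifest that documents what was matched. The directory layout, file contents and cloud listing are constructed sample data; in a real case the cloud hashes would come from hashing the files retrieved from the account.

```python
"""Correlate files exported from a suspect's disk image with files held in a
cloud-storage account, by SHA-256. Added example with constructed sample data;
all paths and file contents are hypothetical."""
import csv
import hashlib
import tempfile
from pathlib import Path

# Constructed files "exported" from the suspect's disk image (relative path -> bytes).
CONSTRUCTED_LOCAL_FILES = {
    "Users/suspect/Pictures/IMG_0042.jpg": b"\xff\xd8\xff\xe0 constructed image A",
    "Users/suspect/Downloads/vacation.jpg": b"\xff\xd8\xff\xe0 constructed image B",
    "Users/suspect/Documents/notes.txt": b"not an image",
}
# Constructed copies retrieved from the cloud account (name -> bytes). Only image A
# exists on both sides, so that is the one match the analysis should report.
CONSTRUCTED_CLOUD_FILES = {
    "drive/photos/0042.jpg": b"\xff\xd8\xff\xe0 constructed image A",
    "drive/photos/other.jpg": b"\xff\xd8\xff\xe0 constructed image C",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_manifest(root: Path) -> dict:
    """Map sha256 -> relative POSIX path for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[sha256_file(p)] = p.relative_to(root).as_posix()
    return manifest


def match_against_cloud(local: dict, cloud: dict) -> list:
    """Return (sha256, local_path, cloud_name) for each hash present on both sides."""
    return [(h, local[h], cloud[h]) for h in sorted(local) if h in cloud]


def write_manifest_csv(local: dict, matches: list, out_path: Path) -> int:
    """Document every hashed local file and which cloud object (if any) it matched."""
    matched = {h: name for h, _, name in matches}
    with open(out_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["sha256", "local_path", "cloud_match"])
        for h, rel in sorted(local.items(), key=lambda kv: kv[1]):
            w.writerow([h, rel, matched.get(h, "")])
    return len(local)


def build_sample_case():
    """Materialise the constructed data in a temp directory and return (root, cloud)."""
    root = Path(tempfile.mkdtemp(prefix="case_"))
    for rel, data in CONSTRUCTED_LOCAL_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    cloud = {hashlib.sha256(d).hexdigest(): name
             for name, d in CONSTRUCTED_CLOUD_FILES.items()}
    return root, cloud


def run_sample_case() -> list:
    """Hash the export, correlate it with the cloud listing, write the manifest."""
    root, cloud = build_sample_case()
    local = hash_manifest(root)
    matches = match_against_cloud(local, cloud)
    write_manifest_csv(local, matches, root / "manifest.csv")
    return matches


if __name__ == "__main__":
    for digest, local_path, cloud_name in run_sample_case():
        print(f"{digest[:16]}...  {local_path}  <->  {cloud_name}")
```

The manifest doubles as the documentation for a logical copy: every file that was hashed is listed with its digest, so the record of what was collected and what matched travels with the evidence rather than living in the analyst's notes.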
WOW, what a post. You made my life much easier. I can't be more thankful.
So, you are implying that if measures were taken into consideration before building a cloud service provider, things wouldn't be as bad. Issues are not necessarily technical of course. I can see that.
After reading your post, I now have a question for you. So you wouldn't categorize cloud forensics as an emerging area of digital forensics anymore? I'm asking because that's the impression I got from reading several related papers. I need to know this in order to properly continue.
Another question: Are there cloud forensics tools that are free or open source? Or maybe demo software that will work for some time?
So, you are implying that if measures were taken into consideration before building a cloud service provider, things wouldn't be as bad.
Not at all. I'm not implying that at all. I'm coming right out and saying it.
After reading your post, I now have a question for you. So you wouldn't categorize cloud forensics as an emerging area of digital forensics anymore? I'm asking because that's the impression I got from reading several related papers. I need to know this in order to properly continue.
That's up to you to decide. I'm giving you my thoughts and my experience. I do think that many of the papers that are available on the subject are making generalizations about different categories of cloud services (i.e., IaaS, SaaS, etc.), and finding challenges based on those generalizations.
Consider this…let's say that your definition of "cloud forensics" is as it relates to computing infrastructure, not simply storage. As such, an individual system within "the cloud" would exist as, say, a .vmdk file (assuming VMware, of course) sitting…somewhere. As such, if an incident occurs, then someone should be able to locate the virtual machine (VM) in a console, and take the appropriate action.
Now, if this is not possible, as suggested by many of the papers…the owners of the cloud provider cannot locate the specific VM, it is not isolated in a manner that *if* they could locate it they could pause the system, etc…well, then, the client should not have contracted with that provider. Or, the client should have said, "here are our needs, let us know if you can meet them."
Most of the "challenges" I've read about appear to be imaginary or self-inflicted.
Another question: Are there cloud forensics tools that are free or open source? Or maybe demo software that will work for some time?
Again, let's assume that by "cloud forensics", you mean that there's a Windows 2008 R2 server someplace in "the cloud" that needs to be analyzed. If this is the case, then you already have access to all of the tools you need…open the .vmdk file in FTK Imager Lite, export the data sources you need, parse them (into a timeline) with any number of free, open source tools.
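The last step in that reply, parsing the exported data sources into a timeline, is shown here as an added example that is not from the original post. It takes two constructed exports from a Windows server VM (a CSV of Security event log records in the server's local time, and NTFS timestamps in UTC), normalises both to epoch UTC, and emits one merged timeline in the five-field "time|source|host|user|description" format. The host name, time zone, event records and file paths are all assumptions made up for the example.

```python
"""Merge exported data sources from a VM into a single UTC timeline.
Added example with constructed records; host name, time zone and events are assumed."""
import csv
import io
from datetime import datetime, timedelta, timezone

HOST = "WIN2008R2-VM"  # hypothetical host name for the VM being analysed

# Constructed CSV export of Security event log records, in the server's local time.
EVTX_CSV = """TimeCreated,EventID,User,Message
2013-05-14 08:02:11,4624,CORP\\jsmith,An account was successfully logged on (Logon Type 10)
2013-05-14 08:05:43,4688,CORP\\jsmith,A new process has been created: C:\\Temp\\havij.exe
"""
# Assumption: the server's clock was set to UTC-4 (US Eastern, daylight time).
EVTX_TZ = timezone(timedelta(hours=-4))

# Constructed NTFS records from the exported volume, already in UTC: (time, path, MACB flag).
FS_RECORDS = [
    ("2013-05-14T12:05:40Z", "C:\\Temp\\havij.exe", "B"),  # B = file created
    ("2013-05-14T12:05:40Z", "C:\\Temp\\havij.exe", "M"),  # M = content modified
]


def to_epoch_utc(dt: datetime) -> int:
    """Normalise an aware datetime to integer seconds since the epoch, UTC."""
    return int(dt.astimezone(timezone.utc).timestamp())


def parse_evtx_csv(text: str, tz: timezone) -> list:
    """Event log rows -> (epoch, source, host, user, description) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(r["TimeCreated"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        rows.append((to_epoch_utc(local), "EVTX", HOST, r["User"],
                     f"EventID {r['EventID']}: {r['Message']}"))
    return rows


def parse_fs_records(records: list) -> list:
    """NTFS timestamp records (UTC) -> (epoch, source, host, user, description) tuples."""
    out = []
    for ts, path, macb in records:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((to_epoch_utc(dt), "FILE", HOST, "", f"{macb} {path}"))
    return out


def build_timeline(*sources) -> list:
    """Merge any number of parsed sources into sorted 'time|source|host|user|desc' lines."""
    events = sorted((e for s in sources for e in s), key=lambda e: (e[0], e[1]))
    return ["|".join([str(e[0]), e[1], e[2], e[3], e[4]]) for e in events]


def run_sample_timeline() -> list:
    return build_timeline(parse_evtx_csv(EVTX_CSV, EVTX_TZ), parse_fs_records(FS_RECORDS))


if __name__ == "__main__":
    for line in run_sample_timeline():
        print(line)
```

Once everything is on one clock the sequence reads on its own: the interactive logon, then the file being written to disk, then the process creation three seconds later. Getting the time zone of each source right is the step that most often goes wrong when merging exports, which is why it is an explicit parameter here rather than assumed.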
Again, I can't be more thankful to you. If you can help me in doing something that will demonstrate how one can extract or acquire data from the cloud (preferably cloud storage), I'll be more thankful. It is not necessary but I want to improve my paper with it. I have tried so many things but it didn't really work out well.
Things I tried were using Magnet Forensics IEF and Magnet Acquire, iPhone iExplorer, iPhone Analyzer, MOBILedit software, and the DEFT Linux distribution (forensics distro), and others. I faced a problem with each one of them.
I'll come again in a few hours and explain it in detail if you want. One example: Magnet IEF couldn't find any artifacts in a logical acquisition of an iPhone. I tried to do a physical acquisition (requires that the iPhone is jailbroken) but it fails after taking a very long time (9 hours = very time consuming)
2nd example All MOBILedit software ( http//
I also have a question since you are an expert in the field. Can I consider the need to do physical acquisitions (time consuming) as a disadvantage of cloud forensics?
I'm in a hurry to catch a class. Thanks again in advance.
Again, I can't be more thankful to you. If you can help me in doing something that will demonstrate how one can extract or acquire data from the cloud (preferably cloud storage), I'll be more thankful.
I have tried so many things but it didn't really work out well.
I'm sure…not all things in this field "work out well". However, from your correspondence in this thread, I get the impression that it's more due to a need for focus.
Things I tried were using Magnet Forensics IEF and Magnet Acquire, iPhone iExplorer, iPhone Analyzer, MOBILedit software, and the DEFT Linux distribution (forensics distro), and others. I faced a problem with each one of them.
Sounds like you've done a lot of work…but for what purpose?
I'll come again in a few hours and explain it in detail if you want. One example: Magnet IEF couldn't find any artifacts in a logical acquisition of an iPhone.
How do you know? Did you identify the artifacts first, and then decide on the tool to use to locate, extract, and display them…or did you just run the tool?
I also have a question since you are an expert in the field. Can I consider the need to do physical acquisitions (time consuming) as a disadvantage of cloud forensics?
First off, I'm not an expert in the field…I'm simply one of the few that are attempting to reason through this with you.
Second, I can't even begin to answer that question, because I still really don't have a clear understanding of what you consider "cloud forensics".
If you're talking about storage, such as Dropbox, then I'd consider this…why would you need a physical acquisition? I would think that a logical copy of any files…along with the appropriate documentation and hashes…would be sufficient.
If you're referring to a virtual machine in the "cloud", I don't see why pausing the VM wouldn't be sufficient…you can dump memory that way. Depending upon when the event or incident occurred, you may not even need memory, and getting a copy of the virtual machine file itself would be sufficient.