Forensic in the Cloud
I'm doing some simple research on forensics in the cloud and I have some questions.
First of all, I was reading a paper in which the researchers were evaluating current tools (like FTK and EnCase) in a cloud environment. They wanted to know whether these tools can acquire forensic data. So they created an EC2 instance, downloaded Apache on that instance, made some web pages and compromised the machine using a web-based vulnerability. Then they acquired an image and checked whether they could find the timeline of their activities.
My question is: once I've acquired an image of an EC2 EBS drive, doesn't the situation become the same as if I had acquired an image from a local disk? I mean, what's the difference? Isn't acquiring the image from a cloud environment the hard part? Or is there something else that I'm missing?
There are still lots of issues with Cloud Forensics, such as legal issues, privacy issues, geographic location issues… When you want to find out whether a suspect hid some data in some Cloud service, first you need the suspect's credentials to acquire logical evidence. And it still depends on whether the Cloud service provider cooperates or not… Otherwise you try to hack/crack it…
If you want to acquire an image of a Cloud service to find the evidence, the Cloud service provider would claim that their servers are at different geographic locations… which server do you want to acquire? Each server may have a capacity of a couple of TBs… how would you acquire from such a huge-capacity disk and how long would it take? Maybe you went to London to acquire a 1 TB image file… and you have to go to Taipei for another acquisition… it's a big challenge for forensic examiners.
Now we emphasize the issues of privacy and security. The suspect may use such laws against you… and he/she would tell everybody who uses the same Cloud service that you want to acquire data from the Cloud service… including everybody's data… It sounds scary, right? People will say you are invading their privacy and won't allow you to do so…
I'm interested in Cloud Forensics too… and I'm working on it… If any examiners know how to do Cloud Forensics, please let me know… I'd appreciate any info you guys can provide. Thanks a lot.
Thanks for your reply Rick.
Now let's assume that I have access to the EC2 instance (whether a private key for a Linux instance or the username and password for a Windows instance), and I used software like FTK Remote Agent to acquire an image. Isn't this image the same as if I had been able to go to the data center and physically connect and acquire the image?
In my opinion, those are different things. First, remote acquisition means you are not sure whether the server (virtual machine or physical one) is still being accessed or not… if it is still being accessed, the MD5 hash value of the image acquired may differ from the original…
Just like online services running on a production server, the best situation is to ask them to shut the server down or block access… but in reality… you cannot ask your client to just shut it down in order to acquire an image of the disks…
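As an added illustration of the point in the reply above (this is example code written for this page, not code from the thread, from FTK or from EnCase): an imaging tool's acquisition hash only proves that the image file matches the bytes that were read during the copy. It says nothing about whether the source disk stood still. Hashing the source once before and once after the copy, and comparing both to the acquisition hash, is the check that tells the two situations apart. The "disk" here is a constructed temporary file of random bytes standing in for a block device or an EBS volume, and the `activity` hook is a hypothetical stand-in for whatever a live server does while it is still being accessed.

```python
# Added example (not from the original posts or from FTK/EnCase): chunked
# acquisition of a raw image with MD5 and SHA-256 computed on the streamed
# bytes, plus a re-hash of the source before and after the copy. If the
# source keeps changing (a live server still being accessed), the before
# and after hashes disagree and the image cannot be tied to one state of
# the original disk. The source is a constructed sample file.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024
ALGOS = ("md5", "sha256")


def _new_hashes():
    return {a: hashlib.new(a) for a in ALGOS}


def hash_file(path):
    """Hash a file or block device in chunks; returns {algo: hexdigest}."""
    hs = _new_hashes()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire(source, dest):
    """Stream source to dest, hashing exactly the bytes that were written.

    This is the 'acquisition hash' an imaging tool records: it proves the
    image matches what was read, not that the source did not change."""
    hs = _new_hashes()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            for h in hs.values():
                h.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire_and_verify(source, dest, activity=None):
    """Hash the source, image it, hash the source again, hash the image.

    `activity` is a hypothetical hook representing whatever a live system
    does between the pre-hash and the copy (users, cron jobs, the attacker).
    Returns the four hash sets plus two verdicts."""
    before = hash_file(source)
    if activity is not None:
        activity()
    acquired = acquire(source, dest)
    after = hash_file(source)
    image = hash_file(dest)
    return {
        "before": before,
        "acquired": acquired,
        "after": after,
        "image": image,
        # the image file is byte-identical to what was streamed
        "image_matches_stream": image == acquired,
        # the source did not change across the whole acquisition window
        "source_stable": before == acquired == after,
    }


def make_sample_disk(path, size):
    """Constructed sample 'disk': random bytes, not a real volume."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))


def simulate_live_write(path):
    """Constructed stand-in for a server still in use: overwrite one
    sector-sized region in place."""
    with open(path, "r+b") as f:
        f.seek(512 * 3)
        f.write(b"\x00" * 512)


def run_demo():
    """Run a quiet acquisition and a live one; return both result dicts."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    src = os.path.join(workdir, "disk.raw")
    img = os.path.join(workdir, "disk.dd")
    make_sample_disk(src, 3 * CHUNK + 4097)  # deliberately not a CHUNK multiple
    quiet = acquire_and_verify(src, img)
    live = acquire_and_verify(src, img, activity=lambda: simulate_live_write(src))
    return {"quiet": quiet, "live": live}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: image_matches_stream={r['image_matches_stream']} "
              f"source_stable={r['source_stable']} "
              f"sha256={r['image']['sha256'][:16]}...")
```

In the "live" run the image still verifies against its own acquisition hash, which is exactly why that hash alone is not evidence that the copy reflects the disk as it was before the examiner connected; only the before/after comparison exposes the change. On a real system `source` would be the device node, and the way to make `before`, `acquired` and `after` agree is to image something that cannot change underneath you, such as a volume created from a snapshot, rather than the disk of a server that is still serving requests.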