I am updating my Checklist notes on the Standards, Best Practices, Guidelines when acquiring target machines in various scenarios and IT infrastructure.
I'm interested in knowing what other Examiners view as Standards, Best Practices, Guidelines when dealing with a complex setup. 'Complex Setup'... this is where the Vets come in; what are you seeing out there in the wild west of IT Infrastructure?
Target Machine Examples:
- Cloud Computing - (AWS, Azure, etc) running Docker, Kubernetes, and other Containers.
- Capturing embedded/soldered RAM vs slot RAM, Cold Boot attack on embedded/soldered RAM
- Drones, CCTV, and IoTs
- Latest Cellphones
To help respond can you confirm when you last (as in year 2015 etc) updated your Checklist notes for each of the categories you have stated?
A lot has happened over time and obviously no use in posting if you already have info covered in your Checklist if it is only 6 months old, e.g.
1) Have you visited all the Cloud tool providers (see FF partners display ads) that provide blogs, info sheets and webinars? - examples are: https://www.magnetforensics.com/mvs-recordings/ ; https://www.guidancesoftware.com/encase-forensic ; https://www.nuix.com/search?query=cloud
2) Have you searched FF for Cloud Forensics as there are other tool suppliers that can assist?
3) Are you aware of the various proposed Cloud Forensics Methodologies?
4) Some standards provide useful supporting technical details - https://trewmte.blogspot.com/2013/08/lawful-interception-cloudvirtual.html
5) Have you checked out current best practice that is promoted? - https://www.swgde.org/documents/published
Might help get more replies to Cloud in your post, maybe...
Thanks for the links.
Between 2 Google Drive accounts, I have a lot of documents as 'running' notes over the years. But it has been a while since I updated my Standards, Best Practices, Guidelines documents.
For sure I know the cloud computing info is outdated. Just from the mere fact that Cloud is so complex (there really isn't a standard setup). I particularly want to know all the Checklist items when dealing with running Docker, Kubernetes, and other Containers.
Can you shed some light on the various proposed Cloud Forensics Methodologies?
Thanks.
Here is a long list. As you can see from the titles there is no single global one-size-fits-all statement. What these methodologies and models do is enable you to assess whether the Checklists you have can be improved upon with their suggestions or guidance you hadn't thought of, or had thought of but didn't realise there had been an update that requires modifying your checklist.
* Tackling cloud security issues and forensics model
* An Email Forensics Analysis Method Based on Social Network Analysis
* Digital forensics in social networks and the cloud: Process, approaches, methods, tools, and challenges
* Design and Implement of a Computer Forensics Model for Cloud Environments
* An OCL-Based Formal Model for Cloud Forensics
* A Digital Forensics Method in Cloud Computing Environment
* Towards the Development of a Cloud Forensics Methodology: A Conceptual Model
* A Cloud-Focused Mobile Forensics Methodology
* OCF: An Open Cloud Forensics Model for Reliable Digital Forensics
* SIDNFF: Source identification network forensics framework for cloud computing
* Cloud forensics challenges from a service model standpoint
* ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics
* CURE—Towards enforcing a reliable timeline for cloud forensics: Model, architecture, and experiments
* A Meta-model for Assisting a Cloud Forensics Process
* A framework for cloud forensics evidence collection and analysis using security information and event management
* Chronos: Towards Securing System Time in the Cloud for Reliable Forensics Investigation
Thanks a MILLION. I am going through list now.
From your blog I see that you have done some extensive work with the actual hardware of mobile phones. I will be looking to enroll in a JTAG and Chip-Off techniques course within a few months. So soon, I might need to pick your brain on some issues relating to those areas.
CLOUD
Ok hope you find them useful. I do have about 120 different papers on methods, models and frameworks and cloud-specific approaches and these are associated with the last 12 years or so. If you have something specific on Cloud Forensics then no harm in asking.
Now regarding Cloud and Standards I would highly recommend, if you are NOT bound to comply with ISO17025, ISO17020 etc for the purposes of accreditation, then very popular ISO standards in the digital forensics community are:
ISO/IEC 27037: 2012: Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27041: 2015: Guide for incident investigations
ISO/IEC 27042: 2015: Guide for digital evidence analysis
ISO/IEC 27043: 2015: Incident investigation principles and processes
What you will find is that there has already been a considerable body of work that has been done to cross-reference ISO standards to forensic subject specific matters. I would highly recommend you read CLOUD SECURITY ALLIANCE Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, June 2013 as a starting point.
Also there is the 'Live For' project - that was funded by the European Union’s Justice Programme (2014-2020). Their short publication 'Best practices in cloud forensics' is useful to have.
I hope you had or will have an opportunity to look at the Cloud website tool providers that I mentioned earlier as they offer useful guidance but also identify potential evidence that can be acquired, too. For instance, the Magnet Axiom webpage is a good example of what I am talking about - https://www.magnetforensics.com/docs/axiom/html/Content/en-us/acquire-cloud/acquiring-cloud-evidence.htm#Supporte
As we know Cloud reading materials are voluminous, so perhaps if you have a specific query that I might be able to help with then I won't post any more references, unless you need help finding them.
Cold Boot Attacks
You will need to let me know which approach you intend to take so that I know whether I can even answer the queries you might have.
JTAG/Chip Off
Fine, I have quite a bit of training knowledge in this area. Although if I cannot help I know there are others out there who have a very high degree of experience that might assist.
BR