I'm processing through my notes for the 2013 Techno Security Conference, which is finishing up today with post-cons. Of all the sessions I attended, the best one was Cloud Security and Digital Forensics, presented by Ken Zatyko. This was actually a replacement talk, because the talk I wanted to see the most was canceled. However, that's what serendipity is all about, right?
When it comes to the physical work, forensics generally works on Locard's Exchange Principle. The catch with cyber crime is that there doesn't have to be physical contact. So are there still traces? Zatyko said yes, he believes there should still be, but you can't bet that they'll be on the final system, the one we're most concerned with. But what if we expanded out past that final system?
"Artifacts of electronic activity in digital devices are detectable through forensic examination, although such examination might require access to computer and network resources involving expanded scope that may involve more than one venue and geolocation." - Zatyko and Dr. John Bay, 2011
This should also apply to cloud computing. Too much is focused on the back-end data or the client piece used to connect to the cloud. This falls in line with traditional digital forensics which focuses on that single desktop, laptop, or mobile device. As devices and systems become ubiqitous and since storage is so cheap, digital forensics is already dealing with how to deal with all that other data. It's having to look beyond the single desktop. Digital forensics with respect to cloud computing needs to do so, too. The basics still apply, though:
"The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation." - Ken Zatyko
Which leads to the following list of what you need to do credible digital forensics for Cloud Computing. Note, none of this is any different than traditional digital forensics:
- Search authority
- Chain of custody
- Imaging/hashing function
- Validated tools
- Analysis
- Repeatability (QA)
- Reporting
- Possible Expert Presentation
With respect to Cloud Computing, here are portions of the architecture that we need to consider further because they probably aren't being considered enough:
- Cloud Scheduler/Manager - software that logs and manages usage, etc.
- Cloud Instance - hypervisor and virtual machines themselves
One of the things that needs to be pointed out is that with multi-tenancy, the possibility of a situation like Moonlight Maze is real.It'll be hard to detect where the real attacks are coming from and by being inside the system we can probe other tenants in the system.
So where does Zatyko think we can find traces? These are straight from my notes and are in outline form:
- Cloud Client
- Traditional forensics
- ISP records
- Cloud Scheduler/Manager
- Logs of inbound connections, cloud instances and physical hardware used to service clients
- Consumer account information
- Internal cloud service provider audit logs
- Authentication and access logs (control granted to customers for use of applications and services)
- Cloud Instances
- Traditional forensics
- May require remote acquisition and credentials
- Hypervisor
- Dependent on type of hypervisor (bare metal vs. hosted, etc.)
- Log files detailing cloud instance behavior
- Cloud instance memory and disk state
- VM introspection data (if available)
- Administrative Domain (Domain 0 - management domain)
- virtual disk images
- cloud instance memory
- Cloud storage
- Data stored by a cloud instance
- Physical Systems
- Traditional acquisition of disks and memory
He also gave some attack vectors to Cloud Computing:
- traditional attacks against cloud instances
- supply chain attacks against firmware and hardware of physical systems
- virtualization break-out attacks
- traditional insider threats within the consumer's organization
- malicious insiders at the cloud provider
- malicious cloud providers
- foreign espionage facilitated by offshore hosting and storage
And some challenges with respect to performing digital forensics:
- low technical and legal expertise
- location of data
- proliferation of endpoints (time lining, logs formats, deleted data)
- evidence segregation (concealment, decryption)
- data redundancy
- correlation of chain links
- SLAs
- tenant rights, evidence admissibility, and chain of custody
