I'm processing through my notes for the 2013 Techno Security Conference, which is finishing up today with post-cons. Of all the sessions I attended, the best one was Cloud Security and Digital Forensics, presented by Ken Zatyko. This was actually a replacement talk, because the talk I wanted to see the most was canceled. However, that's what serendipity is all about, right?
In the physical world, forensics generally rests on Locard's Exchange Principle: every contact leaves a trace. The catch with cyber crime is that there doesn't have to be physical contact. So are there still traces? Zatyko said yes, he believes there should still be, but you can't count on finding them on the target system, the one we're most concerned with. But what if we expanded the search out past that target system?
"Artifacts of electronic activity in digital devices are detectable through forensic examination, although such examination might require access to computer and network resources involving expanded scope that may involve more than one venue and geolocation." - Zatyko and Dr. John Bay, 2011
This should also apply to cloud computing. Too much attention is focused on the back-end data or on the client used to connect to the cloud. That falls in line with traditional digital forensics, which focuses on a single desktop, laptop, or mobile device. As devices and systems become ubiquitous, and since storage is so cheap, digital forensics is already working out how to handle all that other data; it has to look beyond the single desktop. Digital forensics with respect to cloud computing needs to do so, too. The basics still apply, though:
"The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation." - Ken Zatyko
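The "validation with mathematics", "repeatability" and "chain of custody" parts of that definition are the ones that translate directly into code, and they are the same in the cloud as on a seized laptop. The following is an added example, not code from the talk or from Zatyko: it hashes an acquired image in chunks (so a multi-gigabyte image never has to fit in memory), re-verifies the image against the digest recorded at acquisition (the repeatability check), and keeps a custody log in which each entry is chained to the previous one by hash so that a silently edited entry is detectable. The hash-chained log format is an assumption of this example, not a standard, and the image bytes are constructed inline.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for an acquired disk or VM image.
SAMPLE_IMAGE = b"constructed sample evidence bytes\x00" * 1024


def hash_file(path, algorithms=("sha256", "sha1"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks and return {algorithm: hexdigest}.

    SHA-256 is the value to rely on; SHA-1 is recorded alongside it only because
    many existing tools and reports still carry it for cross-checking.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected_sha256):
    """Repeatability check: re-hash the image and compare with the recorded digest."""
    return hash_file(path, ("sha256",))["sha256"] == expected_sha256.lower()


class CustodyLog:
    """Append-only chain-of-custody record (hypothetical format for this example).

    Each entry carries the hash of the previous entry, so altering or removing an
    earlier entry breaks every entry after it.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, who, action, evidence_id, sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "time": datetime.now(timezone.utc).isoformat(),
            "who": who,
            "action": action,
            "evidence_id": evidence_id,
            "sha256": sha256,
            "prev": prev,
        }
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain and return True only if every link and digest is intact."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def write_sample_image():
    """Write the constructed sample image to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_IMAGE)
    return path


def demo():
    """Acquire, log, verify, then tamper with the image and verify again.

    Returns (verified_before_tamper, verified_after_tamper, log_chain_intact).
    """
    path = write_sample_image()
    try:
        digests = hash_file(path)
        log = CustodyLog()
        log.add("examiner-1", "acquired", os.path.basename(path), digests["sha256"])
        ok_before = verify_image(path, digests["sha256"])
        with open(path, "r+b") as f:  # flip the first byte: simulated tampering
            f.write(b"X")
        log.add("examiner-2", "received", os.path.basename(path), digests["sha256"])
        ok_after = verify_image(path, digests["sha256"])
        return ok_before, ok_after, log.verify()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Re-running the same hash over the same image is what makes the result repeatable by another examiner; the log only proves who recorded what and when, which is why both are needed.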
That definition leads to the following list of what you need in order to do credible digital forensics for cloud computing. Note that none of this is any different from traditional digital forensics:
With respect to Cloud Computing, here are portions of the architecture that we need to consider further because they probably aren't being considered enough:
One of the things that needs to be pointed out is that with multi-tenancy, the possibility of a situation like Moonlight Maze, a long-running intrusion routed through many intermediate systems, is real. It'll be hard to detect where the real attacks are coming from, and an attacker who is already inside the system as one tenant can probe the other tenants on the same infrastructure.
So where does Zatyko think we can find traces? These are straight from my notes and are in outline form:
He also gave some attack vectors against cloud computing:
And some challenges with respect to performing digital forensics: