From the 2013 Techno Security Conference - Cloud Computing and Digital Forensics

2013-06-05

I'm processing through my notes for the 2013 Techno Security Conference, which is finishing up today with post-cons. Of all the sessions I attended, the best one was Cloud Security and Digital Forensics, presented by Ken Zatyko. This was actually a replacement talk, because the talk I wanted to see the most was canceled. However, that's what serendipity is all about, right?


When it comes to the physical world, forensics generally works on Locard's Exchange Principle: every contact leaves a trace. The catch with cyber crime is that there doesn't have to be physical contact. So are there still traces? Zatyko said yes, he believes there should still be, but you can't bet that they'll be on the final system, the one we're most concerned with. But what if we expanded our scope out past that final system?

"Artifacts of electronic activity in digital devices are detectable through forensic examination, although such examination might require access to computer and network resources involving expanded scope that may involve more than one venue and geolocation." - Zatyko and Dr. John Bay, 2011


This should also apply to cloud computing. Too much attention is focused on the back-end data or on the client piece used to connect to the cloud. This falls in line with traditional digital forensics, which focuses on that single desktop, laptop, or mobile device. As devices and systems become ubiquitous, and since storage is so cheap, digital forensics is already grappling with how to handle all that other data. It's having to look beyond the single desktop. Digital forensics with respect to cloud computing needs to do so, too. The basics still apply, though:

"The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation." - Ken Zatyko


Which leads to the following list of what you need in order to do credible digital forensics for cloud computing. Note that none of this is any different from traditional digital forensics:

  • Search authority
  • Chain of custody
  • Imaging/hashing function
  • Validated tools
  • Analysis
  • Repeatability (QA)
  • Reporting
  • Possible Expert Presentation
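The imaging/hashing, chain of custody and repeatability items above are the parts of that list you can actually mechanize. The following is an added example (mine, not code from Zatyko's talk or from this post) that hashes an acquired image in chunks, re-hashes it at every custody hand-off, and then checks every link of the chain against the acquisition hash. The evidence bytes, examiner names and item ids are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk or VM image. Real images are files
# read in chunks; a byte string is enough to exercise the same logic.
SAMPLE_IMAGE = (b"MBR\x00" * 1000) + b"tenant-a volume data" + (b"\x00" * 500)


def iter_chunks(data: bytes, size: int = 4096):
    """Yield fixed-size chunks so a large image is hashed without being loaded whole."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def hash_image(data: bytes) -> dict:
    """Compute MD5 and SHA-256 over the image. Two algorithms are recorded so a
    later verifier can still cross-check if one of them is ever disputed."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter_chunks(data):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": len(data)}


@dataclass
class CustodyEntry:
    examiner: str
    action: str   # "acquired", "transferred", "verified", ...
    sha256: str   # hash the custodian observed at this step
    when: str     # ISO-8601 UTC timestamp


@dataclass
class EvidenceItem:
    item_id: str
    source: str   # where in the cloud architecture the image came from
    hashes: dict  # hashes recorded at acquisition
    chain: list = field(default_factory=list)

    def record(self, examiner: str, action: str, data: bytes) -> CustodyEntry:
        """Re-hash the image at each custody event and append the result, so every
        link in the chain carries the hash that custodian actually observed."""
        entry = CustodyEntry(
            examiner=examiner,
            action=action,
            sha256=hash_image(data)["sha256"],
            when=datetime.now(timezone.utc).isoformat(),
        )
        self.chain.append(entry)
        return entry


def acquire(item_id: str, source: str, examiner: str, data: bytes) -> EvidenceItem:
    """Create the evidence record and its first custody link in one step."""
    item = EvidenceItem(item_id=item_id, source=source, hashes=hash_image(data))
    item.record(examiner, "acquired", data)
    return item


def verify_chain(item: EvidenceItem) -> list:
    """Return a list of problems; an empty list means every custody link matches
    the acquisition hash (the repeatability / QA check)."""
    if not item.chain:
        return ["no custody entries"]
    problems = []
    if item.chain[0].action != "acquired":
        problems.append("chain does not start with acquisition")
    for i, entry in enumerate(item.chain):
        if entry.sha256 != item.hashes["sha256"]:
            problems.append(f"link {i} ({entry.examiner}, {entry.action}): hash mismatch")
    return problems


if __name__ == "__main__":
    item = acquire("EV-001", "cloud instance (remote acquisition)", "examiner1", SAMPLE_IMAGE)
    item.record("examiner2", "transferred", SAMPLE_IMAGE)
    print("chain intact:", verify_chain(item) == [])
    # A copy that differs by one byte shows up at a later custody step.
    item.record("examiner3", "verified", SAMPLE_IMAGE + b"x")
    print("problems:", verify_chain(item))
```

Hashing in chunks is what keeps this usable for multi-gigabyte images, and re-hashing at each hand-off rather than copying the previous entry's hash is what makes the chain evidence rather than paperwork: a link is only as good as the measurement the custodian took.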


With respect to cloud computing, here are the portions of the architecture that we need to consider further, because they probably aren't being considered enough today:

  • Cloud Scheduler/Manager - software that logs and manages usage, etc.
  • Cloud Instance - hypervisor and virtual machines themselves


One of the things that needs to be pointed out is that with multi-tenancy, the possibility of a situation like Moonlight Maze is real. It'll be hard to detect where the real attacks are coming from, and a party already inside the system can probe other tenants in the same system.


So where does Zatyko think we can find traces? These are straight from my notes and are in outline form:

  • Cloud Client
    • Traditional forensics
    • ISP records

  • Cloud Scheduler/Manager
    • Logs of inbound connections, cloud instances and physical hardware used to service clients
    • Consumer account information
    • Internal cloud service provider audit logs
    • Authentication and access logs (control granted to customers for use of applications and services)

  • Cloud Instances
    • Traditional forensics
    • May require remote acquisition and credentials

  • Hypervisor
    • Dependent on type of hypervisor (bare metal vs. hosted, etc.)
    • Log files detailing cloud instance behavior
    • Cloud instance memory and disk state
    • VM introspection data (if available)

  • Administrative Domain (Domain 0 - management domain)
    • Virtual disk images
    • Cloud instance memory

  • Cloud storage
    • Data stored by a cloud instance

  • Physical systems
    • Traditional acquisition of disks and memory
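Every layer in that outline logs in its own format and its own clock convention, and the "correlation of chain links" challenge Zatyko lists below is about tying them back together. As an added example (mine, not from the talk or the post), the script below normalizes three constructed record types, an ISP-style connection record with a UTC offset, a JSON scheduler/manager log with epoch timestamps, and a syslog-style hypervisor log with no year or zone, into one UTC timeline, then follows the links from a client IP to the account it authenticated as, to the instance that account started, to the hypervisor entries for that instance. All IPs, account ids, instance ids, host names and the assumption that the hypervisor logs in UTC are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Assumption: syslog lines carry no year or zone; we treat them as UTC in 2013.
ASSUMED_SYSLOG_YEAR = 2013

# Constructed sample records, one per layer of the architecture in the outline above.
ISP_RECORDS = [
    "2013-06-04T14:02:10-04:00 src=198.51.100.7 dst=203.0.113.10 dport=443",
    "2013-06-04T14:30:44-04:00 src=192.0.2.99 dst=203.0.113.10 dport=443",
]
SCHEDULER_LOGS = [
    '{"ts": 1370368935, "event": "auth_ok", "account": "tenant-a", "src_ip": "198.51.100.7"}',
    '{"ts": 1370368940, "event": "instance_start", "account": "tenant-a", "instance": "i-0042", "host": "node17"}',
    '{"ts": 1370370650, "event": "auth_ok", "account": "tenant-b", "src_ip": "192.0.2.99"}',
]
HYPERVISOR_LOGS = [
    "Jun  4 18:02:23 node17 hypervisor: domain for i-0042 started, 2 vcpus, 4096 MB",
    "Jun  4 18:09:01 node17 hypervisor: domain for i-0042 snapshot taken",
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) \S+: (.*)$")
INSTANCE_RE = re.compile(r"\bi-[0-9a-f]+\b")


def _event(time, source, event, account=None, instance=None, src_ip=None, detail=""):
    """Common normalized shape; the three link keys are always present (possibly None)."""
    return {"time": time, "source": source, "event": event, "account": account,
            "instance": instance, "src_ip": src_ip, "detail": detail}


def parse_isp(line: str) -> dict:
    """ISO-8601 timestamp with offset, then key=value pairs; offset is converted to UTC."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return _event(when, "isp", "connection", src_ip=fields["src"], detail=rest)


def parse_scheduler(line: str) -> dict:
    """JSON record keyed by epoch seconds; epoch is zone-free so UTC is exact here."""
    rec = json.loads(line)
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return _event(when, "scheduler", rec["event"], account=rec.get("account"),
                  instance=rec.get("instance"), src_ip=rec.get("src_ip"), detail=line)


def parse_hypervisor(line: str) -> dict:
    """Classic syslog prefix; year and zone are supplied from the stated assumption."""
    mon, day, hms, host, msg = SYSLOG_RE.match(line).groups()
    when = datetime.strptime(f"{ASSUMED_SYSLOG_YEAR} {mon} {day} {hms}",
                             "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    inst = INSTANCE_RE.search(msg)
    return _event(when, "hypervisor", msg.split(",")[0],
                  instance=inst.group(0) if inst else None, detail=f"{host}: {msg}")


def build_timeline(isp=ISP_RECORDS, sched=SCHEDULER_LOGS, hyp=HYPERVISOR_LOGS) -> list:
    """Parse every source into the common shape and order by UTC time."""
    events = ([parse_isp(l) for l in isp] + [parse_scheduler(l) for l in sched]
              + [parse_hypervisor(l) for l in hyp])
    return sorted(events, key=lambda ev: ev["time"])


def correlate(timeline: list, seed_ip: str) -> list:
    """Follow the chain of links from a client IP: the IP ties to an account in the
    scheduler log, the account ties to instances, instances tie to hypervisor entries.
    Expands until no new link key is discovered, then returns the linked events in order."""
    ips, accounts, instances = {seed_ip}, set(), set()

    def linked(ev):
        return ev["src_ip"] in ips or ev["account"] in accounts or ev["instance"] in instances

    changed = True
    while changed:
        changed = False
        for ev in timeline:
            if not linked(ev):
                continue
            for key, bag in (("src_ip", ips), ("account", accounts), ("instance", instances)):
                if ev[key] and ev[key] not in bag:
                    bag.add(ev[key])
                    changed = True
    return [ev for ev in timeline if linked(ev)]


if __name__ == "__main__":
    for ev in correlate(build_timeline(), "198.51.100.7"):
        print(ev["time"].isoformat(), ev["source"].ljust(10), ev["event"], "|", ev["detail"])
```

The year and zone assumption for the syslog lines is deliberately a named constant at the top: when a timeline is going into a report, every such assumption has to be stated, because a one-hour zone error is enough to put an instance start before the login that caused it.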

He also gave some attack vectors against cloud computing:

  • traditional attacks against cloud instances
  • supply chain attacks against firmware and hardware of physical systems
  • virtualization break-out attacks
  • traditional insider threats within the consumer's organization
  • malicious insiders at the cloud provider
  • malicious cloud providers
  • foreign espionage facilitated by offshore hosting and storage


And some challenges with respect to performing digital forensics:

  • low technical and legal expertise
  • location of data
  • proliferation of endpoints (timelining, log formats, deleted data)
  • evidence segregation (concealment, decryption)
  • data redundancy
  • correlation of chain links
  • SLAs
  • tenant rights, evidence admissibility, and chain of custody

