Cloud Forensics

Cloud Forensics   

Cloud platforms are being used at a growing pace for developing and deploying services. There are several benefits associated with cloud platforms such as speed, cost, and performance. There are various types of cloud computing models.  

• SaaS – Software as a service. Here the cloud provider provides users with the software on the cloud platform. Example – Google Docs, Office 365, etc.   

• PaaS – Platform as a service. Here user can deploy the platform using the software functionality. Deployment and testing of the application can be executed efficiently.  
• IaaS – Infrastructure as a service. Here, the whole infrastructure such as Microsoft Azure and AWS is provided to the users. An IT environment can be created here.   

Cloud forensics can be divided into three parts.   

• Technical Process- This phase consists of performing investigation in the cloud using multiple forensics tools, acquiring the images, and performing live forensics.  
• Organizational- This phase covers investigating all associated with events, stakeholders and entities such as service providers, policies, and SLAs.  
• Legal- Legal aspects cover all the legislatures associated with acquiring data and conducting forensics, including the geography of the data and entities.   

Server-side forensics- Investigating servers would lead us to a wealth of potential digital evidence. Information can be found in the following sources: Server, application, database, and authentication logs, Access information etc.  

Client-side forensics- Most of the attacks or incidents occur on the client-side or at the endpoint. Also, it is relatively easy to get data from the client rather than the server. Sources of potential digital evidence in the client-side are: Registry files, Logs, Database files etc. Cloud storage platforms such as Dropbox, Google Drive, Microsoft OneDrive, Evernote, etc., have become popular ever since and are an important aspect of client-side forensics. These platforms consist of valuable information of users. These programs leave important artifacts on the system that are important to forensic investigators. The logs of these platforms can be used to create a for event reconstruction and investigation.  

Challenges in cloud forensics   

Collection of evidence is an issue if the virtual machine which was used by an attacker or which was the target has been deleted or reset.  Agreements (SLAs) between the user and cloud service provider or in between cloud service providers have an impact on the forensics standpoint.   

Timestamps and Sync dates Artifacts / PDE in cloud forensics    

• Windows Registry files- This is a hot location where investigators can find valuable information regarding the event of security.    
• Browser Log Files- Browser logs consist of cookies, URLs, and cache data, which could be beneficial in an investigation. Logs are stored under the user directory.   
• Memory- Collecting volatile memory gives a wealth of information to an investigator. Physical memory contains information such as User ID and Passwords.    

In mobile devices 

In IOS operating systems Amazon S3 and Dropbox create an SQLite database file. While Amazon S3 creates a bucket file with the timestamps, Dropbox creates a ‘Dropbox.sqlite’ file.  

In the Android operating system, a similar system is employed. The downloaded files from the cloud app are stored on the device with details about the login and full path in which the app is installed.   

Forensics as a Service   

The focus of this service is to provide forensics services over the cloud. As we can see a drastic increase in cloud computing, cloud forensics is gaining momentum too.  

Virtual Machine Introspection is a method used to monitor run time state of system-level Virtual Machine. Terremark uses VMI for monitoring, management, and security of its vSphere cloud computing offering.   

Features of FaaS   

• Instance collection – for aggregating Access Control, and Centralized log monitoring records.   
• Verification – any collected data would be verified based on an accepted standard. 

CSP Forensics storage   

Security capabilities provided by CSPs Microsoft and Google have inbuilt security centres that have monitoring, logging, and security operations capabilities that are required to handle an incident and contain it.     

iSmile Technology Forensics service provides automated forensics tool and procedures to execute the task from collection to reporting in digital forensics allows for a fast investigation and insights.  

Our service has the following benefits:  

• Cost-effectiveness- It works on the flat-rate price model which lets customers know the exact cost of an investigation, allowing for budget management.  

• Time for conducting digital forensics investigation- Company reputation is a major stake which is affected by an incident, having a plan and investigation in hours instead of days would place the organization in a better position.  

Summary   

Cloud computing is a growing field. Security incidents related to cloud services are growing too. There is a dire need to cloud forensics to investigate the incidents and build methods to prevent it from happening in the future. Forensics as a Service is a newly developed subset under cloud forensics and focuses on providing forensic services over the cloud. It should be considered similar to IaaS, PaaS, and SaaS.  

Ismile for Cloud Forensics 

iSmile Technologies takes care of security on cloud platforms. SIEM, digital forensics, and overall cloud security are provided.  

iSmile Technologies has extensive experience in setting up from the bottom up, providing consulting services, 24×7 managed services for Cloud Security Monitoring, Cyber Security Incident Response, Pen Testing, Remediation, etc. Feel free to contact us for more details.