The concept of cloud computing has truly transformed the technology world, and the rates of digital and cybercrime have risen along with it. To combat this huge loss, cloud service providers as well as consumers need to establish the capability to perform accurate investigations of cloud activities.
Cloud forensics is a sub-domain of digital or computer forensics which deals with investigating and analyzing cloud storage and platforms for artifacts/potential digital evidence, which consists of user activity, photos, videos, files, etc. It is a cross-discipline domain sitting between Cloud Computing and Digital Forensics. Moreover, Potential Digital Evidence (from now on addressed as PDE) is used in a court of law for proving facts regarding any suspect or related entities involved.
Introduction to computer forensics
Computer forensics consists of analyzing, preserving, and presenting digital data in a way acceptable to a court of law. Consider it just like investigating a crime scene for footprints or similar artifacts, except that we do it for crimes conducted using computers or digital devices. It follows a specific procedure.
Identification
Identifying what needs to be analyzed and which devices should be collected. This is where the examiner thinks about what will provide potential information. Chain of Custody is very important here. It means documenting who else has handled the data and evidence before handing it over to, or receiving it from, another person.
Collection
This phase consists of collecting the evidence which has been identified by the forensics examiners or incident responders. Various forensics tools are used to collect digital evidence. For example, FTK Imager is used to create a bit-by-bit image of a computer drive or a virtual machine, which can then be used for forensics analysis.
Preservation
This phase consists of preserving the data and evidence from being tampered with. Digital data can be tampered with over a network. Faraday bags and aluminum foil can be used to block network connections. The aim is to keep the originally collected data intact so that it is admissible in a court of law.
Examination and Analysis
Collected data needs to be examined and analyzed for emails, images, videos, and other similar forensics artifacts. This is the most important phase in the forensics process.
Presentation
The presentation consists of reporting whatever findings or artifacts were recovered during the analysis. Reporting aims to make people, especially a non-technical audience, understand what the findings are.
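The collection, preservation and chain-of-custody steps above rely on a hash taken at acquisition time that is re-checked at every hand-over and again before analysis. The following added example (not code from the original article) shows that flow in Python; the image file name and custodian names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_custody_record(image_path, collector):
    """Initial chain-of-custody record written at acquisition time."""
    return {"evidence": image_path, "sha256": sha256_of_file(image_path),
            "transfers": [{"from": None, "to": collector,
                           "at": datetime.now(timezone.utc).isoformat()}]}


def hand_over(record, from_person, to_person):
    """Append a hand-over entry; re-hash so tampering while 'from_person'
    held the evidence is caught at this boundary. Returns True if intact."""
    intact = sha256_of_file(record["evidence"]) == record["sha256"]
    record["transfers"].append({"from": from_person, "to": to_person,
                                "at": datetime.now(timezone.utc).isoformat(),
                                "hash_matches": intact})
    return intact


def verify_before_analysis(record):
    """True only if the image still matches the hash taken at acquisition."""
    return sha256_of_file(record["evidence"]) == record["sha256"]


def demo():
    """Constructed walk-through: acquire, hand over, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "vm-disk.img")  # constructed sample image
        with open(img, "wb") as fh:
            fh.write(b"constructed sample disk image bytes")
        rec = new_custody_record(img, "examiner-A")
        ok_transfer = hand_over(rec, "examiner-A", "examiner-B")
        with open(img, "ab") as fh:  # simulate tampering after hand-over
            fh.write(b"\x00")
        return ok_transfer, verify_before_analysis(rec), len(rec["transfers"])
```

The hand-over succeeds because the image is still intact at that point, but the later pre-analysis check fails once a single byte has been appended.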
Cloud platforms are being used at a growing pace for developing and deploying services. There are several benefits associated with cloud platforms such as speed, cost, and performance.
There are various types of cloud computing models.
SaaS – Software as a service. Here the cloud provider provides users with the software on the cloud platform. Example – Google Docs, Office 365, etc.
PaaS – Platform as a service. Here the user deploys applications on a platform that the provider manages. Deployment and testing of the application can be executed efficiently.
IaaS – Infrastructure as a service. Here the whole infrastructure, as offered by Microsoft Azure and AWS, is provided to the users. A complete IT environment can be created here.
Cloud forensics can be divided into three parts.
Technical Process. This phase consists of performing the investigation in the cloud using multiple forensics tools, acquiring images, and performing live forensics.
Organizational. This phase covers all stakeholders and entities associated with the event, such as service providers, policies, and SLAs.
Legal. Legal aspects cover all the legislation associated with acquiring data and conducting forensics, including the geography of the data and the entities involved.
Investigating servers would lead us to a wealth of potential digital evidence. Information can be found in the following sources:
Server, application, database, and authentication logs.
Most attacks or incidents occur on the client side or at the endpoint. Also, it is relatively easy to get data from the client rather than the server. Sources of potential digital evidence on the client side are:
Cloud storage platforms such as Dropbox, Google Drive, Microsoft OneDrive, Evernote, etc., have become popular and are an important aspect of client-side forensics. These platforms hold valuable information about users. Their client programs leave artifacts on the system that are important to forensic investigators, and the logs of these platforms can be used for event reconstruction and investigation.
Challenges in cloud forensics
Collection of evidence is an issue if the virtual machine which was used by an attacker, or which was the target, has been deleted or reset.
Agreements (SLAs) between the user and the cloud service provider, or between cloud service providers, have an impact from the forensics standpoint.
Timestamps and sync dates, which can differ between the client, the provider, and the regions involved, complicate event reconstruction.
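Reconstructing events from cloud storage client logs (as described under client-side sources) runs straight into the timestamp challenge listed above: the same host may write local-offset and UTC timestamps, and file order is not time order. This added example (not from the original article) normalizes constructed sync-client log lines to UTC before sorting; the log format and its fields are invented for the example, not taken from any real product.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the style of a desktop sync client log. The
# format is invented for this example, not taken from any real product; note
# the mix of local offsets and an ISO-8601 "Z" timestamp on the same host.
SAMPLE_LOG = """\
2023-05-01 09:15:02 -0700 upload user=alice file=/Reports/q1.xlsx
2023-05-01T16:14:50Z login user=alice ip=203.0.113.7
2023-05-01 18:16:40 +0200 delete user=alice file=/Reports/q1.xlsx
2023-05-01 12:10:00 -0400 upload user=bob file=/Photos/img01.jpg
"""

LOCAL_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4}) (\w+) (.*)$")
UTC_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (\w+) (.*)$")


def parse_line(line):
    """Return an event dict with a timezone-aware UTC 'utc' field, or None
    for lines that match neither timestamp shape."""
    m = LOCAL_LINE.match(line)
    if m:
        ts = datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S %z")
        event, rest = m[3], m[4]
    else:
        m = UTC_LINE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        event, rest = m[2], m[3]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"utc": ts.astimezone(timezone.utc), "event": event, **fields}


def build_timeline(log_text):
    """Parse every line and order events by true UTC time, not file order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["utc"])


def file_lifetime_seconds(timeline, path):
    """Seconds between the first and last event touching 'path'."""
    hits = [e["utc"] for e in timeline if e.get("file") == path]
    return int((max(hits) - min(hits)).total_seconds()) if hits else None
```

Read in local time the upload and delete of q1.xlsx look nine hours apart; normalized to UTC they are 98 seconds apart and bob's upload turns out to be the earliest event.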
Artifacts / PDE in cloud forensics
Windows Registry files. This is a rich location where investigators can find valuable information regarding a security event.
Browser Log Files. Browser logs consist of cookies, URLs, and cache data, which could be beneficial in an investigation. Logs are stored under the user directory.
Memory. Collecting volatile memory gives a wealth of information to an investigator. Physical memory contains information such as user IDs and passwords.
In mobile devices
On iOS, Amazon S3 and Dropbox each create an SQLite database file. While Amazon S3 creates a bucket file with the timestamps, Dropbox creates a ‘Dropbox.sqlite’ file.
On the Android operating system, a similar scheme is employed. Files downloaded from the cloud app are stored on the device together with details about the login and the full path in which the app is installed.
Forensics as a Service
The focus of this service is to provide forensics services over the cloud. As cloud computing increases drastically, cloud forensics is gaining momentum too. Virtual Machine Introspection (VMI) is a method used to monitor the runtime state of a system-level virtual machine. Terremark uses VMI for monitoring, management, and security of its vSphere cloud computing offering.
Features of FaaS
Instance collection – aggregating access control records and centralized log monitoring records.
Verification – any collected data is verified against an accepted standard.
CSP Forensics storage
Security capabilities provided by CSPs
Microsoft and Google have built-in security centers with the monitoring, logging, and security operations capabilities required to handle an incident and contain it.
What the iSmile Technologies Forensics service will provide
Automated forensics tools and procedures that execute the digital forensics task from collection to reporting allow for a fast investigation and quick insights. This has the following benefits:
Reduced time for conducting a digital forensics investigation.
Faster and informed business decisions.
It works on a flat-rate price model, which lets customers know the exact cost of an investigation and allows for budget management.
Company reputation is a major stake affected by an incident; having a plan and an investigation in hours instead of days places the organization in a better position.
Cloud computing is a growing field, and security incidents related to cloud services are growing too. There is a dire need for cloud forensics to investigate these incidents and to build methods to prevent them from happening in the future. Forensics as a Service is a newly developed subset of cloud forensics that focuses on providing forensic services over the cloud. It should be considered similar to IaaS, PaaS, and SaaS. iSmile Technologies will take care of security on cloud platforms. SIEM, digital forensics, and overall cloud security would be provided. iSmile Technologies has extensive experience in setting up from the ground up, providing consulting services, and 24×7 managed services for Cloud Security Monitoring, Cyber Security Incident Response, Pen Testing, Remediation, etc. Feel free to contact us for more details.