Cloud Forensics

Overview    

The concept of the cloud has transformed the technology world, and rates of digital crime and cybercrime have risen with it. To combat the resulting losses, cloud service providers as well as consumers need to establish capabilities that can perform accurate investigations of cloud activity. Cloud forensics is a sub-domain of digital (computer) forensics that deals with investigating and analysing cloud storage and platforms for artifacts or potential digital evidence, which may consist of user activity, photos, videos, files, etc. It is a cross-discipline domain that sits between cloud computing and digital forensics. Potential Digital Evidence (addressed as PDE from here on) is used in a court of law to prove facts about a suspect or the related entities involved.

 

Introduction to computer forensics 

Computer forensics is the discipline of analyzing, preserving and presenting digital data in a way that is acceptable to a court of law. Think of it as investigating a crime scene for footprints and similar traces, except that the crimes were committed using computers or digital devices. It follows a specific procedure:

  • Identification
  • Collection
  • Preservation
  • Examination and Analysis
  • Presentation

 

  • Identification

Identifying what needs to be analyzed and which devices should be collected; this is where the examiner decides what could provide potential information. Chain of custody is very important here: it means documenting who has handled the data and evidence before handing it over to, or taking it from, another person.

  • Collection

This phase consists of collecting the evidence that the forensic examiners or incident responders have identified. Various forensic tools are used to collect digital evidence. For example, FTK Imager is used to create a bit-for-bit image of a computer drive or a virtual machine, which can then be used for forensic analysis.

  • Preservation

This phase involves preserving the data and evidence from being tampered with. Digital data can be tampered with over a network, so Faraday bags or aluminum foil can be used to block network connections. The aim is to present the originally collected data, unaltered, in a court of law.

  • Examination and Analysis

Collected data needs to be examined and analyzed for emails, images, videos and similar forensic artifacts. This is the most important phase of the forensic process.

  • Presentation

The presentation consists of reporting whatever findings or artifacts were recovered during the analysis. Reporting aims to make people, especially a non-technical audience, understand what the findings are.

Cloud Forensics   

Cloud platforms are being adopted at a growing pace for developing and deploying services. They bring several benefits, such as speed, cost and performance. There are various cloud computing models.

  • SaaS – Software as a Service. The cloud provider supplies users with the software on the cloud platform. Example – Google Docs, Office 365, etc.
  • PaaS – Platform as a Service. The user deploys applications on a platform the provider supplies; deployment and testing of the application can be executed efficiently.
  • IaaS – Infrastructure as a Service. The whole infrastructure, for example Microsoft Azure or AWS, is provided to users, and an IT environment can be built on it.

  

Cloud forensics can be divided into three parts.

  • Technical process – This part consists of performing the investigation in the cloud using multiple forensic tools, acquiring images, and performing live forensics.
  • Organizational – This part covers the stakeholders and entities associated with the event, such as service providers, policies, and SLAs.
  • Legal – The legal aspects cover all legislation associated with acquiring data and conducting forensics, including the geography of the data and the entities involved.

 

Server-side forensics – Investigating servers leads to a wealth of potential digital evidence. Information can be found in sources such as server, application, database and authentication logs, and access records.

Client-side forensics – Most attacks or incidents occur on the client side, at the endpoint. It is also relatively easier to obtain data from the client than from the server. Sources of potential digital evidence on the client side include registry files, logs and database files. Cloud storage platforms such as Dropbox, Google Drive, Microsoft OneDrive, Evernote, etc., have become popular and are an important aspect of client-side forensics. These platforms hold valuable information about users, and their client programs leave artifacts on the system that matter to forensic investigators. The logs of these platforms can be used for event reconstruction during an investigation.

  

Challenges in cloud forensics   

  • Collection of evidence is an issue if the virtual machine used by the attacker, or targeted by the attack, has been deleted or reset.
  • Agreements (SLAs) between the user and the cloud service provider, or between cloud service providers, affect what can be done from a forensic standpoint.
  • Timestamps and sync dates.

Artifacts / PDE in cloud forensics

  • Windows Registry files – The registry is a rich location where investigators can find valuable information about a security event.
  • Browser log files – Browser logs consist of cookies, URLs and cache data, which can be beneficial in an investigation. They are stored under the user directory.
  • Memory – Collecting volatile memory gives an investigator a wealth of information. Physical memory contains information such as user IDs and passwords.

 

In mobile devices 

In iOS, Amazon S3 and Dropbox each create an SQLite database file: Amazon S3 creates a bucket file with timestamps, while Dropbox creates a ‘Dropbox.sqlite’ file.

On Android a similar scheme is used. Files downloaded from the cloud app are stored on the device along with details about the login and the full path at which the app is installed.
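Event reconstruction from a cloud-storage client's SQLite cache, as described for client-side and mobile artifacts above. This is an added example, not code from the article or from any vendor; the table layout is a constructed stand-in, since the real schema of files such as ‘Dropbox.sqlite’ is not given on the page.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows standing in for a sync client's cache table:
# (path, downloaded_at, opened_at, account). Timestamps are Unix epoch seconds.
# The schema is an assumption for this example, not the real app's schema.
SAMPLE_ROWS = [
    ("/Documents/contract.pdf", 1650000000, 1650003600, "user@example.com"),
    ("/Photos/img_001.jpg",     1650001800, None,       "user@example.com"),
    ("/Documents/notes.txt",    1649998200, 1650000900, "user@example.com"),
]

def build_sample_db():
    """Create an in-memory database resembling a cloud client's file cache."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cached_files (path TEXT, downloaded_at INTEGER, "
        "opened_at INTEGER, account TEXT)"
    )
    conn.executemany("INSERT INTO cached_files VALUES (?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def to_utc(epoch):
    """Render an epoch timestamp in UTC so entries from several devices line up."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def build_timeline(conn):
    """Turn per-file rows into one chronologically ordered list of events."""
    events = []
    query = "SELECT path, downloaded_at, opened_at, account FROM cached_files"
    for path, downloaded, opened, account in conn.execute(query):
        events.append((downloaded, "downloaded", path, account))
        if opened is not None:          # not every cached file was ever opened
            events.append((opened, "opened", path, account))
    events.sort()                       # sort by epoch, then action, then path
    return [(to_utc(ts), action, path, acct) for ts, action, path, acct in events]

if __name__ == "__main__":
    for row in build_timeline(build_sample_db()):
        print(*row)
```

On a real acquisition you would open the copied database file read-only instead of the in-memory sample.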

 

Forensics as a Service   

The focus of this service is to provide forensic services over the cloud. With the drastic increase in cloud computing, cloud forensics is gaining momentum too.

Virtual Machine Introspection (VMI) is a method used to monitor the run-time state of a system-level virtual machine. Terremark uses VMI for monitoring, management and security of its vSphere cloud computing offering.

 

Features of FaaS   

  • Instance collection – aggregating access-control records and centralized log-monitoring records.
  • Verification – any collected data is verified against an accepted standard.
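Evidence integrity checking and a chain-of-custody record, serving both the Preservation phase of the forensic process above and the Verification feature of FaaS. This is an added example, not the article's or any product's code; the "image" is a constructed byte string standing in for a disk or VM image produced by a tool such as FTK Imager.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk/VM image (not a real image).
SAMPLE_IMAGE = b"\x00" * 1024 + b"constructed-boot-sector" + b"\xff" * 1024

def sha256_of(data, chunk=4096):
    """Hash in chunks, as a real image is far too large to hold in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def custody_entry(image, handed_from, handed_to, action):
    """One chain-of-custody record: who handled the evidence, when, and its hash."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "from": handed_from,
        "to": handed_to,
        "action": action,
        "sha256": sha256_of(image),
    }

def verify_chain(image, chain):
    """True only if every hand-off recorded the same hash and the image still matches it."""
    if not chain:
        return False                      # no custody record means no provenance
    current = sha256_of(image)
    return all(entry["sha256"] == current for entry in chain)

def demo():
    """Acquire, hand over, verify; then show that a one-byte change is detected."""
    chain = [custody_entry(SAMPLE_IMAGE, "responder", "examiner", "acquired")]
    chain.append(custody_entry(SAMPLE_IMAGE, "examiner", "analyst", "transferred"))
    ok_original = verify_chain(SAMPLE_IMAGE, chain)
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"   # flip the final byte
    ok_tampered = verify_chain(tampered, chain)
    return ok_original, ok_tampered, json.dumps(chain, indent=2)

if __name__ == "__main__":
    original_ok, tampered_ok, record = demo()
    print(record)
    print("original verifies:", original_ok, "| tampered verifies:", tampered_ok)
```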

  

CSP Forensics storage   

Security capabilities provided by CSPs: Microsoft and Google have built-in security centres with the monitoring, logging and security operations capabilities required to handle and contain an incident.

The iSmile Technologies forensics service provides automated forensic tools and procedures that carry out the task from collection to reporting, allowing for fast investigation and insights.

Our service has the following benefits:  

  • Cost-effectiveness – It works on a flat-rate price model, which lets customers know the exact cost of an investigation and allows for budget management.
  • Time to conduct a digital forensics investigation – Company reputation is a major stake affected by an incident; having a plan and an investigation in hours instead of days places the organization in a better position.

 

Summary   

Cloud computing is a growing field, and security incidents related to cloud services are growing too. There is a dire need for cloud forensics to investigate these incidents and to build methods that prevent them from happening in the future. Forensics as a Service is a newly developed subset of cloud forensics that focuses on providing forensic services over the cloud. It should be considered similar to IaaS, PaaS and SaaS.

 

Ismile for Cloud Forensics 

iSmile Technologies takes care of security on cloud platforms, providing SIEM, digital forensics and overall cloud security.

iSmile Technologies has extensive experience in setting up security from the ground up and in providing consulting services and 24×7 managed services for cloud security monitoring, cyber security incident response, pen testing, remediation, etc. Feel free to contact us for more details.
