11 - Cloud Forensics and the Internet of Anything (IoT)
Class: CYBR-405
Notes:
Module Objectives
By the end of this module, you should be able to:
- Describe the main concepts of cloud computing
- Summarize the legal challenges in conducting cloud forensics
- Explain the technical challenges associated with cloud forensics and how to acquire cloud data
- Explain how to conduct a cloud investigation and describe some of the commonly used tools
- Define the Internet of Anything
- Describe the five main categories of the Internet of Anything
- Explain the challenges of forensics in the Internet of Anything
Definition of "the Cloud"
"The Cloud is a term commonly used to describe a network of remote
servers hosted on the internet that store, manage, and process data, rather
than relying on a local server or personal computer. It allows users to
access files, applications, and services from anywhere with an internet
connection. Think of it as a virtual storage space and computing resource
that’s scalable and flexible"...Grok
An Overview of the Cloud
- Cloud computing offers many benefits to individuals and organizations
- It has introduced some unique challenges in connection with digital forensics investigations
- New standards are being developed to improve security practices and incident responses in cloud environments
Cloud Service Levels
- The National Institute of Standards and Technology (NIST) outlines three basic service levels for cloud computing:
- Software as a service (SaaS) - applications are delivered via the Internet
- Canvas
- Platform as a service (PaaS) - the provider supplies a cloud server with the OS (and runtime) already installed; the customer deploys applications onto it
- Texas CyberRange
- Infrastructure as a service (IaaS) - customers rent virtualized hardware (compute, storage, network) and install whatever OSs and applications they need
- Deployment methods for a cloud include the following:
- Public - accessible to anyone
- Private - can be accessed only by people who have the necessary credentials
- Community - a way to bring people together for a specific purpose
- Hybrid - enables a company to keep some information private and designate other files as public or community information
- Example (cloud bursting): workloads normally run on-prem, but when on-prem capacity is overloaded the overflow is automatically sent to an EC2 instance
Cloud Vendors
- A cloud service provider (CSP) provides on-demand network access to a shared pool of resources
- The following are some CSPs and cloud applications:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Storage
- Citrix Hypervisor
- Rackspace
- Salesforce
- Cisco Cloud Solutions
Service-Level Agreements
- A cloud service agreement (CSA) is a contract between a CSP and the cloud customer that describes what services are being provided and at what level
- Also called a service-level agreement (SLA)
- CSAs should also specify:
- Support options
- Penalties for services not provided
- Expected system performance and fees
- Provided software or hardware
- Customer Responsibility Matrix (CRM) - which security controls the CSP implements and which remain the customer's responsibility
- CSP processes and procedures are detailed documents that define workflow and step-by-step instructions for CSP staff
- They often include hardware configuration diagrams, network maps, and application processing flowcharts
- Digital forensics examiners can use them to understand how data is stored, manipulated, secured, backed up, restored, and accessed by CSP staff and customers
- Additional documents of interest are the CSP's business continuity and disaster recovery plans
Customer Responsibility Matrix
[Figure: Customer Responsibility Matrix]
Basic Concepts of Cloud Forensics
- Forensic tools should have the following capabilities to handle acquiring data from a cloud:
- Forensic data collection - must be able to identify, label, record, and acquire data from the cloud
- Elastic, static, and live forensics - must be able to expand and contract their storage capabilities
- Evidence segregation - different businesses and users share the same applications and storage space
- Investigations in virtualized environments - should have the capability to examine virtual systems
Notes:
- If you just need data from one user, that's easy
- But when you need a whole server, other people's data is on it too, so they won't let you see that
Jurisdiction Issues
- No law ensures uniform access or required handling procedures for the cloud
- Investigators should be concerned about cases involving data commingled with other customers' data
- Often, figuring out what law controls data stored in the cloud is a challenge
- How privacy rights are defined in different jurisdictions is a major factor in problems with the right to access data
Accessing Evidence in the Cloud
- The Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider:
- Search warrants
- Subpoenas
- With or without prior notice to the customer
- Court orders
- With or without prior notice to the customer
- Search Warrant:
- A search warrant can be used only in criminal cases and must be requested by a law enforcement officer who has evidence of probable cause that a crime was committed
- The law requires that search warrants contain specific descriptions of what's to be seized
- Search warrants must also describe the location of items to seize
- The warrant must also establish how the search will be carried out
Subpoenas and Court Orders
- Government agency subpoenas - by default a provider can't knowingly divulge customer communications and records to any person or entity; a subpoena is one of the ECPA mechanisms that permits disclosure
- Disclosure is also permitted when it's believed there's a danger of death or serious physical injury
- Non-government and civil litigation subpoenas - used to produce information from private parties for litigation
- Court orders - written by judges to compel someone to do or not do something
Technical Challenges in Cloud Forensics
- Challenges in conducting cloud forensics include the following:
- Architecture
- Data collection
- Analysis of cloud forensic data
- Anti-forensics
- Incident first responders
- Role management
- Legal issues
- Standards and training
Architecture
- No two CSPs are configured exactly the same way
- Depending on the type of cloud architecture and the SLA, customers' data could be commingled
- Most CSPs keep data storage locations confidential for security reasons
- Differences in recording procedures or log keeping can make it difficult to determine the data's origin
- This may complicate an investigation's chain of evidence
Analysis of Cloud Forensic Data
- Analyzing digital evidence from a cloud requires verifying the data with other data and log records
- Data may need to be reconstructed to determine what actually occurred during an incident
- Examining logs can be useful to compare the modified, last access, and create (MAC) dates and times for files
- Metadata from affected files should be examined to validate file accesses
Anti-Forensics
- Destroying or tampering with electronically stored information (ESI) that may be potential evidence is called "anti-forensics"
- Hackers may use specialized malware for defeating evidence collection
- Additional methods for anti-forensics:
- Inserting malware programs in other files
- Using encryption to obfuscate malware programs activated through other malware programs
- Using data-hiding utilities that append malware to existing files
- Other techniques affect file metadata by changing the modify and last access times
- Changing timestamps (timestomping) can make it difficult to develop a timeline of a hacker's activities
- Calculating hash values of files and comparing the results with known good files' hash values can help identify files that might have been altered
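An added example, written for these notes (not from the textbook or any tool named on this page), that turns the two checks above into code: the hash comparison against known-good values from the Anti-Forensics bullets, and the MAC-time review from the Analysis of Cloud Forensic Data section. The manifest, file contents, timestamps and acquisition time are constructed sample data. The timestamp heuristics are leads to confirm against logs, not proof of tampering; the code comments note the benign explanations for each.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: a hash manifest recorded before the incident
# (the "known good" set) and the same paths as found during acquisition.
KNOWN_GOOD = {
    "bin/sshd": sha256_hex(b"original sshd binary"),
    "etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
    "var/www/index.html": sha256_hex(b"<h1>hello</h1>"),
    "etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
}
FOUND = {
    "bin/sshd": b"original sshd binary",                                       # unchanged
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",  # altered: extra UID 0 account
    "var/www/index.html": b"<h1>hello</h1>",                                   # unchanged
    "var/www/.cache.php": b"<?php eval($_POST['c']); ?>",                      # not in the manifest
    # etc/ssh/sshd_config is missing from the acquired set
}


def compare_to_baseline(known_good: dict, found: dict):
    """Return (altered, unknown, missing) path lists, each sorted.

    altered: present in both, but the hash no longer matches the manifest
    unknown: present now but never recorded in the manifest
    missing: recorded in the manifest but not present now
    """
    altered = sorted(p for p in known_good
                     if p in found and sha256_hex(found[p]) != known_good[p])
    unknown = sorted(p for p in found if p not in known_good)
    missing = sorted(p for p in known_good if p not in found)
    return altered, unknown, missing


def utc(s: str) -> datetime:
    """Parse an ISO-8601 string as a UTC timestamp (sample-data helper)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed MAC times (created / modified / accessed) as an NTFS-style
# listing would report them, with sub-second precision preserved.
RECORDS = {
    "bin/sshd": {
        "created": utc("2024-03-01T10:00:00.123456"),
        "modified": utc("2024-03-01T10:00:00.123456"),
        "accessed": utc("2024-06-10T08:15:42.900001"),
    },
    "etc/passwd": {  # timestomped back to 2022 with whole-second values
        "created": utc("2024-03-01T10:00:05.000000"),
        "modified": utc("2022-01-01T00:00:00"),
        "accessed": utc("2022-01-01T00:00:00"),
    },
    "var/www/.cache.php": {  # dated after the image was taken
        "created": utc("2024-06-12T03:00:00.500000"),
        "modified": utc("2024-06-12T03:00:00.500000"),
        "accessed": utc("2024-06-12T03:00:00.500000"),
    },
}
ACQUIRED_AT = utc("2024-06-11T12:00:00")


def timestamp_anomalies(records: dict, acquired_at: datetime):
    """Flag MAC-time patterns worth checking against logs.

    Each heuristic has benign explanations (a file copy keeps the source's
    modified time but gets a new created time; FAT stores modified times at
    2-second resolution), so treat hits as leads, not conclusions.
    """
    findings = []
    for path, ts in records.items():
        c, m, a = ts["created"], ts["modified"], ts["accessed"]
        if m < c:
            findings.append((path, "modified before created"))
        if all(t.microsecond == 0 for t in (c, m, a)):
            # Timestomping tools commonly write whole seconds; NTFS itself
            # records 100 ns granularity, so three round values stand out.
            findings.append((path, "all timestamps on whole seconds"))
        if max(c, m, a) > acquired_at:
            findings.append((path, "timestamp later than acquisition time"))
    return findings


if __name__ == "__main__":
    print(compare_to_baseline(KNOWN_GOOD, FOUND))
    for path, reason in timestamp_anomalies(RECORDS, ACQUIRED_AT):
        print(f"{path}: {reason}")
```

In a real case the manifest comes from a trusted source (a package database, a golden image, or hashes recorded at deployment), and each anomaly is checked against CSP and application logs before it goes into the timeline.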
Incident First Responders
- CSPs have personnel trained to respond to network incidents
- They become first responders when a network intrusion occurs
- When CSPs do not have an internal first responder team, the forensics examiner should organize CSP staff to handle these tasks
Notes:
- You can find out which team is running your server and ask for the credentials for that team
Standards and Training
- The Cloud Security Alliance (CSA) has developed resource documentation for CSPs and their staff
- It provides guidance for privacy agreements, security measures, questionnaires, and more
- Cloud investigators should have an understanding of cloud architecture in addition to basic digital and network forensic skills
Acquisition in the Cloud
- Methods used to collect evidence in cloud investigations depend on the nature of the case
- Recovering deleted data from cloud storage is limited (if not impossible), depending on the type of file system the CSP uses
- With cloud systems running in a virtual environment, snapshots can give you valuable information before, during, and after an incident
- Forensic examiners should re-create separate cloud servers from each snapshot, acquire an image of each server, and calculate a hash for all files
- Many CSPs and third parties offer encryption services for cloud users as a security measure
- Expect to find encrypted files in cloud investigations
- You need assistance from the data owner or the CSP to decrypt data with the right encryption key
- Encrypted data in the cloud is in two states:
- Data at rest - data that has been written to disk
- Data in motion - data being transmitted over a network
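An added example (not from the textbook or any CSP's tooling) of the imaging step above: stream a block device or volume to an image file, hash it while copying, write a sidecar hash file, and verify the copy afterwards. The "volume" here is a constructed temporary file so the script runs offline. In AWS the device would be a volume created from the snapshot and attached to the examiner's instance; the CLI calls in the comments are the standard `aws ec2` ones, but the device name `/dev/xvdf` is an assumption that varies by instance type.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB reads, like `dd bs=4M`

# Typical AWS flow before this script runs (device name assumed; not executed here):
#   aws ec2 create-volume --snapshot-id snap-0123456789abcdef0 --availability-zone us-east-1a
#   aws ec2 attach-volume --volume-id vol-... --instance-id i-... --device /dev/sdf
#   sudo python3 acquire.py /dev/xvdf /evidence/case42-web01.dd
# Create and attach one volume per snapshot so the images stay separate.


def acquire_image(source: str, dest: str, block_size: int = BLOCK_SIZE):
    """Copy `source` to `dest`, hashing as we go.

    An unreadable block is replaced with zeros and counted, the equivalent of
    `dd conv=noerror,sync`, so one bad sector does not abort the acquisition.
    Returns (sha256_hex, bad_block_count) and writes `<dest>.sha256`.
    """
    digest = hashlib.sha256()
    bad_blocks = 0
    pos = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            src.seek(pos)  # re-seek so a failed read cannot leave us misaligned
            try:
                chunk = src.read(block_size)
            except OSError:
                chunk = b"\x00" * block_size  # pad the unreadable block
                bad_blocks += 1
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            pos += len(chunk)
    hex_digest = digest.hexdigest()
    # Same layout as `sha256sum` output so `sha256sum -c` can check it too.
    Path(dest + ".sha256").write_text(f"{hex_digest}  {os.path.basename(dest)}\n")
    return hex_digest, bad_blocks


def verify_image(dest: str, block_size: int = BLOCK_SIZE) -> bool:
    """Re-hash `dest` and compare with the value recorded in the sidecar."""
    recorded = Path(dest + ".sha256").read_text().split()[0]
    digest = hashlib.sha256()
    with open(dest, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == recorded


def demo(tamper: bool = False):
    """Acquire a constructed 'volume', then verify it (optionally after tampering).

    Returns (image_hash, bad_blocks, verified, hash_of_original_data).
    """
    with tempfile.TemporaryDirectory() as tmp:
        volume = os.path.join(tmp, "vol.bin")
        image = os.path.join(tmp, "vol.dd")
        # Constructed sample content standing in for a block device.
        data = b"MBR\x00" + b"ext4 filesystem bytes " * 1000
        Path(volume).write_bytes(data)
        digest, bad = acquire_image(volume, image, block_size=4096)
        if tamper:
            with open(image, "r+b") as f:
                f.seek(1)
                f.write(b"X")  # flip one byte after acquisition
        verified = verify_image(image, block_size=4096)
        return digest, bad, verified, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print(demo())
```

The hash is computed on the same bytes that are written, so the sidecar documents exactly what was acquired; if `bad_blocks` is non-zero, record that count in the acquisition notes, because the image then differs from the source by design.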
Conducting a Cloud Investigation
- When investigating cloud incidents use the same methodical approach covered throughout this book
- The type of incident determines how to proceed with planning the investigation
- If the investigation involves searching for and recovering data from cloud storage or cloud customers
- See modules "Data Acquisition" and "The Investigator's Laboratory and Digital Forensics Tools"
Investigating CSPs
- If a CSP has no team or limited staff, investigators should ask the following questions to understand how the CSP is set up:
- Does the investigator have the authority to use cloud staff and resources to conduct an investigation?
- Is detailed knowledge of the cloud's topology, policies, data storage methods, and devices available?
- Are there any restrictions on collecting digital evidence from remote cloud storage?
- For e-discovery demands on multitenant cloud systems, is the data to collect commingled with other cloud customers' unrelated data? Is there a way to separate the data to prevent violating privacy rights or confidentiality agreements?
- Is the data of interest to the investigation local or remote? If it's in a remote location, can the CSP provide a forensically sound connection to it?
Investigating Cloud Customers
- If a cloud customer doesn't have the CSP's application installed:
- You might find cloud-related evidence in a Web browser's cache file
- If the CSP's application is installed:
- You can find evidence of file transfers in the application's folder
- This is usually found under the user's account folder
Understanding Prefetch Files and Artifacts
- Prefetch files contain the DLL pathnames and metadata used by an application
- The OS reads the associated prefetch file and loads its information into the computer's memory
- The OS can handle other tasks instead of waiting for an application to load needed libraries
- Example:
- Metadata in a prefetch file (C:\Windows\Prefetch\<EXENAME>-<hash>.pf) includes the executable's last run time(s) in UTC and a counter of how many times the app has run
Examining Stored Cloud Data on a PC
- Dropbox offers third-party applications, such as e-mail, chat, Cisco WebEx, and other collaboration tools
- Since 2012, Dropbox has stored its local cache databases (such as filecache.dbx) in an encrypted format rather than as plain SQLite
- Reading them requires specialized software that can decrypt and interpret the Dropbox filecache.dbx file
- Gmail users have access to Google Drive for cloud data storage and applications
- Google Drive is installed in: C:\Program Files\Google\Drive
- Each user has a configuration file stored in C:\Users\<username>\AppData\Local\Google\Drive
- If Google Drive has been installed, it creates a folder in the path C:\Users\<username>\Google Drive
- Important Google Drive files include the following:
- sync_config.db - an SQLite database file with the Google Drive upgrade number, highest application version number, and local synchronization root path
- snapshot.db - contains information about each file accessed, the URL pathname, the modified and created dates and times in UNIX timestamp format, and the file's MD5 value and size
- sync_log.log - has a detailed list of a user's cloud transactions
- OneDrive was created by Microsoft and was originally called SkyDrive
- Available with Windows 8 and later
- It is similar to Dropbox and Google Drive and offers subscription services for Microsoft software
- OneDrive stores user profiles in the user's account path
- Log files and synchronized files are kept in various places under the user's account (depending on the Windows version)
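An added example, written for these notes, of pulling the snapshot.db artifacts listed above: open the evidence copy read-only, convert the UNIX timestamps to UTC, and compare the recorded MD5 values against the files present in the local sync folder. The `cloud_entry` table layout used here is a simplified stand-in and not Google's actual schema, and both the database and the local files are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_sample_snapshot_db(path: str) -> None:
    """Create a constructed snapshot.db lookalike.

    Assumed, simplified schema: the real Google Drive table has more columns.
    """
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE cloud_entry (filename TEXT, url TEXT, modified INTEGER, "
        "created INTEGER, checksum TEXT, size INTEGER)"
    )
    rows = [
        ("report.docx", "https://docs.google.com/document/d/AAA/edit",
         1718000000, 1717000000, hashlib.md5(b"quarterly numbers").hexdigest(), 17),
        ("notes.txt", "https://drive.google.com/file/d/BBB/view",
         1718000100, 1718000100, hashlib.md5(b"original notes").hexdigest(), 14),
        ("deleted.pdf", "https://drive.google.com/file/d/CCC/view",
         1718000200, 1718000200, hashlib.md5(b"gone").hexdigest(), 4),
    ]
    con.executemany("INSERT INTO cloud_entry VALUES (?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def parse_snapshot_db(path: str) -> list:
    """Read cloud_entry rows over a read-only connection and convert the
    epoch-second timestamps to ISO-8601 UTC strings."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # never write to the evidence file
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT filename, url, modified, created, checksum, size "
            "FROM cloud_entry ORDER BY rowid"
        ).fetchall()
    finally:
        con.close()

    def to_utc(ts: int) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return [
        {"filename": f, "url": u, "modified": to_utc(m), "created": to_utc(c),
         "md5": h, "size": s}
        for f, u, m, c, h, s in rows
    ]


def compare_with_local(entries: list, sync_root: str) -> dict:
    """Match each cloud entry against the local sync folder by MD5.

    Returns {'matched': [...], 'mismatched': [...], 'absent': [...]}.
    """
    result = {"matched": [], "mismatched": [], "absent": []}
    for e in entries:
        local = Path(sync_root) / e["filename"]
        if not local.exists():
            result["absent"].append(e["filename"])       # deleted locally or never synced
        elif hashlib.md5(local.read_bytes()).hexdigest() == e["md5"]:
            result["matched"].append(e["filename"])
        else:
            result["mismatched"].append(e["filename"])   # edited after the snapshot
    return result


def demo():
    """Build the constructed evidence set, parse it, and compare with local files."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "snapshot.db")
        sync_root = os.path.join(tmp, "Google Drive")
        os.mkdir(sync_root)
        build_sample_snapshot_db(db)
        # Constructed local files: one untouched, one edited after sync, one removed.
        Path(sync_root, "report.docx").write_bytes(b"quarterly numbers")
        Path(sync_root, "notes.txt").write_bytes(b"original notes, plus an edit")
        entries = parse_snapshot_db(db)
        return entries, compare_with_local(entries, sync_root)


if __name__ == "__main__":
    entries, result = demo()
    for e in entries:
        print(e["filename"], e["modified"], e["md5"])
    print(result)
```

Work from a copy of the database; even a read-only SQLite connection may create journal files next to the original if a write-ahead log is present. An entry whose MD5 no longer matches the local file tells you the file changed after the last sync, and an entry with no local file is a lead for a deletion that the cloud side may still hold.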
Using Cloud Forensics Tools
- The following vendors offer integrated tools that can be applied to cloud forensics:
- OpenText EnCase Endpoint Security
- Exterro Incident and Relief Management
- Other tools include the following:
- Forensic OpenStack Tools (FROST)
- F-Response for the Cloud
- Magnet AXIOM Cloud
Takeaway:
- Cloud is not your computer
- Commingled info
- Look at the service level agreement
- Servers can be in Russia
- You do not know who has physical access to the server or what OS they use
- Do you understand why it is so hard to do cloud forensics?