Cloud Forensics

Cloud computing is a computing-as-a-service paradigm that comes in different service models:

  • IaaS

  • PaaS

  • SaaS

We will deal with the concept of public clouds and in particular with:

  1. Acquisition issues

  2. Analysis issues

  3. Attribution issues

  4. Legal status issues

Acquisition issues

In general, even in IaaS scenarios, the user is given no control over the hardware or the physical storage. The level of access varies by service model:

  1. SaaS: only the cloud service provider (CSP) has logs/data.

  2. PaaS: the customer may have OS/application/network/database logs, depending on the CSP.

  3. IaaS: logs up to the OS level are accessible to the customer; network and process logs remain at the provider level (e.g. load balancer logs).

This has major consequences, the main one being that investigators cannot access the raw hardware, which makes traditional acquisition procedures unfeasible for the host. Moreover:

  • A VM may be spread across several drives -> it is almost impossible to perform data acquisition correctly.

  • When storage is deallocated, the space is gone for good, so there is no unallocated space to analyze -> the concepts of slack space and carving do not apply here.

In conclusion: sometimes we can reconfigure our host instance to collect more logs, but otherwise there is little we can do.

Availability of data

  • If the provider already logs the data we are interested in, we can ask a judge to order the provider to hand it over, but often these logs simply don't exist.

  • Some data exist only inside the user's specific instance and therefore cannot be reconstructed.

  • Reconstructing certain data may be technically possible but practically impossible, given the enormously complex systems used by the big service providers.

Examples of acquisition issues

Consider the acquisition of a simple web page. What could possibly go wrong?

  • Dynamic content on page: How to capture? / How to reproduce in court?

  • Attribution: WHOIS data / DNS resolution (proving it from multiple vantage points) / connectivity and provider identification / geolocation of the hoster

In conclusion, it is hard to guarantee integrity. The only way is to ask the provider directly for the data from its databases, but in some cases even that is impossible because of end-to-end encryption.
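As an added illustration of the capture and attribution problems above (example code written for these notes, not part of the original), the following Python sketch records one acquisition of a page as a hashed manifest: the exact bytes received, the headers, the time, and the answers of several independent resolvers. The URL, page bodies, headers and DNS answers are constructed sample values; two captures of a page with dynamic content yield different digests, which is why each capture has to be documented on its own.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: two fetches of the same URL a few seconds apart.
# The page embeds a per-request token (dynamic content), so the bytes differ.
URL = "https://example.invalid/notice"  # placeholder host, not a real site
CAPTURE_1 = b"<html><p>Notice</p><!-- req-id: a1f3 --></html>"
CAPTURE_2 = b"<html><p>Notice</p><!-- req-id: 9c0e --></html>"
HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
# Constructed answers from two independent resolvers (RFC 5737 test addresses)
DNS = {"resolver_a": ["203.0.113.10", "203.0.113.11"],
       "resolver_b": ["203.0.113.10"]}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquisition_record(url, body, headers, dns_answers, captured_at):
    """Manifest for one capture: what was fetched, when, which addresses
    the name resolved to, and a digest of the exact bytes received."""
    rec = {
        "url": url,
        "captured_at": captured_at.isoformat(),
        "body_sha256": sha256_hex(body),
        "headers_sha256": sha256_hex(json.dumps(sorted(headers.items())).encode()),
        "dns": {r: sorted(ips) for r, ips in dns_answers.items()},
    }
    # One digest over the whole manifest, so no field can be altered unnoticed
    rec["manifest_sha256"] = sha256_hex(json.dumps(rec, sort_keys=True).encode())
    return rec

def verify_record(rec) -> bool:
    """Recompute the manifest digest; False if any field was changed."""
    fields = {k: v for k, v in rec.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(fields, sort_keys=True).encode()) == rec["manifest_sha256"]

def dns_consensus(dns_answers):
    """Addresses every resolver agrees on, and those only some returned."""
    sets = [set(v) for v in dns_answers.values()]
    agreed = set.intersection(*sets)
    return sorted(agreed), sorted(set.union(*sets) - agreed)

def same_content(rec_a, rec_b) -> bool:
    return rec_a["body_sha256"] == rec_b["body_sha256"]

def demo_records():
    t = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return (acquisition_record(URL, CAPTURE_1, HEADERS, DNS, t),
            acquisition_record(URL, CAPTURE_2, HEADERS, DNS, t))
```

Calling `demo_records()` returns the two manifests; `same_content` on them is False because of the per-request token, while `dns_consensus(DNS)` separates the address both resolvers returned from the one only a single resolver saw.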

Analysis issues

As said before, in the cloud context everything is virtualised, which means that it is basically impossible to retrieve deleted data, or even fragments of it. In the very unlikely case that you need to investigate the hypervisor software of a virtualized system, it will be almost impossible because of the lack of knowledge and tools. The only actor able to do it is the provider of the hypervisor itself, but this often goes against their own interest: disclosing that your hypervisor has been compromised is not a smart business choice, so collaboration from hypervisor manufacturers is not to be expected.

Attribution issues

As seen previously, attribution is already hard in cyberspace (e.g. IP spoofing, attribution to a technical source is not the same as attribution to an agent, etc.). Cloud infrastructures add a further layer of indirection, which only makes it harder.

  • Geographic location

    • Some judiciary acts require a physical location

    • Criminal investigation/prosecution based on physical locations

    • Applicable law depends on physical location

  • Electronic data is unique in that it may actually span multiple physical locations! No other artifact has, or ever had, this property.

  • The Budapest Convention supports the concept of electronic search and seizure, but the removal of obstacles (i.e. legally forced access to systems) cannot be ordered across countries.

  • Contract and Service Level Agreement issues with Cloud Service Providers

Example of legal issues: some time ago Dropbox used to buy storage space from AWS (S3). Who is the actual service provider? Is the data Dropbox's or AWS's responsibility? Which US state is involved?

Dual criminality: to obtain help from another police jurisdiction, the crime you are investigating must be a crime in both countries. For instance, many defamation offences prosecuted in Italy aren't crimes in the USA.

Forensically enabled clouds

FEC: cloud service providers that satisfy certain requirements for forensic applications.

Why should they care? There are laws, for example in Europe, that enforce such policies (e.g. iCloud in the USA). Some of the best-known cloud providers now have a dedicated helpdesk that handles only this type of relationship with law enforcement.

Requirements for a CSP to offer "forensic friendly" services:

  1. Make an effort to store (snapshots of) volatile VM data in their infrastructure

  2. Make an effort to provide proof of past data possession

  3. Data location (?)

  4. Identity Management

  5. Encryption and Key Management

  6. Legal provision and SLAs
