Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 12 June - PowerPoint PPT Presentation

Cloud Forensics ASEAN CSA Summit 2015 Bangkok, Thailand 11 – 12 June 2015 Dr Kim-Kwang Raymond Choo

The role of digital forensics in incident handling Sources of digital evidence: Any computing devices capable of storing electronic information (including your smart fridge and smart TV).

Digital forensics: Challenges of cloud computing “little guidance exists on how to acquire and conduct forensics in a cloud environment” ( National Institute of Standards and Technology 2011, p.64) “[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…” (Birk and Wegener 2011, p.9) “[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” by previous Director of US Department of Defence Computer Forensics Laboratory and the previous Chief Scientist at US Air Force Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15) Need for evidence-based digital forensic framework to guide investigations, which is • Flexible/generic enough to be able to work with future providers offering new services, yet • Be able to step an investigation through a formalized process to ensure information sources are identified and preserved.

The first cloud forensic framework 1. Commence (Scope) Determine the scope of the investigation, the requirements and limitations, prepare equipment and expertise. 2. Identification and Preservation It is critical that preservation commences as soon as cloud computing use is discovered in a case, as such it is combined with identification in this model. 3. Collection Iterative The potential difficulties in collection of cloud computing data dictates the requirement for collection to be represented as a separate step. 4. Examination and Analysis Examination of the collected data allows the investigator to locate the evidence in the data, analysis transforms this data into evidence. 5. Reporting and Presentation This step relates to reporting and presenting evidence to court. As such this step will remain mostly unchanged. 6. Feedback and Complete This step relates to a review of the findings and a decision to finalise the case or expand the analysis. Quick D, Martini B & Choo K-KR 2014. Cloud storage forensics . Syngress, an Imprint of Elsevier

Cloud storage forensic preservation: A snapshot System tray link RAM password DBAN cleartext Dropbox Yes Yes No Microsoft Skydrive Yes (but not full Yes No access to an account) Google Drive Yes Yes (and also on HDD) No Eraser/CCleaner Configuration files Mobile Dropbox Remnants Yes (Old) / Encrypted Browser (New) Microsoft Skydrive Remnants Yes Browser Google Drive Remnants Yes Browser

Cloud forensics Our recent book “Cloud Storage Forensics, 1 st Edition”, please visit http://store.elsevier.com/product.jsp?isbn=9780124199705 . The book’s forewords are written by Australia’s Chief Defence Scientist ( 首席澳大利亚国防科学家及国防科技组织 (DSTO) 领导人 ) and the Chair of Electronic Evidence Specialist Advisory Group , Senior Managers of Australian and New Zealand Forensic Laboratories. Highly Commended Award in the 2014 “Best Chapter in a Book” Category by Australia New Zealand Policing Advisory Agency (ANZPAA) National Institute of Forensic Science (NIFS)

Evidence collection and analysis methodology for Android devices Martini B, Do Q and Choo K-K R 2015. Chapter 14 – Conceptual evidence collection and analysis methodology for Android devices. In Ko R and Choo K-K R, editors, Cloud Security Ecosystem, pp. 285 – 307, Syngress, an Imprint of Elsevier

Evidence collection and analysis methodology for Android devices Implemented the methodology using six popular cloud apps and one password sync app • Dropbox (version 2.4.1); OneDrive (version 2.5.1); Box (version 3.0.2); ownCloud (version 1.5.5); Evernote (version 5.8.1); OneNote (version 15.0.2727.2300); and Universal Password Manger (version 1.15) Information recovered include: • Cached or offline files on the device’s external storage • File metadata (both for files cached on the device and files stored on the server) on internal storage in an SQLite database • … using the information obtained, we could access the cloud service’s servers as the user (and access their files) on the device for five of the six apps we tested that communicated and authenticated with their servers Martini B, Do Q and Choo K-K R 2015. Chapter 15 – Mobile cloud forensics: An analysis of seven popular Android apps. In Ko R and Choo K-K R, editors, Cloud Security Ecosystem, pp. 309 – 345, Syngress, an Imprint of Elsevier

Six-step remote programmatic forensic collection process Process However, unclear 1 Obtain Organization administrator credentials : These can be obtained from the . administrator directly if they are willing to supply them. Otherwise, they can be whether existing obtained from their client devices or the CSP. legislation permits use 2 Connect to the environment and collect the available events (logs) : As . changes to the events will be unavoidable in remote cloud forensics, modification of of remote real-time this evidence source should be kept to a minimum by collecting these logs first. evidence preservation 3 Collect Organizational metadata : This metadata includes basic details such as . Organization name, description, quotas, records of the members in the Organization and collection and references to the Organization VDCs. processes and tools 4 Collect VDC metadata : Using the Organization VDC references, we iterate . through the VDC objects extracting relevant metadata including name, description, (without suspect’s allocation model and capacity information. We also collect references to the VDCs provisioned vApps. approval) to collect / 5 Collect vApp metadata and VM data : vApps contain significant metadata which preserve evidential . may be of forensic interest and also contain references to the OVF and VMDK files. This metadata includes name, description, compute capacity, creation date, owner, material stored or held deployment and storage lease expiry dates and sharing permissions. References to the vApps constituent VMs should also be collected. overseas without a mutual assistance 6 Collect VM metadata : In addition to vApps constituent VM files, a selection of VM . metadata is also available which may be of forensic interest. This includes names, request. descriptions, creation dates, capacity information, IP addresses and potentially login credentials. Martini B and Choo K-K R 2014. Remote Programmatic vCloud Forensics: A Six-Step Collection Process and a Proof of Concept. In Proceedings of 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2014), pp. 935 – 942, 24 – 26 September 2014, IEEE Computer Society Press

Forensic (remote) data collection and data reduction Novel data collection techniques (Australian Provisional Patent 2014905255) • Limitations due to current forensic techniques making use of vendor data communication facilities built into the client devices (e.g. iTunes backup for iOS devices), inability to circumvent advanced security features and anti-forensic features, etc • Developed data (remote) collection / exfiltration techniques for forensic / criminal intelligence Commercialisation : A system designed by forensic and security experts, but can be used by the average IT person without forensic and security training

A rat race A race not only to keep up with device (i.e. hardware) and software (e.g. app and operating systems) releases by providers, but also from software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence. • ‘ Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney ’ (Australian Broadcasting Corporation 2014). • NSW Crime Commission’s 2012 - 2013 annual report stated that ‘ [a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community ’.

http://www.d2dcrc.com. au/news/rcunisa/