Cloud Forensics
ASEAN CSA Summit 2015, Bangkok, Thailand, 11-12 June 2015
Dr Kim-Kwang Raymond Choo
The role of digital forensics in incident handling
Sources of digital evidence:
Any computing device capable of storing electronic information (including your smart fridge and smart TV).
Digital forensics: Challenges of cloud computing
“little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)
“[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…” (Birk and Wegener 2011, p.9)
“[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” by the previous Director of the US Department of Defence Computer Forensics Laboratory and the previous Chief Scientist at the US Air Force Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15)
Need for an evidence-based digital forensic framework to guide investigations, which is:
- flexible/generic enough to work with future providers offering new services, yet
- able to step an investigation through a formalized process to ensure information sources are identified and preserved.
The first cloud forensic framework (iterative)
1. Commence (Scope)
Determine the scope of the investigation, the requirements and limitations; prepare equipment and expertise.
2. Identification and Preservation
It is critical that preservation commences as soon as cloud computing use is discovered in a case; as such, it is combined with identification in this model.
3. Collection
The potential difficulties in collecting cloud computing data dictate that collection be represented as a separate step.
4. Examination and Analysis
Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.
5. Reporting and Presentation
This step relates to reporting and presenting evidence to court. As such, this step will remain mostly unchanged.
6. Feedback and Complete
This step relates to a review of the findings and a decision to finalise the case or expand the analysis.
Quick D, Martini B & Choo K-KR 2014. Cloud storage forensics. Syngress, an Imprint of Elsevier
Cloud storage forensic preservation: A snapshot

Service            | System tray link                          | RAM password cleartext | DBAN
Dropbox            | Yes                                       | Yes                    | No
Microsoft Skydrive | Yes (but not full access to an account)   | Yes                    | No
Google Drive       | Yes                                       | Yes (and also on HDD)  | No

Service            | Eraser/CCleaner | Configuration files           | Mobile
Dropbox            | Remnants        | Yes (Old) / Encrypted (New)   | Browser
Microsoft Skydrive | Remnants        | Yes                           | Browser
Google Drive       | Remnants        | Yes                           | Browser
Cloud forensics: Our recent book
“Cloud Storage Forensics, 1st Edition”: please visit http://store.elsevier.com/product.jsp?isbn=9780124199705. The book’s forewords are written by Australia’s Chief Defence Scientist (and head of the Defence Science and Technology Organisation, DSTO) and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories. Highly Commended Award in the 2014 “Best Chapter in a Book” category by the Australia New Zealand Policing Advisory Agency (ANZPAA) National Institute of Forensic Science (NIFS).
Evidence collection and analysis methodology for Android devices
Martini B, Do Q and Choo K-K R 2015. Chapter 14 – Conceptual evidence collection and analysis methodology for Android devices. In Ko R and Choo K-K R, editors, Cloud Security Ecosystem, pp. 285–307, Syngress, an Imprint of Elsevier
Implemented the methodology using six popular cloud apps and one password sync app:
- Dropbox (version 2.4.1); OneDrive (version 2.5.1); Box (version 3.0.2); ownCloud (version 1.5.5); Evernote (version 5.8.1); OneNote (version 15.0.2727.2300); and Universal Password Manager (version 1.15)
Information recovered includes:
- Cached or offline files on the device’s external storage
- File metadata (both for files cached on the device and files stored on the server) on internal storage in an SQLite database
- … using the information obtained, we could access the cloud service’s servers as the user (and access their files) on the device for five of the six apps we tested that communicated and authenticated with their servers
Evidence collection and analysis methodology for Android devices
Martini B, Do Q and Choo K-K R 2015. Chapter 15 – Mobile cloud forensics: An analysis of seven popular Android apps. In Ko R and Choo K-K R, editors, Cloud Security Ecosystem, pp. 309–345, Syngress, an Imprint of Elsevier
Six-step remote programmatic forensic collection process
Martini B and Choo K-K R 2014. Remote Programmatic vCloud Forensics: A Six-Step Collection Process and a Proof of Concept. In Proceedings of the 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2014), pp. 935–942, 24–26 September 2014, IEEE Computer Society Press
Process:
1. Obtain Organization administrator credentials: These can be obtained from the administrator directly if they are willing to supply them. Otherwise, they can be obtained from their client devices or the CSP.
2. Connect to the environment and collect the available events (logs): As changes to the events will be unavoidable in remote cloud forensics, modification of this evidence source should be kept to a minimum by collecting these logs first.
3. Collect Organization metadata: This metadata includes basic details such as Organization name, description, quotas, records of the members in the Organization and references to the Organization VDCs.
4. Collect VDC metadata: Using the Organization VDC references, we iterate through the VDC objects extracting relevant metadata including name, description, allocation model and capacity information. We also collect references to the VDC’s provisioned vApps.
5. Collect vApp metadata and VM data: vApps contain significant metadata which may be of forensic interest and also contain references to the OVF and VMDK files. This metadata includes name, description, compute capacity, creation date, owner, deployment and storage lease expiry dates and sharing permissions. References to the vApp’s constituent VMs should also be collected.
6. Collect VM metadata: In addition to the vApp’s constituent VM files, a selection of VM metadata is also available which may be of forensic interest. This includes names, descriptions, creation dates, capacity information, IP addresses and potentially login credentials.
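The six-step process above, walked through as an added example. This is not the authors' proof-of-concept code and it does not use the vCloud Director API: the tenant object model, its field names, the `admin_token` credential and all sample data are constructed for this illustration. It shows why the events are snapshotted first (every later read appends to the provider's event log), how the reference chain Organization -> VDC -> vApp -> VM drives the traversal, and how each collected artefact is hashed into a manifest that can be re-verified later.

```python
"""Added example (not the authors' proof-of-concept code): the six-step collection
process, run against a constructed in-memory model of a vCloud-style tenant.
Object layout, field names and data are assumptions made for this example and do
not reflect the vCloud Director API."""
import copy
import hashlib
import json
from datetime import datetime, timezone


def make_sample_tenant() -> dict:
    """Constructed tenant: objects hold references (ids) to their children,
    Organization -> VDCs -> vApps -> VMs, mirroring the process description."""
    return {
        "admin_token": "constructed-admin-token",  # stands in for the step 1 credentials
        "events": [
            {"time": "2015-06-01T09:12:00Z", "type": "vapp/deploy", "target": "vapp-1", "user": "alice"},
            {"time": "2015-06-02T14:40:00Z", "type": "vm/poweroff", "target": "vm-1", "user": "bob"},
        ],
        "organization": {"name": "acme", "description": "constructed tenant", "quotas": {"vms": 10},
                         "members": ["alice", "bob"], "vdcs": ["vdc-1"]},
        "vdcs": {"vdc-1": {"name": "prod", "description": "", "allocation_model": "AllocationPool",
                           "capacity": {"cpu_mhz": 8000, "memory_mb": 32768}, "vapps": ["vapp-1"]}},
        "vapps": {"vapp-1": {"name": "web-tier", "description": "", "owner": "alice",
                             "created": "2015-05-20T10:00:00Z", "compute": {"cpu": 2, "memory_mb": 4096},
                             "deployment_lease_expiry": None, "storage_lease_expiry": "2015-12-31T00:00:00Z",
                             "shared_with": [], "vms": ["vm-1"],
                             "files": {"vapp-1.ovf": b"<Envelope/>", "disk-0.vmdk": b"KDMV constructed bytes"}}},
        "vms": {"vm-1": {"name": "web01", "description": "", "created": "2015-05-20T10:05:00Z",
                         "capacity": {"cpu": 2, "memory_mb": 4096}, "ip_addresses": ["10.0.0.5"]}},
    }


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON so a metadata record can be re-verified later."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticate(tenant: dict, token: str) -> bool:
    """Step 1 happens out of band (administrator, client device or CSP); here the
    supplied credential is simply checked against the constructed tenant."""
    return token == tenant["admin_token"]


def _log_read(tenant: dict, target: str) -> None:
    """Every remote read leaves a trace in the provider's own event log; this is
    the unavoidable modification the process tries to keep to a minimum."""
    tenant["events"].append({"time": datetime.now(timezone.utc).isoformat(),
                             "type": "api/read", "target": target, "user": "collector"})


def collect(tenant: dict, token: str) -> list:
    """Run steps 2-6 in order and return a manifest: one hashed entry per artefact."""
    if not authenticate(tenant, token):
        raise PermissionError("Organization administrator credentials required")
    manifest = []

    def record(step, kind, ref, obj=None, digest=None):
        manifest.append({"step": step, "type": kind, "ref": ref,
                         "sha256": digest if digest else canonical_hash(obj),
                         "collected_at": datetime.now(timezone.utc).isoformat()})

    # Step 2: snapshot the events before any other read adds entries to them.
    record(2, "events", "organization-events", copy.deepcopy(tenant["events"]))
    # Step 3: Organization metadata, including the references to its VDCs.
    _log_read(tenant, "organization")
    org = tenant["organization"]
    record(3, "organization", org["name"], org)
    # Step 4: follow the VDC references; collect metadata and the vApp references.
    vapp_refs = []
    for vdc_ref in org["vdcs"]:
        _log_read(tenant, vdc_ref)
        vdc = tenant["vdcs"][vdc_ref]
        record(4, "vdc", vdc_ref, vdc)
        vapp_refs.extend(vdc["vapps"])
    # Step 5: vApp metadata plus the referenced OVF/VMDK files; note the VM references.
    vm_refs = []
    for vapp_ref in vapp_refs:
        _log_read(tenant, vapp_ref)
        vapp = tenant["vapps"][vapp_ref]
        record(5, "vapp", vapp_ref, {k: v for k, v in vapp.items() if k != "files"})
        for name, data in vapp["files"].items():
            record(5, "vapp-file", f"{vapp_ref}/{name}", digest=sha256_bytes(data))
        vm_refs.extend(vapp["vms"])
    # Step 6: VM metadata for every VM referenced by the collected vApps.
    for vm_ref in vm_refs:
        _log_read(tenant, vm_ref)
        record(6, "vm", vm_ref, tenant["vms"][vm_ref])
    return manifest


if __name__ == "__main__":
    tenant = make_sample_tenant()
    for entry in collect(tenant, "constructed-admin-token"):
        print(entry["step"], entry["type"], entry["ref"], entry["sha256"][:16])
```

Running the script prints one manifest line per artefact in step order (2, 3, 4, 5, 5, 5, 6). After the run the live tenant holds four more events than the snapshot recorded in step 2, which is the footprint the process keeps small by collecting the log first.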
However, it is unclear whether existing legislation permits the use of remote real-time evidence preservation and collection processes and tools (without the suspect’s approval) to collect / preserve evidential material stored or held overseas without a mutual assistance request.
Forensic (remote) data collection and data reduction
Novel data collection techniques (Australian Provisional Patent 2014905255)
- Limitations due to current forensic techniques making use of vendor data communication facilities built into the client devices (e.g. iTunes backup for iOS devices), inability to circumvent advanced security features and anti-forensic features, etc.
- Developed (remote) data collection / exfiltration techniques for forensic / criminal intelligence purposes
Commercialisation: A system designed by forensic and security experts, but one that can be used by the average IT person without forensic and security training
A rat race
A race not only to keep up with device (i.e. hardware) and software (e.g. app and operating system) releases by providers, but also with software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence.
- ‘Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney’ (Australian Broadcasting Corporation 2014).
- NSW Crime Commission’s 2012-2013 annual report stated that ‘[a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community’.
http://www.d2dcrc.com.au/news/rcunisa/
Big forensic data challenges in law enforcement and criminal intelligence investigations
Research gaps remain in relation to the digital forensic data volume challenge, particularly for real-world applications:
- Data reduction techniques,
- Data mining,
- Intelligence analysis,
- Use of open and closed source information,
etc.
A data reduction process holds the potential to influence a range of digital forensic stages, such as collection, processing and analysis, and to provide for intelligence, knowledge, and future needs.
Quick D and Choo K-K R 2014. Data reduction and data mining framework for digital forensic evidence: Storage, intelligence, review, and archive. Trends & Issues in Crime and Criminal Justice 480: 1–11. http://aic.gov.au/media_library/publications/tandi_pdf/tandi480.pdf
Quick D and Choo K-K R 2014. Impacts of Increasing Volume of Digital Forensic Data: A Survey and Future Research Challenges. Digital Investigation 11(4): 273–294. http://dx.doi.org/10.1016/j.diin.2014.09.002
Data reduction
Big forensic data reduction method (Australian Provisional Patent 2014905242)
Using an earlier version of our data reduction method resulted in a significant reduction in storage requirements; we managed to
- Reduce the subset to 0.196 percent and 0.75 percent respectively of the original dataset volume from the SA Police Electronic Crime Section and the Digital Corpora Forensic Images from the U.S. Naval Postgraduate School
- Reduce the subset to 0.206 percent of a different original dataset volume from the SA Police Electronic Crime Section
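To make the "percent of original dataset volume" measure concrete, here is an added example of a generic first-pass data reduction: drop files whose hashes match a known-good reference set, then keep only file types of evidential interest, and report the retained bytes as a percentage of the original volume. This is an illustration written for this page, not the patented reduction method, and it is not the authors' code; the file listing, sizes, hash placeholders, the known-good set and the extension list are all constructed assumptions.

```python
"""Added example of a generic forensic data reduction pass (an illustration, not
the patented method): from a constructed disk file listing, keep only files of
evidential interest that are not known-good, and report the retained subset as a
percentage of the original volume."""
from collections import Counter
import os

# Constructed listing: paths, sizes and hash values are all made up for this example.
SAMPLE_LISTING = [
    {"path": "C:/Windows/System32/kernel32.dll", "size": 1_200_000, "sha256": "placeholder-kernel32"},
    {"path": "C:/Windows/System32/ntoskrnl.exe", "size": 7_000_000, "sha256": "placeholder-ntoskrnl"},
    {"path": "C:/pagefile.sys", "size": 4_000_000_000, "sha256": "placeholder-pagefile"},
    {"path": "C:/Users/alice/Documents/report.docx", "size": 120_000, "sha256": "placeholder-report"},
    {"path": "C:/Users/alice/Pictures/IMG_0001.jpg", "size": 3_500_000, "sha256": "placeholder-img0001"},
    {"path": "C:/Users/alice/Downloads/setup.exe", "size": 45_000_000, "sha256": "placeholder-setup"},
    {"path": "C:/Users/alice/Documents/notes.txt", "size": 2_000, "sha256": "placeholder-notes"},
    {"path": "C:/Users/alice/Pictures/wallpaper.jpg", "size": 800_000, "sha256": "placeholder-default-wallpaper"},
    {"path": "C:/Users/alice/AppData/Local/app/chat.db", "size": 500_000, "sha256": "placeholder-chatdb"},
]

# Known-good hash set (in practice a reference library of OS/vendor file hashes);
# these placeholder values are constructed to match the listing above.
KNOWN_GOOD_HASHES = {"placeholder-kernel32", "placeholder-ntoskrnl", "placeholder-default-wallpaper"}

# File types an examiner would typically want in a first-pass subset (an assumption).
EVIDENTIAL_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".jpeg", ".png", ".db", ".sqlite"}


def classify(entry, known_hashes, extensions) -> str:
    """Known-good files are dropped first (regardless of type), then anything
    outside the evidential file types; what remains is kept."""
    if entry["sha256"] in known_hashes:
        return "known-good"
    if os.path.splitext(entry["path"])[1].lower() not in extensions:
        return "not-of-interest"
    return "keep"


def reduce_listing(listing, known_hashes=KNOWN_GOOD_HASHES, extensions=EVIDENTIAL_EXTENSIONS):
    """Return (subset, reasons): the retained entries and a count per verdict,
    so the exclusions can be reviewed and justified in the case record."""
    subset, reasons = [], Counter()
    for entry in listing:
        verdict = classify(entry, known_hashes, extensions)
        reasons[verdict] += 1
        if verdict == "keep":
            subset.append(entry)
    return subset, reasons


def reduction_percent(listing, subset) -> float:
    """Retained bytes as a percentage of the original volume."""
    total = sum(e["size"] for e in listing)
    return 100.0 * sum(e["size"] for e in subset) / total


if __name__ == "__main__":
    kept, why = reduce_listing(SAMPLE_LISTING)
    for e in kept:
        print("keep", e["path"], e["size"])
    print(dict(why))
    print(f"subset is {reduction_percent(SAMPLE_LISTING, kept):.3f}% of original volume")
```

On the constructed listing the four retained files amount to roughly 0.1 percent of the original volume, because the page file and the installer dominate the byte count; the `reasons` counter records why each of the other five files was excluded, which is the part of the process a reviewer will ask about.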
Dr Kim-Kwang Raymond Choo