8/19/2013
CLOUD FORENSICS WITH F-RESPONSE
Leveraging F-Response, X-Ways, and USB-Over-
Ethernet to provide Incident Response and Forensics
Services on Cloud Hosted Servers
F-Response is a Registered Trademark of Agile Risk Management LLC. For more information on F-Response, or any
part of the solution presented in this paper, please contact us on the web at www.f-response.com.
PROVIDING CLOUD FORENSICS VIA F-RESPONSE
Page 2 8/19/2013
TABLE OF CONTENTS
Table of Contents (page 2)
Challenge (page 3)
Solution (page 4)
Prerequisites (page 5)
Example (page 6)
  Create the Cloud Server (page 6)
  Deploy tools to the Cloud Server (page 7)
  Connect to multiple Forensic Dongles with USB Over Ethernet (page 8)
  Configure F-Response Networking (page 9)
  Configure Target Cloud Server(s) Firewalls to allow Examiner access (page 10)
  Install/Start F-Response on one or more Cloud Servers (page 11)
  Perform analysis on one or more F-Response connected cloud servers (page 12)
Legal Notices (page 13)
CHALLENGE
When it comes to performing Incident Response or Computer Forensics services on Cloud Servers, the
traditional forensic collection and acquisition model is clearly unsuitable. Simply put, powering down the
machine and detaching its hard drive is not viable with Cloud Servers.
Why?
Primarily because Cloud Servers aren't really physical servers; they are typically virtual machines allocated
on demand using one of a dozen or more hypervisor [1] technologies, so there is no physical disk belonging to
the server that an examiner could remove. Secondly, the hardware these servers run on is typically shared by
a number of customers, many of whom would undoubtedly balk at a request to power down their server(s)
and pull the shared disk resources.
[1] A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware
that creates and runs virtual machines. (http://en.wikipedia.org/wiki/Hypervisor)
SOLUTION
Using existing software technologies and a single Cloud Server, it is possible to deliver the equivalent of a
complete onsite solution to virtually any cloud hosted server, anywhere in the world, on demand, and with
minimal preparation.
[Diagram: a Cloud Server Provider hosting N+ Cloud Servers with internal cloud network access; a dedicated Forensic/IR Cloud Server running F-Response and X-Ways inside the same provider; and a Remote Analyst reaching the dedicated server over RDP, with dongles forwarded via USB-Over-Ethernet/RDP.]
The solution hinges on being able to leverage USB forwarding technology to shift your existing dongle-
based software licenses to a remote virtual machine running within the Cloud environment. To
accomplish this we recommend KernelPro's USB-Over-Ethernet ("USBoE") software product. USBoE
allows remote examiners (aka consultants) to forward their physical software license dongles to the
Dedicated Forensic/IR Cloud Server hosted at the Cloud provider.
Once connected to the dedicated server, the remote examiner can deploy F-Response to one or more
remote targets over the provider's internal network and begin working with the computer forensics,
e-Discovery, or incident response applications installed on that server.
Additional storage may be configured through the individual cloud provider to hold collected images and
other output.
PREREQUISITES
Software Required:
KernelPro (www.usb-over-ethernet.com)
USB-Over-Ethernet
USB-Over-Ethernet provides USB device "forwarding" to
remote machines. In essence, USB hardware dongles,
such as those used by F-Response and other computer
forensic software vendors, can be forwarded to a
remote virtual or physical workstation at the client location.
F-Response (www.f-response.com)
F-Response Enterprise or Consultant + Covert Edition
F-Response Consultant + Covert or Enterprise provides
direct, read-only access to remote computers at the
client site. Using F-Response you can attach to remote
machines from within the client environment and access
their physical disks, logical volumes, and physical memory in real time.
X-Ways (www.x-ways.com)
X-Ways Forensics
X-Ways Forensics is an advanced work environment for
computer forensic examiners. Highly efficient and well
conceived, X-Ways works well with F-Response, and the
two products together provide a compelling and cost-
effective solution.
EXAMPLE
CREATE THE CLOUD SERVER
The following example is presented using Rackspace Cloud Servers; the same process largely applies
to other Cloud Server providers (Amazon Web Services, Azure, HP Public Cloud, etc.).
The first step is to create a Forensic/IR server within the same region as your target server(s). In this
example we created a basic Windows Server 2008 R2 instance and outfitted it with the minimum resources
necessary to perform the basic example. Be sure to note the Administrator password set by the provider;
you will need it to access the machine via RDP, and you should change it at first login since the
provider-generated value has been handled outside your control.
Rackspace Cloud Servers provides a number of options when deploying a server. Pay close attention to the
Region your server will be placed in, as there is often no internal network access between regions, and the
whole approach depends on reaching the target servers over the internal network.
DEPLOY TOOLS TO THE CLOUD SERVER
Once the remote Cloud Server is operational, connect to it using Remote Desktop and configure it with
your forensic tools (F-Response, X-Ways, and USB-Over-Ethernet). In many cases the Windows server
images are hardened in ways that make it difficult to download files from remote sites, especially when
those sites are served over HTTPS (as the F-Response site is). Confirm that the Internet Explorer
setting "Do not save encrypted pages to disk" (Internet Options -> Advanced -> Security) is unchecked;
while it is enabled, the F-Response download will fail.
You will want to download and install the following applications:
USB over Ethernet Client
F-Response Enterprise
X-Ways Forensics
Specific details on configuring each individual product are outside the scope of this whitepaper. Additional
details on configuration and usage can be found on the F-Response Mission Guides and Documentation
page on the F-Response website (www.f-response.com/support/missionguides).
CONNECT TO MULTIPLE FORENSIC DONGLES WITH USB OVER ETHERNET
Using the USB-Over-Ethernet Client (on the cloud server) and Server (on the examiner's workstation), we
can share out and connect to multiple licensing dongles at once.
The above screen capture shows connecting to a USB-Over-Ethernet hosted F-Response Enterprise dongle.
CONFIGURE F-RESPONSE NETWORKING
In our example, the newly deployed Cloud Server is configured with both an externally facing IP address
and an internally facing IP address. We will use the internal network interface to interact with the
subject computers in the Cloud, so we configure the F-Response License Manager to bind to the internal
interface only; binding it to the external address would expose the license service to the Internet for no
benefit. After starting it, confirm with netstat -ano that the listener shows the internal address rather
than 0.0.0.0.
F-Response License Manager bound to the internal network interface of the examiner cloud server.
CONFIGURE TARGET CLOUD SERVER(S) FIREWALLS TO ALLOW EXAMINER ACCESS
In order to access the target Cloud Server(s), we add Windows Firewall exceptions that allow remote
access and deployment. The most efficient way to do this is a rule allowing inbound access to the target
servers only from the internal IP address of your newly created forensic examiner server, rather than
opening the required ports to the whole cloud network.
The above screen capture shows the creation of a custom rule allowing access from the examiner cloud
hosted server.
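The two firewall changes this setup calls for, the target-side rule scoped to the examiner server and the examiner-side RDP restriction mentioned under "Create the Cloud Server", as an added PowerShell example written for this page, not taken from the whitepaper or from F-Response's tooling. It assumes the netsh advfirewall tool and the built-in "Remote Desktop (TCP-In)" rule name as they ship on Windows Server 2008 R2; the addresses 203.0.113.10 and 10.180.0.5 and the rule name "F-Response Examiner Access" are placeholders. This page does not list the ports F-Response needs, so the target rule is scoped by source address only; tighten it to the ports given in the Mission Guides once known.

```powershell
# Added example (not from the F-Response whitepaper): Windows Firewall scoping
# for the cloud forensics setup. Uses netsh advfirewall as shipped with Windows
# Server 2008 R2. All IP addresses and the custom rule name are placeholders.

# Run on the examiner (Forensic/IR) cloud server: list IPv4 addresses and flag
# the RFC 1918 ones, i.e. the internal interface the License Manager should be
# bound to. Uses WMI and New-Object so it also runs on PowerShell 2.0.
function Get-ExaminerAddressMap {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $_.IPAddress |
                Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
                ForEach-Object {
                    $isInternal = $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
                    New-Object PSObject -Property @{
                        Address = $_
                        Scope   = $(if ($isInternal) { 'internal' } else { 'external' })
                    }
                }
        }
}

# Run on the examiner server: narrow the pre-existing Remote Desktop rule so the
# analyst's workstation (placeholder address) is the only host that can reach RDP
# on the public interface, instead of the default remote scope of "Any".
function Set-ExaminerRdpScope {
    param([Parameter(Mandatory = $true)][string]$AnalystPublicIp)
    netsh advfirewall firewall set rule "name=Remote Desktop (TCP-In)" new "remoteip=$AnalystPublicIp"
}

# Run on each target cloud server: allow inbound traffic only from the examiner
# server's internal address, then display the rule so the RemoteIP scope can be
# checked before deploying F-Response to the target.
function Add-ExaminerAccessRule {
    param([Parameter(Mandatory = $true)][string]$ExaminerInternalIp)
    $ruleName = "F-Response Examiner Access"   # placeholder rule name
    netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow "remoteip=$ExaminerInternalIp"
    netsh advfirewall firewall show rule "name=$ruleName"
}

# Usage (placeholder addresses):
#   Get-ExaminerAddressMap                               # on the examiner server
#   Set-ExaminerRdpScope -AnalystPublicIp 203.0.113.10   # on the examiner server
#   Add-ExaminerAccessRule -ExaminerInternalIp 10.180.0.5   # on each target server
```

Each netsh token that contains a space or a variable is passed as one quoted PowerShell string so netsh receives it as a single argument. The examiner server needs the analyst's real egress address for the RDP scope; if that address changes, RDP access is lost until the rule is updated, which is the intended failure mode.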
INSTALL/START F-RESPONSE ON ONE OR MORE CLOUD SERVERS
The following are abbreviated steps from our F-Response Enterprise Mission Guides. You will find
more detailed steps for different operating systems and configurations on the F-Response website
(www.f-response.com/support/missionguides).
Using the supplied administrative credentials for the remote server(s), we install/start F-Response on one
or more Cloud Servers, then select one or more F-Response targets and log in.
The above screen capture shows the remote machine's "disk-0" presented by F-Response to our
examiner hosted forensic server as PhysicalDrive2.
PERFORM ANALYSIS ON ONE OR MORE F-RESPONSE CONNECTED CLOUD SERVERS
Using X-Ways Forensics, it is now possible to image or analyze the data residing on one or more
subject Cloud Servers. Because the subject server keeps running during acquisition, its disk continues to
change underneath the examiner; F-Response's read-only attachment protects the target from the
examiner, not from its own workload, so record the acquisition window and hash the image you produce
rather than expecting a repeatable hash of the live disk.
The above screen capture shows X-Ways Forensics performing analysis live on the newly attached
PhysicalDrive2.
LEGAL NOTICES
Copyright
Copyright © 2013 Agile Risk Management, LLC. All rights reserved. This document is protected by
copyright with all rights reserved.
Trademarks
F-Response is a trademark of Agile Risk Management, LLC. All other product names or logos mentioned
herein are used for identification purposes only, and are the trademarks of their respective owners.
Statement of Rights
Agile Risk Management, LLC products incorporate technology that is protected by U.S. patent and other
intellectual property (IP) rights owned by Agile Risk Management LLC, and other rights owners.
Disclaimer
While Agile Risk Management LLC has committed its best efforts to providing accurate information in this
document, we assume no responsibility for any inaccuracies that may be contained herein, and we
reserve the right to make changes to this document without notice.