
8/19/2013

CLOUD FORENSICS WITH F-RESPONSE

Leveraging F-Response, X-Ways, and USB-Over-Ethernet to provide Incident Response and Forensics Services on Cloud Hosted Servers

F-Response is a Registered Trademark of Agile Risk Management LLC. For more information on F-Response, or any part of the solution presented in this paper, please contact us on the web at www.f-response.com.


PROVIDING CLOUD FORENSICS VIA F-RESPONSE

Page 2 8/19/2013

TABLE OF CONTENTS

Table of Contents  2
Challenge  3
Solution  4
Prerequisites  5
Example  6
  Create the Cloud Server  6
  Deploy tools to the Cloud Server  7
  Connect to multiple Forensic Dongles with USB Over Ethernet  8
  Configure F-Response Networking  9
  Configure Target Cloud Server(s) Firewalls to allow Examiner access  10
  Install/Start F-Response on one or more Cloud Servers  11
  Perform analysis on one or more F-Response connected cloud servers  12
Legal Notices  13


CHALLENGE

When it comes to performing Incident Response or Computer Forensics Services on Cloud Servers, the traditional forensic collection and acquisition model is clearly unsuitable. Simply put, powering down and detaching the hard drive is just not viable with Cloud Servers.

Why?

Primarily because Cloud Servers aren't really physical servers; they are typically virtual servers allocated on demand using one of a dozen or more hypervisor[1] technologies. Secondly, the hardware these servers run on is typically shared by a number of customers, many of which would undoubtedly balk at the request to power down their server(s) and remove their shared disk resources.

[1] A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. (http://en.wikipedia.org/wiki/Hypervisor)


SOLUTION

Using existing software technologies and a single Cloud Server it is possible to deliver a complete onsite solution to virtually any cloud hosted server, anywhere in the world, on demand, and with minimal preparation.

[Figure: solution overview. A Cloud Server Provider hosts N+ Cloud Servers with internal Cloud network access and a Dedicated Forensic/IR Cloud Server running F-Response and X-Ways; a Remote Analyst reaches the dedicated server using RDP and USB-Over-Ethernet/RDP.]

The solution hinges on being able to leverage USB forwarding technology to shift your existing dongle-based software licenses to a remote virtual machine running within the Cloud environment. In order to accomplish this we recommend using KernelPro's USB-Over-Ethernet ("USBoE") software product. USBoE allows remote examiners (aka consultants) to forward their physical software license dongles to the Dedicated Forensic/IR Cloud Server hosted at the Cloud provider.

Once connected to the dedicated server the remote examiner can then deploy F-Response to one or more remote targets, and begin leveraging one or more remotely installed computer forensics, e-Discovery, or incident response applications.

Additional storage may be configured through the individual cloud provider to handle collection needs.


PREREQUISITES

Software Required:

KernelPro USB-Over-Ethernet (www.usb-over-ethernet.com)
USB-Over-Ethernet provides USB device "forwarding" to remote machines. In essence, USB hardware dongles, such as those used by F-Response and other computer forensics software manufacturers, can be forwarded to a remote virtual or physical workstation at the client location.

F-Response Enterprise or Consultant + Covert Edition (www.f-response.com)
F-Response Consultant + Covert or Enterprise provide direct, read-only access to remote computers at the client site. Using F-Response you can attach to remote machines from within the client environment and access physical disks, logical volumes, and physical memory in real time.

X-Ways Forensics (www.x-ways.com)
X-Ways Forensics is an advanced work environment for computer forensic examiners. Highly efficient and well conceived, X-Ways works well with F-Response, and the two products together provide a compelling and cost-effective solution.


EXAMPLE

CREATE THE CLOUD SERVER

The following example is presented using Rackspace Cloud Servers; the same process would largely apply to other Cloud Server providers (Amazon Web Services, Azure, HP Public Cloud, etc.).

The first step is to create a Forensic/IR server within the same region as your target server(s). In this example we created a basic Windows 2008 R2 Server and outfitted it with the minimum resources necessary to perform the basic example. Be sure to note the Administrative password set by the provider; you will need this password to access your machine via RDP.

Rackspace Cloud Servers provides a number of options when deploying a server. Be sure to pay close attention to the Region your server will be placed in, as there is often no internal network access between regions.


DEPLOY TOOLS TO THE CLOUD SERVER

Once the remote Cloud Server is operational you will need to connect to that server using Remote Desktop and configure it with your Forensic Tools (F-Response, X-Ways, and USB-Over-Ethernet). In many cases the Windows servers are hardened to make it difficult to download files from remote sites, especially if those sites are SSL encrypted (as is the case with F-Response). As such you'll want to confirm that the Security setting in Internet Explorer (Advanced -> Security -> Do not save encrypted pages to disk) is unchecked.

Many Windows Server configurations have additional controls configured which make it challenging to download files; the above setting must be unchecked to allow F-Response to be downloaded.
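As an added example (not part of the original whitepaper), the Internet Explorer option above can be checked and cleared from the RDP session with PowerShell instead of through the Internet Options dialog on every new examiner server. The registry value used here is the one Internet Explorer stores that option in; the script itself is an addition of this edit, not F-Response's.

```powershell
# Added example: read and clear IE's "Do not save encrypted pages to disk"
# option on the examiner cloud server. IE keeps it as the DWORD
# DisableCachingOfSSLPages under the current user's Internet Settings key
# (1 = checked, 0 or absent = unchecked). No elevation is needed for HKCU.
# Caveat: if Group Policy enforces the option, the Policies hive wins and
# this HKCU change has no effect; the value below will read 0 while IE still
# refuses to cache, which is your signal to look at policy instead.

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$name = 'DisableCachingOfSSLPages'

function Get-SslPageCachingBlocked {
    # True when the box is checked (value present and set to 1).
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($prop -ne $null -and $prop.$name -eq 1)
}

function Enable-SslPageCaching {
    # Uncheck the option for the RDP session user; IE reads it on next start.
    if (Get-SslPageCachingBlocked) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        Write-Output "Cleared $name; restart Internet Explorer before downloading."
    } else {
        Write-Output "$name is already unchecked."
    }
}

Enable-SslPageCaching
```

Run it in the same user context you will use to download the installers; the setting is per-user, so a different RDP account will see its own copy.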

You will want to download and install the following applications:

USB over Ethernet Client
F-Response Enterprise
X-Ways Forensics

Specific details on configuring each individual product are outside the scope of this whitepaper; additional details on configuration and usage can be found on the F-Response Mission Guides and Documentation page on the F-Response Website (www.f-response.com/support/missionguides).


CONNECT TO MULTIPLE FORENSIC DONGLES WITH USB OVER ETHERNET

Using the USB Over Ethernet Client and Server we can share out and connect to multiple licensing dongles.

[Screen capture: connecting to a USB-Over-Ethernet hosted F-Response Enterprise dongle.]


CONFIGURE F-RESPONSE NETWORKING

In our example, the newly deployed Cloud Server is configured with both an externally facing IP address and an internally facing IP address. We will be using the internal network interface to interact with other subject computers in the Cloud; as such, we will want to configure the F-Response License Manager to bind to the internal network interface.

[Screen capture: F-Response License Manager bound to the internal network interface of the examiner cloud server.]


CONFIGURE TARGET CLOUD SERVER(S) FIREWALLS TO ALLOW EXAMINER ACCESS

In order to access the target Cloud Server(s) we will make Windows Firewall exceptions to allow for remote access and deployment. The most efficient way to do this is by applying a Firewall rule allowing inbound access to the remote servers only from your newly created forensic examiner server, rather than from any address.

[Screen capture: creation of a custom rule allowing access from the examiner cloud hosted server.]
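As an added example covering this step and the License Manager step before it (not part of the original whitepaper), the following PowerShell finds the examiner server's internal address and creates a target-side firewall rule that admits only that address. It is written for Windows Server 2008 R2, where the NetSecurity cmdlets do not exist, so it uses WMI and netsh. Two things are assumptions rather than statements from the paper: port 3260/tcp, the iSCSI port F-Response targets normally listen on (confirm it against the Mission Guides for your edition), and the sample address 10.180.0.5, which is constructed for the example.

```powershell
# Added example (not F-Response's code): scope target firewall exceptions to
# the examiner server's internal RFC 1918 address instead of "any".

function Test-Rfc1918 {
    param([string]$Address)
    # Private ranges: 10/8, 172.16/12, 192.168/16
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-InternalIPv4 {
    # Run on the examiner server. Returns the first RFC 1918 IPv4 address on an
    # IP-enabled adapter: the address to bind the License Manager to and the
    # only source the targets should accept.
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($cfg in $cfgs) {
        foreach ($ip in $cfg.IPAddress) {
            if (Test-Rfc1918 $ip) {
                return New-Object PSObject -Property @{
                    Adapter = $cfg.Description; Address = $ip
                }
            }
        }
    }
    throw "No RFC 1918 IPv4 address found; check the server's internal network."
}

function Add-ExaminerFirewallRule {
    param(
        [Parameter(Mandatory=$true)][string]$ExaminerIp,
        [int]$Port = 3260,                        # assumption: F-Response iSCSI target port
        [string]$RuleName = 'FResponse-Examiner'  # no spaces, so netsh needs no quoting
    )
    # Run on each target cloud server. Refuse to open the rule to anything that
    # is not an internal address; the examiner must be reached over the
    # provider's internal network, never over its public IP.
    if (-not (Test-Rfc1918 $ExaminerIp)) {
        throw "Refusing to open a rule to a non-internal address: $ExaminerIp"
    }
    & netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow `
        protocol=TCP "localport=$Port" "remoteip=$ExaminerIp" profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    # Show the rule back so it can be recorded in the case notes and removed
    # (netsh advfirewall firewall delete rule name=...) when the engagement ends.
    & netsh advfirewall firewall show rule "name=$RuleName"
}

# Usage on the examiner server:   $ex = Get-InternalIPv4; $ex
# Usage on each target server:    Add-ExaminerFirewallRule -ExaminerIp 10.180.0.5
```

Delete the rule on each target when collection is finished; a standing exception from a forensic host is exactly the kind of forgotten access path a later incident exploits.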


INSTALL/START F-RESPONSE ON ONE OR MORE CLOUD SERVERS

The following represents abbreviated steps from our F-Response Enterprise Mission Guides. You will find more detailed steps for different operating systems and configurations on the F-Response website (www.f-response.com/support/missionguides).

Using the supplied credentials for the remote server(s) we install/start F-Response on one or more Cloud Servers, then select one or more F-Response Targets and Login.

[Screen capture: an F-Response attached remote machine "disk-0" attached to our examiner hosted forensic server as PhysicalDrive2.]
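As an added example (not part of the original whitepaper), the following PowerShell records the examiner server's physical disks before and after the F-Response login so the subject appears as a positively identified PhysicalDrive index rather than an assumed one. In the paper's example the target lands as PhysicalDrive2, but the index depends on how many disks the examiner server already had, and imaging the wrong PhysicalDrive is an easy mistake on a host that also carries collection storage. The script is an addition of this edit, not F-Response's.

```powershell
# Added example (not F-Response's code): identify the newly attached
# F-Response disk by diffing Win32_DiskDrive before and after the attach.

function Get-DiskInventory {
    # One record per physical disk as Windows sees it.
    Get-WmiObject Win32_DiskDrive |
        Select-Object DeviceID, Index, Model, SerialNumber, Size, InterfaceType
}

function Find-NewDisks {
    param($Before, $After)
    # Disks present after the attach that were not present before.
    $known = @{}
    foreach ($d in $Before) { $known[$d.DeviceID] = $true }
    $After | Where-Object { -not $known.ContainsKey($_.DeviceID) }
}

# 1. Inventory before selecting the target and logging in.
$before = Get-DiskInventory
Read-Host "Attach the F-Response target now, then press Enter" | Out-Null

# 2. Inventory again and report only what is new.
$after = Get-DiskInventory
$new = Find-NewDisks -Before $before -After $after
if (-not $new) {
    Write-Warning "No new disk appeared; check the target firewall rule and the F-Response login."
    return
}
foreach ($d in $new) {
    # Keep this line in the case notes alongside the target name shown in F-Response.
    "{0}  Index={1}  Model='{2}'  Serial='{3}'  SizeGB={4:N1}  Bus={5}" -f `
        $d.DeviceID, $d.Index, $d.Model, $d.SerialNumber, ($d.Size / 1GB), $d.InterfaceType
}
# Open the reported DeviceID (for example \\.\PHYSICALDRIVE2) in X-Ways Forensics.
```

If more than one target is attached in the same session, run the diff once per login so each DeviceID is tied to exactly one F-Response target.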


PERFORM ANALYSIS ON ONE OR MORE F-RESPONSE CONNECTED CLOUD SERVERS

Using X-Ways Forensics it's now possible to perform imaging or analysis on the data residing on one or more subject Cloud Servers.

[Screen capture: X-Ways Forensics performing analysis live on the newly attached PhysicalDrive2.]


LEGAL NOTICES

Copyright
Copyright © 2013 Agile Risk Management, LLC. All rights reserved. This document is protected by copyright with all rights reserved.

Trademarks
F-Response is a trademark of Agile Risk Management, LLC. All other product names or logos mentioned herein are used for identification purposes only, and are the trademarks of their respective owners.

Statement of Rights
Agile Risk Management, LLC products incorporate technology that is protected by U.S. patent and other intellectual property (IP) rights owned by Agile Risk Management LLC, and other rights owners.

Disclaimer
While Agile Risk Management LLC has committed its best efforts to providing accurate information in this document, we assume no responsibility for any inaccuracies that may be contained herein, and we reserve the right to make changes to this document without notice.