Trying to bottle the cloud – forensic challenges with cloud computing

Forensic Challenges with Cloud Computing Brent Muir - 2012


Page 1: Trying to bottle the cloud – forensic challenges with cloud computing

Forensic Challenges with Cloud Computing

Brent Muir - 2012

Page 2:

Types of Cloud Computing

Facing the Unknown – Backend Infrastructure

Accessing the Cloud (remote, datacenters)

Types of Data (VM filesystems, loose files, emails, etc)

The “Grey” area – Jurisdiction and Legislation

Forensically “sound” procedures (industry best practice)

Real-world examples:

◦ Australian Cloud Storage Provider (CSP)

◦ Microsoft SkyDrive

Recommendations

Page 3:

Two types of Cloud technologies:

◦ Cloud Processing (e.g. Amazon EC2): Distributed processing power available on-demand that speeds up resource-intensive procedures

    Examples: password cracking, video rendering

◦ Cloud Storage (e.g. Dropbox, SkyDrive, iCloud, etc): Remotely stored files that are available over the internet from any location without the need for localised storage solutions

    Examples: email, office documents, photos, videos

Page 4:

Hybrid Mix:

◦ Cloud solutions that provide file storage and fully virtualised infrastructure to replace traditional hardware

    Example: Virtual Machines (VMs) hosted in the cloud

Page 5:

Variety of hardware and infrastructure available to create a private cloud

Depending on the complicity of the provider, this may remain an unknown

Depending on the Persons Of Interest (POI) involved in the investigation, covert access may be required

Page 6:

Datacenters

◦ If local, will be the fastest solution

    Requires assistance from host

    Using host's infrastructure

Remote

◦ Depending on host, might not be possible to attend physical datacenter

    Accessing over the internet requires patience

    Slow

    Prone to drop-outs

◦ Possibility to “push” the content out of the cloud rather than pulling it down

    Requires assistance from host

    Using host's infrastructure

Page 7:

VM data

◦ Various file systems (depending on OS involved)

    Common – FAT, NTFS, Ext2/3, HFS+

    Virtual – VMware FS, ReFS

    Disk Images: VMDK, VHD

Loose files

◦ Graphic Files: JPG, GIF, PNG, PSD, etc

◦ Video Files: MP4, MOV, AVI, WMV, FLV, etc

◦ Document Files: DOC, PDF, XLS, PPT, etc

Emails

◦ Varies depending on host provider

Page 8:

CSP User Account Details

◦ Financial information used to create accounts (if applicable)

◦ Contact information

Network Logs

◦ IP addresses of users/accounts

◦ Dates and times of logins

Page 9:

Crimes committed over the internet?

◦ Who has jurisdiction?

Geographical nature of “Cloud”

◦ Often replicated across various datacenters

◦ Not necessarily in same country as Person Of Interest (POI)

◦ Country (and CSP) hosting content may not have any legal requirement (or willingness) to cooperate

Page 10:

Depends on countries involved

◦ Hosting content

◦ Where CSP business is registered

Australia:

◦ Cybercrime Act 2001 Schedule 1 – Computer offences

◦ Criminal Code Act 1995 478.1 Unauthorised access to, or modification of, restricted data

Page 11:

Standard forensic procedure requires read-only access to potential evidence items

◦ No write-blocker for the internet

Each Cloud host will have different infrastructure

Emails: always ensure export type includes headers

VMs: capture RAM, try to get VM HDD images

Storage: try to capture without modification of MAC times

Logs: network

Page 12:

Providing storage and processing services

◦ Including hybrid VM hosting

Page 13:

Person Of Interest (POI) had multiple VMs hosted on service

◦ VMs running Windows Server 2008 R2

CSP backend running Linux in datacenter

◦ Non-standard file system (which is common to datacenters due to size limitations of Ext2, Ext3, etc)

◦ Frontend running “Open Xen” control panel

Initially given wrong address

◦ Warrant issued for business address, not datacenter

Page 14:

VMs were running live

◦ Changed user credentials

◦ Captured RAM

    Over internet connection

    Utilised FTK Imager

Limited tools available to CSP Admins from control panel

◦ While running live, converted VMs to NTFSClone images as only available option

Page 15:

Had to attend physical datacenter to retrieve converted images (NTFSClone) due to time constraints

◦ Alternative was to download over internet – very slow!

NTFSClone is non-standard compressed image

◦ Inability to see MBR (partition only)

◦ Unable to be interpreted by any forensic suite

Uncompressed image in Linux to standard partition:

ntfsclone --restore-image -o backup.dd backup.img

(The NTFSClone image file is the positional argument; -o names the destination, which can be a raw image file such as backup.dd or a partition device such as /dev/sdb1.)

Page 16:

Also attempted to image VMs live via FTK Imager over internet connection

◦ Three VMs (20 GB each)

◦ Failed multiple times

◦ Very slow

Gave up with partial images after 10 days (none completed correctly)

Page 17:

Client originally after deleted contents from previously existing VMs

◦ POI was trashing VMs and creating new ones every 2 weeks!

CSP had no way of knowing what physical infrastructure previous VMs existed on

◦ Once deleted from system, all resources reallocated to the “pool”

◦ All storage/processing allocated on the fly when end users set up a new VM

Page 18:

CSP fully cooperative and willing to comply with warrant

◦ Handed over POI's content

    Due to the fact that POI had been paying for service with stolen credit card numbers

* Had it been another user who had purchased the services legitimately, not sure if CSP would have been as cooperative

◦ Due to the fact that CSP had not broken any laws directly

◦ T&S and T&C negate legal liability (grey area of law which has not been challenged in court)

Page 19:

Providing storage services

25 GB plus an extra 5 GB of “synced” storage per account

Ability to have unlimited accounts

◦ Potential to link accounts

◦ Share data across unlimited accounts

Page 20:

POI storing illicit content (documents, photos & videos) and communications

Unless “synced”, nothing stored locally

◦ Not even “local” geographically speaking

    Content replicated across numerous Microsoft datacenters around the world

POI popped up during an investigation

◦ Admitted to having material and emails stored on SkyDrive

Legally signed over account

Page 21:

Email:

◦ Microsoft’s “Hotmail Connector” for Outlook

    Locally download all email and attachments to a PST

    PST can be imported into favourite forensic suite (X-Ways, EnCase, FTK, Nuix, etc)

◦ During email “sync” kept dropping out

    Had to be restarted numerous times before all content

◦ Contacted Microsoft Law Enforcement Portal to find alternative to Hotmail Connector

    None currently exists
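Page 11's rule that an email export must keep its headers can be checked mechanically before the PST or EML set is loaded into a forensic suite. The following Python is an added example, not code from the original deck: it flags exported messages that no longer carry Message-ID, Date, From or Received headers, and walks the Received chain back to the earliest hop, which is where the source IP and login time that page 8 lists among network-log artefacts come from. The message, hosts and addresses are constructed, and REQUIRED is an assumed minimum header set.

```python
import re
import email
from email import policy

REQUIRED = ("Message-ID", "Date", "From", "Received")

# Constructed sample; hosts and addresses are documentation/test values.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id abc123; Mon, 04 Jun 2012 10:15:22 +1000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mail.example.net with ESMTPA; Mon, 04 Jun 2012 10:15:01 +1000
Message-ID: <constructed-0001@example.net>
Date: Mon, 04 Jun 2012 10:15:00 +1000
From: sender@example.net
To: recipient@example.org
Subject: constructed sample

body text
"""

# The same message with its Received lines stripped, as a header-less
# export would leave it (folded continuation lines start with a tab).
STRIPPED_EML = "\n".join(
    line for line in SAMPLE_EML.splitlines()
    if not line.startswith(("Received:", "\t"))) + "\n"

def missing_headers(raw):
    """Names from REQUIRED that the exported message no longer carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [name for name in REQUIRED if msg.get(name) is None]

def received_hops(raw):
    """[(ip, timestamp)] per Received header, in the order written (newest
    first). Only hops stamped by servers you control are trustworthy; the
    earlier ones were supplied by the sending side and may be forged."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())  # unfold continuation lines
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append((ip.group(1) if ip else "", stamp))
    return hops

def originating_hop(raw):
    """Earliest hop (the last Received header), or None if none survived."""
    hops = received_hops(raw)
    return hops[-1] if hops else None
```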

Page 22:

Other Content:

◦ 2 Options:

    Windows Live Mesh

        Sync folder/s and download content

        Can then be imaged or added to logical evidence container

        5 GB limitation to content synced through Mesh

    Individually download each item through web browser

        Potentially affecting MAC times, but not metadata

No other solution suggested by Microsoft Law Enforcement Portal
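Page 11 asks that storage be captured without altering MAC times, and page 22 notes that item-by-item browser downloads may alter them anyway. The following Python is an added example, not part of the original deck: it records a SHA-256 and the mtime/atime/ctime of every file in a capture folder, and diffs two such manifests to show exactly which files and which fields drifted between capture and later handling. The folder, file names and the re-timestamping in demo() are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def file_record(path):
    """SHA-256, size and mtime/atime/ctime (UTC) for one file; stat() runs
    before the read so the recorded atime is the pre-capture value (the
    read itself may bump atime, depending on mount options)."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime": iso(st.st_mtime), "atime": iso(st.st_atime),
            "ctime": iso(st.st_ctime)}

def build_manifest(root):
    """Relative path -> record for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_record(full)
    return manifest

def compare_manifests(before, after):
    """{path: [fields that differ]}; a vanished file reports 'missing'."""
    drift = {}
    for rel, rec in before.items():
        later = after.get(rel)
        if later is None:
            drift[rel] = ["missing"]
        elif changed := [k for k in rec if rec[k] != later[k]]:
            drift[rel] = changed
    return drift

def demo():
    """Constructed scenario: two files, one re-timestamped after capture."""
    root = tempfile.mkdtemp()
    for name in ("report.pdf", "photo.jpg"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample content for " + name.encode())
    first = build_manifest(root)
    touched = os.path.join(root, "report.pdf")
    os.utime(touched, (os.stat(touched).st_atime, 0))  # mtime -> 1970 epoch
    return compare_manifests(first, build_manifest(root))
```

Content fields (sha256, size) stay stable across the re-timestamping while mtime moves; any atime drift on the untouched file is the hashing read itself, which is why the manifest is taken at the moment of capture.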

Page 23:

Multi Lateral Agreements (MLAT)

◦ Send content host preservation notice

    Generally takes account/s offline

    Snapshot of all data taken

◦ Approximately 18 month process once paperwork is filed to receive content from host

◦ Must provide all paperwork in accordance with the host country (generally USA)

Page 24:

Multi Lateral Agreements (MLAT)

[Flowchart] Local Agency → Attorney-General Department (ACT) → USA Department of Justice (DOJ) → US Court Order Produced → Microsoft

Page 25:

Use of standalone internet-enabled machine to capture remote content

◦ Forensically wiped upon job completion

Preservation request sent to CSP (assuming legally compliant)

Consult with technical people employed by CSP prior to “capture”

Expect the unexpected: non-standard file systems (e.g. Oracle FS)


Page 27:

Criminal Code Act 1995

Cybercrime Act 2001

Telecommunications (Interception) Act 1979
