
While I am excited about being published (and of course you should go buy the book when it comes out), cloud computing forensics needs a wider discussion in the information security field, as there are some very real paradigm shifts that need to occur to make forensics work and to get good information, and those shifts should be openly discussed.

Cloud computing is going to frustrate the traditionally minded information security engineer; there are significant limitations but also significant advantages when working an investigation in the cloud.

Below are 10 issues that I see with cloud computing and forensics, from both the network side and the computer side, that information security engineers should be thinking about before they have to do an investigation. For all the cool information you need to go buy the book, but for discussion purposes you should read this blog and chime in.
1. The investigation is going to be limited to the machine image at hand rather than the full machine. Rather than the full disk, the network forensics investigator is working with a machine image. This will preclude access to items in RAM or in other components that might fall into the standard forensics review.
2. There will be all the standard information in the machine image that there would be on any other server in the data center if a proper ISO were made of the machine image, including slack space, but you are limited to the ISO image and not the bitstream image.
3. If the disk is encrypted and the keys are lost, there is software that will allow a person to spin up many cloud instances to help crack the encryption of the hard drive. You can use this process or a hacker can use it; in the longer run, it can be expensive to do this. You need to think about key management and key backups, keeping copies safe and handy. AWS relies on two-factor authentication to access the computer system; if you lose the keys, you lose access to the OS. This will effectively stop any investigation that you might be undertaking.
4. It will be difficult to get any form of routing information that is not already on the box. For example, if there is a botnet controller or slave on the box, this will be complicated by the Amazon Web Services security mechanisms in place at the host and network level.
5. Promiscuous mode will not work in cloud computing—the network interface card (NIC) can be put into promiscuous mode, but it will only read the data being sent to that particular box because of how the virtual computer hypervisor works and routes traffic. There is no ability to read anything past the hypervisor frame to other systems.
6. There is the ability to do a deeper level of logging in the cloud environment via a large database or “big table” with Azure, because the company is working in a computing commodity environment. Logging everything and then building logic around those logs is one of the many benefits of cloud computing that might make the network forensics investigator's life easier.
7. ISO images of machine images can be stored indefinitely in a secure cloud environment as part of a virtual private cloud without influencing the local datacenter or being stored locally on an information security engineer’s disk. The ability to do this provides a much shorter list of people who have access to those forensic images and can provide a better provable chain of custody, rather than locking a disk in a file cabinet for years where it might be lost or stolen.
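Item 7's point, a stored image whose custody can be proven, as an added example in Python that is not code from the post or the book: a manifest that records each hand-off together with the SHA-256 of the image and chains the entries, so that an altered entry, an image that changed between custodians, or a mismatched image presented later is detected on verification. The manifest layout is my own construction, not a feature of AWS, Azure or any forensic product, and the image bytes and custodian names are constructed placeholders.

```python
"""Chain-of-custody manifest for a stored forensic image.

Added example: the manifest layout is my own construction, not a feature
of AWS, Azure or any forensic product. The image bytes in demo() are a
constructed placeholder, not a real machine image.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20        # hash 1 MiB at a time so a multi-GB image never sits in RAM
ROOT_PREV = "0" * 64   # "previous entry" value for the first event


def image_sha256(image):
    """SHA-256 of an image given as bytes or as a binary file-like object."""
    stream = io.BytesIO(image) if isinstance(image, (bytes, bytearray)) else image
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of an event's fields (its own hash excluded) in canonical JSON."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


def new_manifest(image_name, image, custodian, timestamp=None):
    """Open a manifest; the acquisition hash is the root every later event must match."""
    entry = {"seq": 0, "action": "acquired", "actor": custodian,
             "time": timestamp or _utc_now(),
             "image_sha256": image_sha256(image), "prev": ROOT_PREV}
    entry["entry_hash"] = _entry_hash(entry)
    return {"image": image_name, "events": [entry]}


def add_event(manifest, action, actor, image, timestamp=None):
    """Append a hand-off, re-hashing the image so each custodian vouches for it."""
    last = manifest["events"][-1]
    entry = {"seq": last["seq"] + 1, "action": action, "actor": actor,
             "time": timestamp or _utc_now(),
             "image_sha256": image_sha256(image), "prev": last["entry_hash"]}
    entry["entry_hash"] = _entry_hash(entry)
    manifest["events"].append(entry)
    return entry


def verify(manifest, image):
    """Return (ok, reason): the entry chain is intact, no event saw a different
    image than the acquisition, and the image presented now still matches."""
    events = manifest["events"]
    if not events:
        return False, "empty manifest"
    root = events[0]["image_sha256"]
    expected_prev = ROOT_PREV
    for e in events:
        if e["prev"] != expected_prev:
            return False, f"chain broken at seq {e['seq']}"
        if e["entry_hash"] != _entry_hash(e):
            return False, f"entry {e['seq']} altered after it was written"
        if e["image_sha256"] != root:
            return False, f"image differed from acquisition at seq {e['seq']}"
        expected_prev = e["entry_hash"]
    if image_sha256(image) != root:
        return False, "image presented now does not match acquisition hash"
    return True, "ok"


def demo():
    """Constructed walk-through; returns both verdicts so they can be checked."""
    image = b"constructed placeholder image bytes\n" * 2048   # not a real image
    m = new_manifest("web-01.iso", image, "analyst-a", "2024-01-01T00:00:00+00:00")
    add_event(m, "transferred to evidence bucket", "analyst-b", image,
              "2024-01-02T00:00:00+00:00")
    intact = verify(m, image)
    m["events"][1]["actor"] = "someone-else"   # tamper with the custody record
    tampered = verify(m, image)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the place it is kept: store it (or at least its latest entry hash) somewhere the image custodians cannot write to, such as a separate bucket or log with its own access list, otherwise whoever can alter the image can also rewrite the chain.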
8. Use of dual authentication measures to log in provides a higher level of security on the cloud services that can be used for log storage, restricted to a small group of people who can access the systems on a regular basis. For example, AWS uses PKI (public key infrastructure) to authenticate to AWS instances. Different groups can get different PKI keys that allow them access to a smaller subset of computer systems, with easier management of the PKI infrastructure than is generally given with many of the current security authentication measures.
9. There is the potential for a true ability to do C2 level logging at the database server and individual-system logging without running out of space or computational ability on the part of the company. Logs are huge and can easily overwhelm a company’s ability to store this information. While the visualization tools and data analysis tools for information security and cloud computing log analysis are primitive now, there are many major companies involved in building out scalable tools that will eventually catch up with the capabilities of cloud computing. Once the tool sets are mature enough, forensics across a cloud infrastructure will be push-button easy. We are already seeing trends in this direction from the larger information security tool companies.
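Items 6 and 9 both argue for logging everything centrally and then building logic over the result. As an added example, not code from the post or the book, here is a small Python detector run over constructed sshd-style log lines from several instances. It counts failed logins per source across all hosts, so a password-guessing run split between two instances is visible only because their logs were merged, and it flags a successful login from a source that still has recent failures. The log lines, hostnames and addresses are constructed samples (documentation address ranges), and the two rules and thresholds are my own choices.

```python
"""Building detection logic over centralized instance logs.

Added example, not code from the post. The log lines below are constructed
in an sshd/syslog-like shape using documentation address ranges; hostnames
and addresses are placeholders, and the rules and thresholds are my own.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGS = """\
2024-03-01T10:00:01Z web-01 sshd[211]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
2024-03-01T10:00:03Z web-01 sshd[212]: Failed password for root from 198.51.100.7 port 40113 ssh2
2024-03-01T10:00:05Z web-02 sshd[310]: Failed password for root from 198.51.100.7 port 40114 ssh2
2024-03-01T10:00:06Z web-02 sshd[311]: Failed password for root from 198.51.100.7 port 40115 ssh2
2024-03-01T10:00:09Z web-02 sshd[312]: Failed password for root from 198.51.100.7 port 40116 ssh2
2024-03-01T10:00:15Z web-02 sshd[313]: Accepted publickey for deploy from 198.51.100.7 port 40117 ssh2
2024-03-01T10:05:00Z db-01 sshd[520]: Accepted publickey for deploy from 203.0.113.9 port 51000 ssh2
2024-03-01T10:07:00Z web-01 sshd[215]: Failed password for root from 203.0.113.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["failed"] = e["result"].startswith("Failed")
        events.append(e)
    return events


def detect(events, threshold=5, window_s=60):
    """Two rules over the merged stream:
    - brute_force: one source fails >= threshold times within window_s,
      counted across every host (this is what per-host logs would miss);
    - success_after_failures: a source logs in successfully while it still
      has failures inside the window."""
    findings = []
    recent = defaultdict(list)   # src -> [(ts, host), ...] failures still in window
    already_flagged = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        src = e["src"]
        # drop failures that have aged out of the window for this source
        recent[src] = [(t, h) for t, h in recent[src]
                       if (e["ts"] - t).total_seconds() <= window_s]
        if e["failed"]:
            recent[src].append((e["ts"], e["host"]))
            if len(recent[src]) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append({"type": "brute_force", "src": src,
                                 "count": len(recent[src]),
                                 "hosts": sorted({h for _, h in recent[src]}),
                                 "at": e["ts"].isoformat()})
        elif recent[src]:
            findings.append({"type": "success_after_failures", "src": src,
                             "host": e["host"], "user": e["user"],
                             "prior_failures": len(recent[src]),
                             "at": e["ts"].isoformat()})
    return findings


def run(text=SAMPLE_LOGS):
    return detect(parse(text))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run on the sample, the brute-force finding lists both web-01 and web-02: neither host alone reaches the threshold, which is the concrete version of the post's claim that centralized logging makes the investigator's job easier. The second finding is the one worth a human's attention, since a key-based login that follows a burst of password failures from the same address is either a noisy administrator or a compromised key.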
10. Antivirus and antispam in the cloud, and other large data sets for signature identification of malware, are also becoming part of the cloud computing experience. Cloud computing systems, if properly configured, can quickly identify malware, spyware, and spam software on computer systems because the computing power is moved off the desktop and into a remote data center. This may complicate the forensics investigation if mission-critical services are run off the computer being investigated. This process has been underway for about a year at the time of writing and will only get more sophisticated and accurate over time.
These are 10 issues that I see with cloud computing and computer forensics; the biggest limitation is going to be working in the virtualized environment. Even though companies are already virtualizing systems in-house, the cloud complicates the forensics investigation because direct physical access to the machine is not possible. This is where the thinking shift needs to happen, and why we need better tools to help security engineers work in the cloud environment. Security engineers are used to taking down whole boxes and running their investigation from there; in the cloud environment that is simply not possible. The question is: what other strengths or limitations do other security engineers see in the cloud environment when it comes to forensics that I might have missed?
(Cross-posted @ IT Toolbox)
Dear Dan,
Please consider contributing a chapter to my edited book in the link below and please share the call for chapters with your peers if anyone would be interested in this publication! Thanks a million!
http://igi-global.com/AuthorsEditors/AuthorEditorResources/CallForBookChapters/CallForChapterDetails.aspx?CallForContentId=41b320c0-7dd0-489c-b996-c5a9dcf81cb4
Keyun