Mastering Windows Network Forensics and Investigation
Chapter 17: The Challenges of Cloud Computing and Virtualization
Chapter Topics:
• Understand investigative implications when virtualization or cloud services are used
• Detect and acquire artifacts of virtualization applications
• Detect and acquire pertinent data from cloud services
What is Virtualization?
• Host-based – An environment that exists in specialized software within the host system, designed to emulate a wholly separate OS with its own resources
What is Virtualization?
• Server-based – The environment is installed directly on top of the host hardware layer to maximize system resources
• Hypervisor – the software layer that makes virtualization possible
– Type 1 – bare metal
– Type 2 – hosted
What is Virtualization?
• Type 1 – the hypervisor runs directly on the hardware with no separate host OS beneath it (e.g., VMware ESXi, Microsoft Hyper-V, Xen)
• Type 2 – the hypervisor runs as an application on a conventional host OS, so the guest's disk and memory files are ordinary files on the host file system (e.g., VMware Workstation/Player, VirtualBox)
Incident Response
• What is the scope of the network?
• How is the environment configured?
• What machines have been compromised?
• What are their roles?
• Where are they? – With virtualization a compromised guest has no dedicated hardware of its own: identify the hypervisor host and datastore that hold it, not just its IP address
Acquiring RAM
• Live host-based virtual environment – the procedure is the same as for the host system, run from inside the guest
• Methods
– FTK Imager Lite
– DumpIt
– Force a VM snapshot from the hypervisor – the guest's RAM is written to the snapshot files on the host (with VMware, a .vmsn/.vmem pair) without running any tool inside the guest
Forensic Analysis Techniques
• Identify the source of digital evidence
• Forensically acquire the digital evidence
• Analyze the digital evidence
• Report on pertinent findings
Dead Host-Based VM
• Locate the files used to build the virtual environment
• Acquire the virtual disk (.vmdk) using forensic tools
– FTK Imager
Dead Host-Based VM
• Analyze the *.vmsd file – plain-text metadata describing the VM's snapshots saved on the host system (snapshot names, UIDs, parent/child relationships, creation times and the delta .vmdk each snapshot uses)
• Acquire memory
– Locate the *.vmem file
– Structured the same as RAM acquired from a live system, so it can be analyzed with the same memory-analysis tools
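The dead-VM workflow on the two slides above (locate the VM's files on the host, acquire and verify them, read the .vmsd to learn which snapshot and memory files belong together) can be scripted. The following is an added example written for this chapter, not code from the book or from VMware: it walks a mounted host image for VMware file types, hashes each file for later verification, and parses a .vmsd into a snapshot tree. The .vmsd sample is constructed, the file-extension list follows VMware's documented naming, the createTimeHigh/createTimeLow decoding (two halves of a microseconds-since-epoch counter) and the assumption that a snapshot's memory lives in a .vmem named after its .vmsn are marked as assumptions in the code.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Per-VM file types VMware Workstation/Player keep on the host (VMware's documented naming).
VM_EXTENSIONS = {".vmx", ".vmdk", ".vmsd", ".vmsn", ".vmem", ".vmss", ".nvram"}

_KV_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
_SNAP_UID = re.compile(r"^snapshot(\d+)\.uid$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_vmsd(text: str) -> dict:
    """Parse the key = "value" lines of a .vmsd file into a flat dict."""
    kv = {}
    for line in text.splitlines():
        m = _KV_LINE.match(line)
        if m:
            kv[m.group(1)] = m.group(2)
    return kv


def vmware_time(high: str, low: str) -> datetime:
    """Assumption: createTimeHigh/createTimeLow are the two 32-bit halves of a
    microseconds-since-epoch counter; the low half is stored as a signed decimal."""
    micros = (int(high) << 32) | (int(low) & 0xFFFFFFFF)
    return _EPOCH + timedelta(microseconds=micros)


def snapshot_tree(kv: dict) -> list:
    """Snapshots ordered by UID with parent link, delta disks and memory file.
    Iterates over snapshotN.uid keys because N need not be contiguous once
    snapshots have been deleted."""
    snaps = []
    for key, uid in kv.items():
        m = _SNAP_UID.match(key)
        if not m:
            continue
        p = f"snapshot{m.group(1)}."
        vmsn = kv.get(p + "filename", "")
        created = None
        if p + "createTimeHigh" in kv:
            created = vmware_time(kv[p + "createTimeHigh"], kv[p + "createTimeLow"])
        snaps.append({
            "uid": int(uid),
            "parent": int(kv[p + "parent"]) if p + "parent" in kv else None,
            "name": kv.get(p + "displayName", ""),
            "vmsn": vmsn,
            # Assumption: recent Workstation versions write the snapshot's guest RAM
            # to <snapshot>.vmem beside the .vmsn; older versions embed it in the .vmsn.
            "vmem": str(Path(vmsn).with_suffix(".vmem")) if vmsn else "",
            "created": created,
            "disks": [v for k, v in sorted(kv.items())
                      if k.startswith(p + "disk") and k.endswith(".fileName")],
        })
    return sorted(snaps, key=lambda s: s["uid"])


def find_vm_artifacts(root) -> list:
    """Walk a mounted image or export; return path/size/SHA-256 for every VM file
    so each acquired artifact can be verified against the original later."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in VM_EXTENSIONS:
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            found.append({"path": str(path), "size": path.stat().st_size,
                          "sha256": digest.hexdigest()})
    return found


# Constructed sample .vmsd (not from a real system) so the example runs offline.
SAMPLE_VMSD = '''snapshot0.uid = "1"
snapshot0.filename = "Win7-Snapshot1.vmsn"
snapshot0.displayName = "Clean baseline"
snapshot0.createTimeHigh = "315542"
snapshot0.createTimeLow = "-1452632640"
snapshot0.disk0.fileName = "Win7.vmdk"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.filename = "Win7-Snapshot2.vmsn"
snapshot1.displayName = "After sample executed"
snapshot1.createTimeHigh = "315543"
snapshot1.createTimeLow = "100000"
snapshot1.disk0.fileName = "Win7-000001.vmdk"
snapshot.numSnapshots = "2"
'''


def make_sample_vm_dir() -> str:
    """Write a tiny constructed VM folder (fake contents) into a temp dir."""
    vm = Path(tempfile.mkdtemp(prefix="vmforensics-")) / "Virtual Machines" / "Win7"
    vm.mkdir(parents=True)
    (vm / "Win7.vmsd").write_text(SAMPLE_VMSD)
    (vm / "Win7.vmx").write_text('displayName = "Win7"\n')
    (vm / "Win7.vmdk").write_bytes(b"KDMV" + b"\x00" * 60)   # fake header bytes only
    (vm / "Win7-Snapshot2.vmem").write_bytes(b"\x00" * 64)
    (vm / "notes.txt").write_text("not a VM artifact\n")
    return str(vm.parents[1])


if __name__ == "__main__":
    for art in find_vm_artifacts(make_sample_vm_dir()):
        print(f"{art['sha256'][:16]}  {art['size']:>6}  {art['path']}")
    for s in snapshot_tree(parse_vmsd(SAMPLE_VMSD)):
        print(f"uid={s['uid']} parent={s['parent']} created={s['created']:%Y-%m-%d %H:%M:%S} "
              f"name={s['name']!r} disks={s['disks']} memory={s['vmem']}")
```

Point `find_vm_artifacts` at the mounted host image (or the export directory of the VM) rather than the sample folder; the hashes it records are what you compare against the copies FTK Imager produces, and the snapshot tree tells you which .vmem and delta .vmdk to acquire together for a given point in time.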
Live Virtual Environment
• Structured the same as a traditional computer system
• Acquire a logical or physical image of the storage media using forensic tools
– FTK Imager
– EnCase
• Additional artifacts
– *.vmem (virtual memory – the guest's RAM as a file on the host)
– VM snapshots (earlier states of the guest's disk and memory that no longer exist inside the running guest)
Cloud Computing
• What is it?
– "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources…" (NIST)
– Not new!
• Email
• Mainframe dumb terminals
• Services
– IaaS
• Rackspace, VMware vSphere (AWS EC2/S3 also fall here)
– SaaS
• Google Apps, Dropbox, iCloud
– PaaS
• AWS (Elastic Beanstalk), SunCloud
Forensic Challenges
• Where is the evidence?
– Client level?
– Cloud service level?
– Underlying cloud server level?
– All of the above?
• Legal authority
– Jurisdictional obstacles
– Whom will you serve the search warrant on? Where?