NIST Cloud Computing
Forum and Workshop VIII
Dr. Martin Herman
ITL Senior Advisor for Forensics and IT
Information Technology Laboratory (ITL)
National Institute of Standards & Technology
NIST Cloud Computing Forum and Workshop VIII
July 2015
Cloud Computing Forensic Science
•  Application of science and technology to investigation and establishment of facts of interest within cloud environments for
  –  Courtroom
    •  Criminal investigation and prosecution (e.g., child exploitation, drug dealings, terrorism, cyber attacks, data breaches, insider theft)
    •  Civil litigation (e.g., e-discovery in lawsuits, insurance claims)
  –  Regulatory compliance (e.g., auditing)
  –  Internal business policy violations
    •  Within an enterprise (e.g., HR privacy violations, employee computer misuse)
  –  Cybersecurity (incident response)
    •  Mitigate future cyber attacks, prevent system failure, minimize data loss
NIST Activities
•  Chair of the Cloud Computing Forensic Science Working Group
•  Long-term goals:
  –  Determine challenges in cloud forensics
    •  Forensics applied to artifacts/evidence found in the cloud (as opposed to using the cloud to perform forensic analysis on data from other sources)
    •  Identify, aggregate, analyze challenges
  –  Prioritize challenges
  –  Determine gaps in technology, standards and measurements to address these challenges
  –  Develop a roadmap to address these challenges
Cloud forensic challenges (mindmap figure; labels recovered from the slide):
1. Confidentiality
2. Root of Trust
3. E-Discovery
4. Deletion in the Cloud
5. Lack of Transparency
6. Timestamp
7. Use of Metadata
8. Geo-location
9. Data Integrity
10. Recovering Overwritten Data
11. Data Chain of Custody
12. Chain of Dependencies
13. Resource Seizure
14. Secure Provenance
15. Chain of Dependencies
16. Locating Evidence
17. Evidence Identification
Cloud Computing Forensic Science Challenges
•  Challenges related to:
  –  Architecture: e.g., segregation of potential evidence in a multi-tenant system
  –  Data collection: e.g., recovery of deleted data in a shared and distributed virtual environment; e.g., E-Discovery
  –  Analysis of forensic data: e.g., evidence correlation across multiple cloud providers
  –  Anti-forensics: e.g., malicious code may circumvent virtual machine isolation methods
•  Challenges related to:
  –  Incident first responders: e.g., confidence, competence, and trustworthiness of the cloud providers to act as first responders and perform data collection
  –  Role management: e.g., ease of anonymity and creating false personas online
  –  Legal issues: e.g., ease of anonymity and creating false personas online
  –  Standards: e.g., lack of test and validation procedures
  –  Training: e.g., lack of test and validation procedures
Mindmap (PRIMARY)
Assessment of Importance
Highest Priority Challenges & Scores
Score  Challenge
10     Confidentiality and PII
9      Root of trust
9      E-discovery
8      Deletion in the cloud
8      Lack of transparency
7      Timestamp synchronization
7      Use of metadata
7      Multiple venues and geolocations
7      Data integrity and evidence preservation
6      Recovering overwritten data
6      Cloud confiscation and resource seizure
6      Potential evidence segregation
6      Secure provenance
6      Data chain of custody
6      Chain of dependencies
6      Locating evidence
6      Locating storage media
6      Evidence identification
6      Dynamic storage
6      Live forensics
6      Resource abstraction
6      Ambiguous trust boundaries
6      Cloud training for investigators
From NIST IR 8006: DRAFT NIST Cloud Computing Forensic Science Challenges
http://csrc.nist.gov/publications/PubsNISTIRs.html
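Several of the scored challenges (data integrity and evidence preservation, data chain of custody, secure provenance, timestamp synchronization) come down to one question: can an investigator prove that an artifact obtained from a provider has not changed, and that the custody record itself has not been edited, between collection and the courtroom? The Python below is an added example, not code from the slides or from NIST or the working group. It keeps a hash-chained custody manifest in which every entry records the artifact digest, the actor, the action, a UTC timestamp and the clock that produced it, and a verifier that reports altered artifacts, edited or re-chained records, and timestamps that run backwards. The case id, artifact names, actor names, clock names and the log line are constructed placeholders.

```python
"""Hash-chained chain-of-custody manifest for cloud-collected evidence (added example)."""
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # prev_entry_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest over every field except the entry's own entry_hash, using a canonical
    JSON encoding so the verifier recomputes exactly the same bytes."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def new_manifest(case_id: str) -> dict:
    return {"case_id": case_id, "entries": []}


def record_custody_event(manifest, action, actor, artifact, content, timestamp_utc, time_source):
    """Append one custody entry. content is the artifact as it exists at this event;
    timestamp_utc is ISO-8601 with an explicit offset; time_source names the clock
    that produced it, so timestamps from different clocks are never silently mixed."""
    prev = manifest["entries"][-1]["entry_hash"] if manifest["entries"] else GENESIS
    entry = {
        "seq": len(manifest["entries"]),
        "timestamp_utc": timestamp_utc,
        "time_source": time_source,
        "action": action,
        "actor": actor,
        "artifact": artifact,
        "artifact_sha256": sha256_hex(content),
        "prev_entry_hash": prev,
    }
    entry["entry_hash"] = entry_digest(entry)
    manifest["entries"].append(entry)
    return entry


def verify_manifest(manifest, artifacts):
    """artifacts maps artifact name -> bytes as held now. Returns (ok, problems)."""
    problems = []
    prev_hash, prev_time = GENESIS, None
    for i, e in enumerate(manifest["entries"]):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number {e['seq']} out of order")
        if e["prev_entry_hash"] != prev_hash:
            problems.append(f"entry {i}: chain link broken (entry altered, inserted, removed or reordered)")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if e["artifact"] in artifacts and sha256_hex(artifacts[e["artifact"]]) != e["artifact_sha256"]:
            problems.append(f"entry {i}: artifact '{e['artifact']}' no longer matches digest taken at '{e['action']}'")
        t = datetime.fromisoformat(e["timestamp_utc"])
        if t.tzinfo is None:
            problems.append(f"entry {i}: timestamp carries no UTC offset")
        else:
            if prev_time is not None and t < prev_time:
                problems.append(f"entry {i}: timestamp earlier than previous entry (clock skew or backdating)")
            prev_time = t
        prev_hash = e["entry_hash"]
    return (not problems, problems)


def demo() -> dict:
    """Constructed scenario: a VM disk image and a provider access log are collected by
    the provider's team and the image is later handed to an investigator."""
    artifacts = {  # constructed sample evidence, not real data
        "vm-disk.img": b"\x00constructed disk image bytes\x00",
        "provider-access.log": b"2015-07-07T13:55:02Z GET /objects/tenant-a/report.pdf 200\n",
    }
    m = new_manifest("CASE-PLACEHOLDER-0001")
    record_custody_event(m, "collected", "csp-forensics-team", "vm-disk.img",
                         artifacts["vm-disk.img"], "2015-07-07T14:00:00+00:00", "csp-api-clock")
    record_custody_event(m, "collected", "csp-forensics-team", "provider-access.log",
                         artifacts["provider-access.log"], "2015-07-07T14:01:30+00:00", "csp-api-clock")
    record_custody_event(m, "transferred", "investigator-a", "vm-disk.img",
                         artifacts["vm-disk.img"], "2015-07-07T16:20:00+00:00", "lab-ntp-host")
    intact = verify_manifest(m, artifacts)

    # Failure mode 1: the image changes after collection; both entries that
    # recorded its digest (0 and 2) are reported.
    changed = dict(artifacts)
    changed["vm-disk.img"] += b"X"
    artifact_tampered = verify_manifest(m, changed)

    # Failure mode 2: a record is edited and its own hash recomputed to hide the edit;
    # the next entry's prev_entry_hash no longer matches, so the chain exposes it.
    edited = copy.deepcopy(m)
    edited["entries"][1]["actor"] = "someone-else"
    edited["entries"][1]["entry_hash"] = entry_digest(edited["entries"][1])
    record_tampered = verify_manifest(edited, artifacts)

    return {"intact": intact, "artifact_tampered": artifact_tampered,
            "record_tampered": record_tampered}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "OK" if ok else "FAIL", *problems, sep="\n  ")
```

Recording time_source alongside each timestamp is what makes the timestamp-synchronization challenge tractable: a provider API clock and a lab NTP host cannot be compared as if they were one clock, and the verifier's ordering check only has meaning once the analyst knows which clock produced each value. A hash chain alone detects tampering but does not say who did it; in a real engagement each custodian would also sign the entries they append, so that the record attributes as well as detects.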
Use Case Template
Cloud forensic challenge highlighted by this use case:
Title of use case:
Description of use case:
Forensic evidence relevant to use case:
Relevance to the cloud forensic challenge:
The role of each cloud stakeholder in the forensic investigation:
  Cloud Service Consumer (Enterprise):
  Cloud Service Consumer (Individual):
  Cloud Service Provider:
  Cloud Broker (Technical):
  Cloud Broker (Business):
  Cloud Carrier:
  Cloud Auditor (Law enforcement):
  Cloud Auditor (Government regulators):
  Cloud Auditor (Accreditation & certification bodies):
  Cloud Auditor (Forensics lab practitioners):
How do the cloud stakeholders work together in the forensic investigation?
The role of client endpoints:
What is the effect of different cloud service/deployment models?
  IaaS Public:
  IaaS Private:
  IaaS Hybrid:
  IaaS Community:
  PaaS Public:
  PaaS Private:
  PaaS Hybrid:
  PaaS Community:
  SaaS Public:
  SaaS Private:
  SaaS Hybrid:
  SaaS Community:
What technical, legal and best practices elements are needed to achieve a successful forensic investigation in this use case?
  Technical (technology and technical standards):
  Legal:
  Best practices:
For the technical elements, what are the gaps in technology and standards?
Today’s Agenda
•  Will focus on several of the top challenges
  –  Cloud E-Discovery
  –  Root of trust
  –  Deletion in the cloud
  –  Timestamp synchronization
  –  Data integrity & evidence preservation
•  Will also discuss other areas of interest in cloud forensics
  –  Data governance in the cloud
  –  Forensics in stealth and dark clouds
  –  Cloud forensics architecture
