[Diagram: Data Storage Model – layers from bottom to top: Physical Disk, OS’ Physical Disk (the disk as the OS understands it), Partition/Volume, Files, Databases & Apps, and the documents on top (Professional Documents, Culture Documents)]
Data Storage Model in Relevancy with Digital Forensics – What’s in it for us?
- To take the complexity to the next level, add a SAN (storage area network) into the equation
- Typically found in servers of medium to large companies
- How do you define the physical properties of the “physical disks” – brand, type, number of sectors, etc.?
- Acquisition of the OS’ physical disk vs the hardware’s physical disk (yes, it is possible)
- Interface considerations (FC, U2, SAS, etc.)
Data Storage Model – Key Takeaways
Understand the computing environment you want to acquire:
• What kind of media you are about to acquire
• Which kind of data (and its format) you are looking for
• Where this data may reside
• Which acquisition method would be best
Cloud Category (remember my disclaimer)
Legacy vs Cloud IT Services – What’s in it for us?
Imagine a large company with 3 data centers. Accounting users (less IT-literate) may misunderstand “my data is in the cloud” just because the data can be physically hosted in any of the 3 data centers, beyond their knowledge, despite the fact that the company is running “Traditional On-Premise IT Services”.
• Talking to the right person regarding “where the data is” will be crucial
• Understanding the differences
Example 1:
Company A uses MS Excel to keep its accounting journal and record all its transactions. The Excel file is stored on a computer and synchronized to Google Drive (with DriveFS). We suspect Company A of tax evasion. During an audit, Company A stated that the hard disk of the computer is so badly broken that no data is recoverable anymore.
Question:
1. Which cloud category does Company A have?
2. Which cloud services type does Company A have?
3. What is the crucial data and where is it located?
4. If we ever need to do a forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Storage
2. None
3. The accounting data. In the broken computer & GDrive.
4. Cloud forensic collection from their Google Drive account
Example 1a:
Company A uses MS Excel to keep its accounting journal and record all its transactions. The Excel file is stored on a computer and backed up to a VM at a cloud provider. We suspect Company A of tax evasion. During an audit, Company A stated that the hard disk of the computer is so badly broken that no data is recoverable anymore.
Question:
1. Which cloud category does Company A have?
2. Which cloud services type does Company A have?
3. What is the crucial data and where is it located?
4. If we ever need to do a forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Services
2. PaaS
3. The accounting data. In the broken computer & Cloud VM.
4. Logical collection of the folder or drive containing the backup Excel file in the VM; or “physical” collection of the VM’s storage (if it is suspected that the data has been deleted in the VM).
Example 2:
Company B subscribes to cloud-based accounting software to perform all accounting tasks. The accounting person logs in to the application via a browser and records all transactions via the web browser as well.
We suspect the company of tax evasion.
Question:
1. Which cloud category does Company B have?
2. Which cloud services type does Company B have?
3. Where is their data located?
4. If we ever need to do a forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Services
2. SaaS
3. In the SaaS provider.
4. Ask the SaaS provider to extract all data, if legal jurisdiction, time and technical constraints all allow us to do so; OR generate reports from the SaaS accounting software, and follow all digital forensic data collection requirements before, during, and after data collection
Example 3:
Company C purchased accounting software. They installed it in a Virtual Machine (VM) at a cloud provider. The cloud provider manages the VM up to the OS level.
We suspect the company of tax evasion.
Question:
1. Which cloud category does Company C have?
2. Which cloud services type does Company C have?
3. Where is their data located?
4. If we ever need to do a forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Services
2. PaaS
3. In the VM provided by the cloud provider.
4. Physical or logical collection of the VM (depending on whether the data structure in the database is understandable or not); generate reports from the accounting software. Follow the required procedures before, during, and after forensic data collection.
Cloud Forensic Challenges
What is Cloud Forensics?
The application of digital forensic science in cloud environments. Technically, it consists of a hybrid forensic approach (e.g. remote, virtual, network, live, large-scale, thin client, thick client, including the endpoint devices used to access cloud services) to the discovery of digital evidence. Organizationally, it involves interaction among cloud actors (providers, consumers, brokers, carriers, auditors) for the purpose of facilitating both internal and external investigations.
Challenges:
1. Legal
2. Organizational
3. Technical
Legal Challenges
• Legal access to data
• Effective channels for international communication and cooperation during the investigation
• Contractual terms – do they cover data collection & forensic investigation?
Organizational Challenges
• Identifying the legitimate & exact owner of the account & data
• Role-based accounts vs physical users
• Anonymity of accounts
• Ease of account creation and role/rights assignment
• Multiple accounts, multiple roles
• Documenting the process of overcoming the challenges above (evidence, witness, confession). May need 2nd-level documentation to support the documentation.
Recommendations:
1. Quickly identify the critical data location and isolate access to it
2. Identify key persons in the organization who may have access to critical data and could potentially alter it
3. Ask the right questions to the right person
4. Utilize the investigator’s authority to prevent unauthorized access to, or removal of, critical data
5. Time is essential
6. Consistent documentation
Technical Challenges – Data Collection
• Locating crucial data/artifacts in large, distributed, and dynamic systems
• Data collection from virtual machines
• Multi-tenancy – data integrity, confidentiality
• Unfavorable behavior of deleted data: permanent deletion, different from typical computers
Recommendations:
1. Time is essential
2. Quickly identify where the critical data is located, and quickly determine the best collection method
3. Have a cloud services expert in the collection team
Technical Challenges – Data Analysis
• Unfavorable, different behavior of deleted data: permanent deletion
• Timestamp differences across artifacts/data, as:
– cloud services may span multiple geographical locations, and hence time zones
– inconsistencies in timestamping at cloud provider systems during data collection
• In native business application systems, accessing the database may be challenging (unknown password, encrypted database, data obfuscation, etc.)
• Even if we manage to access the database, understanding the data structure is always a challenge
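The timestamp problem above is easiest to see with data in hand. The following is an added example, not material from the deck: it takes artifact records from three constructed sources (an application audit trail writing local time in UTC+7, a database access log writing naive UTC, and a console export with an explicit offset), normalizes every timestamp to UTC, and flags events whose records disagree by more than a tolerance, which is how clock drift or a mislabelled zone shows up during analysis. The source names, offsets and sample records are all constructed for illustration.

```python
"""Normalize artifact timestamps from several cloud sources to UTC.

Added example: the source names, the offsets in SOURCE_TZ and the sample
records are constructed for illustration, not taken from any real provider.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed assumption: the zone each source writes its *naive* (offset-less)
# timestamps in. Sources that embed an offset in the string need no entry.
SOURCE_TZ = {
    "app-audit-trail": timezone(timedelta(hours=7)),  # assumed: app server in UTC+7
    "db-access-log": timezone.utc,                    # assumed: DB logs in UTC
}


@dataclass
class Artifact:
    source: str
    event: str
    raw_ts: str
    utc: datetime


def parse_ts(source: str, raw: str) -> datetime:
    """Parse an ISO-8601 timestamp. If it carries no offset, apply the zone
    known for its source; always return an aware datetime in UTC."""
    raw = raw.replace("Z", "+00:00")  # fromisoformat() before 3.11 rejects 'Z'
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        if source not in SOURCE_TZ:
            raise ValueError(f"no known time zone for naive timestamp from {source!r}")
        dt = dt.replace(tzinfo=SOURCE_TZ[source])
    return dt.astimezone(timezone.utc)


def normalize(records):
    """records: iterable of (source, event id, raw timestamp) tuples."""
    return [Artifact(s, e, ts, parse_ts(s, ts)) for s, e, ts in records]


def find_skew(artifacts, tolerance=timedelta(seconds=60)):
    """Group artifacts by event id and return {event: spread} for every event
    whose UTC timestamps differ by more than the tolerance."""
    by_event = {}
    for a in artifacts:
        by_event.setdefault(a.event, []).append(a.utc)
    return {ev: max(ts) - min(ts) for ev, ts in by_event.items()
            if len(ts) > 1 and max(ts) - min(ts) > tolerance}


# Constructed sample records: (source, event id, timestamp as that source wrote it)
SAMPLE = [
    ("app-audit-trail", "JRN-1001", "2023-03-01T09:15:00"),    # naive, local UTC+7
    ("db-access-log",   "JRN-1001", "2023-03-01T02:15:05"),    # naive, UTC
    ("cloud-console",   "JRN-1001", "2023-03-01T02:15:07Z"),   # explicit UTC
    ("app-audit-trail", "JRN-1002", "2023-03-01T10:00:00"),
    ("db-access-log",   "JRN-1002", "2023-03-01T03:30:00"),    # 30 min off the app
]

if __name__ == "__main__":
    arts = normalize(SAMPLE)
    for a in sorted(arts, key=lambda a: a.utc):
        print(f"{a.utc.isoformat()}  {a.source:16} {a.event}  (raw: {a.raw_ts})")
    for ev, spread in find_skew(arts).items():
        print(f"WARNING: {ev} timestamps disagree by {spread}")
```

Once every record is in UTC, the three JRN-1001 entries fall within seven seconds of each other and sort in one timeline; JRN-1002 is flagged because the two sources are half an hour apart, which is exactly the kind of discrepancy that needs explaining (and documenting) before the timeline is relied on.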
Recommendations:
1. Always look to generate all relevant business application reports
2. Always look to extract all audit trails from the business application layer
3. Always look to extract all database access logs from the database layer
4. Have an IT-literate person who is well-versed in the system/business analyst role for the related business area (e.g. accounting/finance)
Data Collection for Cloud
• Cloud Storage: quite straightforward, collectors available
• Other popular application cloud services – data collectors available
• Cloud Services PaaS & IaaS: VM-level data collectors are available for some cloud providers
• Cloud Services SaaS & BPaaS: rely on the applications’ reports.
Considerations:
• Internet link speed
• “Securing the account” against password changes and account deletion
• Evidence of account legitimacy (witness, evidence, confession)
• Token vs username/password authentication
• PaaS & IaaS: remote collection from another VM vs from the investigator’s workstation
• Strictly follow digital forensic data collection requirements before, during, and after data collection
• Documentation before, during, and after collection.
– Video screen capture during the collection process
– CCTV recording in native format
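The “logical collection of the folder containing the backup file in the VM” from Example 1a, together with the before/during/after requirement above, can be made concrete in a small script. The following is an added example written for this page, not a tool from the deck: it walks a source folder, hashes each file on the source, copies it into an evidence directory, hashes the copy, and writes a manifest with UTC start and finish times, so the collection can be verified afterwards. The folder layout, file contents and the collector name are constructed placeholders.

```python
"""Logical collection of a folder with a before/after SHA-256 manifest.

Added example for this page. The source tree built in demo() and the
collector name are constructed placeholders, not real case data.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(src_dir: Path, evidence_dir: Path, collector: str) -> dict:
    """Copy every regular file under src_dir into evidence_dir, keeping relative
    paths, and record a hash taken on the source (before) and on the copy (after)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collector": collector,
        "source": str(src_dir),
        "started_utc": datetime.now(timezone.utc).isoformat(),
        "files": [],
    }
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir)
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 also carries over the modification time
        after = sha256_file(dst)
        manifest["files"].append({
            "path": rel.as_posix(),
            "size": src.stat().st_size,
            "sha256_source": before,
            "sha256_copy": after,
            "match": before == after,
        })
    manifest["finished_utc"] = datetime.now(timezone.utc).isoformat()
    manifest["all_match"] = all(e["match"] for e in manifest["files"])
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> bool:
    """Re-hash the collected copies against the manifest. Any change to a copy
    after collection makes this return False."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_file(evidence_dir / e["path"]) == e["sha256_copy"]
               for e in manifest["files"])


def demo() -> tuple:
    """Build a constructed source folder, collect it, verify the result, then
    alter one copy and verify again. Returns (manifest, ok_before, ok_after)."""
    root = Path(tempfile.mkdtemp())
    src = root / "vm_backups"                      # constructed sample tree
    (src / "2023").mkdir(parents=True)
    (src / "2023" / "journal.xlsx").write_bytes(b"constructed sample workbook")
    (src / "readme.txt").write_text("constructed sample note")
    evidence = root / "evidence"
    manifest = collect(src, evidence, collector="examiner-placeholder")
    ok_before = verify(evidence)
    (evidence / "readme.txt").write_text("altered after collection")
    ok_after = verify(evidence)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    m, ok_before, ok_after = demo()
    print(json.dumps(m, indent=2))
    print("verify right after collection:", ok_before)
    print("verify after a copy was altered:", ok_after)
```

Run inside a collection VM (Method 2) or from the investigator’s workstation (Method 1), the manifest is the “during” record: hashes taken on the live source and on the copy, with UTC timestamps that can be lined up with the video or CCTV recording. The `verify()` step is the “after” record, and it fails as soon as any collected copy is modified.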
Cloud VM Data Collection – Method 1
[Diagram: the Investigator workstation collects directly from the Target VM at the Cloud Provider over the Internet]
Benefits:
• 1-step effort
• Does not incur additional cost for another VM instance
Drawback:
• If the internet link is slow, collection will take a long time & may be unreliable
Cloud VM Data Collection – Method 2
[Diagram: a Collection VM at the Cloud Provider collects from the Target VM; the Investigator workstation then downloads the collection result over the Internet]
Benefits:
• The collection process will be faster
• Downloading the collection result over the internet is a more manageable process than collecting over the internet
Drawback:
• 2-step process
• May incur additional cost for the collection VM & its resources
Challenges in Evidence Preservation
• There is no physical evidence
• Seizure of evidence happens in a “virtual location”, which makes associating it with the suspect challenging (prone to denial by the suspect)
Recommendations:
• Strictly follow digital forensic data collection requirements before, during, and after data collection. Document it.
• Documentation before, during, and after collection.
– Video of the collection process
– CCTV recording of the collection process in native format
• Acknowledgement of the documentation
Further Reading
NISTIR 8006 – NIST Cloud Computing Forensic Science Challenges (https://doi.org/10.6028/NIST.IR.8006)
Thank You
eka@bounga.id
+62-812 99 66620
Q&A