
Eka SUTRESNA

Director, Bounga Solusi Informatika


June 15th, 2021
Agenda

1. Scope & Boundaries
2. Aligning Perceptions about Cloud
3. Digital Forensic Challenges in Cloud
4. Q&A
Scope & Boundaries
Let’s have something to agree on …

Digital Forensic Exposure: We all have been exposed to & involved in digital forensics, from novice to expert.
IT & Cloud Literacy: We all are not new to IT, though not at the expert level, and have at least heard about cloud, cloud computing, and cloud services.
No Technical Details: We are not going to cover technical details in this session.
Digital Forensics Use Cases

• Law Enforcement
• Cyber Security Breach Investigation
• Internal Corporate Investigation

This session’s DF focus: the DJP use case of law enforcement applied to taxpayers.
Disclaimer

Not a scientific session: The information provided in this session is based purely on practical knowledge.
Only relevant facts: The Digital Forensic & Cloud topics covered in this session include only the information relevant to entering the challenge discussion; they are not intended to provide comprehensive coverage of either topic.
Bandung Selatan: Pardon my accent …. Thank you.
Aligning Perceptions
Let’s level the playground and reach
a common understanding …
Data Storage Model in Relevancy with Digital Forensics – Simple

[Figure: single-host storage stack, top to bottom]

What the Operating System understands:
• Databases & Apps
• Files (Physical, Logical)
• Partition/Volume
• OS’ Physical Disk

Hardware Layer:
• Physical Disk

Typical Computer Forensic Acquisition Focus: digital forensic acquisition typically concerns the properties of the disk as part of the evidence preservation process, e.g.:
- Brand, type, serial numbers
- Physical appearance
- Sectors
- Etc.
These are typically recorded in the acquisition’s manifest file.
Data Storage Model in Relevancy with Digital Forensics – More Complex

[Figure: two-host storage stack (Host 1, Host 2) over shared hardware, top to bottom]

What the Operating System understands (per host):
• Databases & Apps
• Files
• Partition/Volume (several per disk)
• OS’ Physical Disk
• Logical Disk/LUN, presented to the host by the hardware layer

Hardware Layer (shared by the hosts):
• RAID Group (each spanning several physical disks; the LUNs are carved from the RAID groups)
• Physical Disk
Data Storage Model in Relevancy with Digital Forensics – What’s in it for us?
- To take the complexity to the next level, add a SAN (storage area network) into the equation
- Typically found in the servers of medium to large companies
- How do you define the physical properties of the “physical disks” – brand, type, number of sectors, etc.?
- Acquisition of the OS’ physical disk vs the hardware’s physical disk (yes, it is possible)
- Interface considerations (FC, U.2, SAS, etc.)
Data Storage Model – Key Takeaways
Understand the computing environment that you want to acquire:
• What kind of media you are about to acquire
• Which kind of data (and its format) you are looking for
• Where this data may reside
• Which acquisition method would be best
Cloud Category (remember my disclaimer)

Cloud Storage: Storage space available to store data on remote servers that can be accessed from the internet.
Cloud Computing/Services: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (the NIST definition).
Others: Other internet-based services that many people consider “cloud services”, such as social media, daily apps, etc. Not necessarily wrong, but less relevant to our topic.
Cloud Services Type
• IaaS (Infrastructure as a Service)
From the low-level network layer up to an empty VM
• PaaS (Platform as a Service)
IaaS + Operating System & Database
• SaaS (Software as a Service)
IaaS + Business Applications
• BPaaS (Business Process as a Service) – often referred to as Business Process Outsourcing
SaaS + services to run the business process
Legacy IT Services & Cloud Services
[Figure: comparison of the legacy IT service stack with IaaS, PaaS, SaaS and BPaaS; only the labels “BPaaS” and “All” survived extraction]
Legacy vs Cloud IT Services – What’s in it for us?

• Understand at which level your targeted information may be located
• Accordingly, determine the best collection/acquisition & analysis method
Misconception sanity check …
During an audit, your auditee informs you that all accounting data is stored on a cloud drive. He/she points you to the cloud drive.
Question:
Is the accounting data really stored in the cloud as per our aligned understanding?

This seems very obvious and too easy to recognize.

But imagine a large company with 3 data centers. Accounting users (less IT-literate) may say “my data is in the cloud” just because the data can be physically hosted in any of the 3 data centers, beyond their knowledge, despite the fact that the company is running “Traditional On-Premise IT Services”.

• Talking to the right person regarding “where the data is” will be crucial
• Understanding the differences
Example 1:
Company A uses MS Excel as its accounting journal to record all transactions. The Excel file is stored on a computer and synchronized to Google Drive (with DriveFS). We suspect Company A of tax evasion. During an audit, Company A states that the hard disk of the computer is totally broken and no data is recoverable anymore.

Question:
1. Which cloud category does Company A have?
2. Which cloud services type does Company A have?
3. What is the crucial data and where is it located?
4. If we ever need to do forensic collection of their accounting data, what should we do?

Answer:
1. Cloud Storage
2. None
3. The accounting data. On the broken computer & in Google Drive.
4. Cloud forensic collection from their Google Drive account (collect the file’s revision history and the trash as well, not only the current copy).
Example 1a:
Company A uses MS Excel as its accounting journal to record all transactions. The Excel file is stored on a computer and backed up to a VM at a cloud provider. We suspect Company A of tax evasion. During an audit, Company A states that the hard disk of the computer is totally broken and no data is recoverable anymore.

Question:
1. Which cloud category does Company A have?
2. Which cloud services type does Company A have?
3. What is the crucial data and where is it located?
4. If we ever need to do forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Services
2. PaaS
3. The accounting data. On the broken computer & in the cloud VM.
4. Logical collection of the folder or drive containing the backup Excel file in the VM; or “physical” collection of the VM’s storage (if it is suspected that the data has been deleted in the VM).
Example 2:
Company B subscribes to cloud-based accounting software to perform all accounting tasks. The accounting person logs in to the application via a browser and records all transactions via the web browser as well.
We suspect the company of tax evasion.
Question:
1. Which cloud category does Company B have?
2. Which cloud services type does Company B have?
3. Where is their data located?
4. If we ever need to do forensic collection of their accounting data, what should we do?

Answer:
1. Cloud Services
2. SaaS
3. At the SaaS provider.
4. Ask the SaaS provider to extract all data, if jurisdiction, time and technical constraints all allow us to do so; OR generate reports (including the audit trail) from the SaaS accounting software, and follow all digital forensic data collection requirements before, during, and after data collection.
Example 3:
Company C purchased accounting software and installed it in a Virtual Machine (VM) at a cloud provider. The cloud provider manages the VM up to the OS level.
We suspect the company of tax evasion.
Question:
1. Which cloud category does Company C have?
2. Which cloud services type does Company C have?
3. Where is their data located?
4. If we ever need to do forensic collection of their accounting data, what should we do?
Answer:
1. Cloud Services
2. PaaS
3. In the VM provided by the cloud provider.
4. Physical or logical collection of the VM (depending on whether the data structure in the database is understandable or not); generate reports from the accounting software. Follow the required procedure before, during, and after forensic data collection.
Cloud Forensic Challenges
What is Cloud Forensics?
The application of digital forensic science in cloud environments. Technically, it consists of a hybrid forensic approach (e.g. remote, virtual, network, live, large-scale, thin-client, thick-client, including the endpoint devices used to access cloud services) to the discovery of digital evidence. Organizationally, it involves interaction among cloud actors (providers, consumers, brokers, carriers, auditors) for the purpose of facilitating both internal and external investigations. (Definition as given in NISTIR 8006.)

Challenges:
1. Legal
2. Organizational
3. Technical
Legal Challenges
• Legal access to data
• Effective channels for international communication and cooperation during the investigation
• Contractual terms – do they cover data collection & forensic investigation?
Organizational Challenges
• Identifying the legitimate & exact owner of the account & data
• Role-based accounts vs physical users
• Anonymity of the accounts
• Ease of account creation and role/right assignment
• Multiple accounts, multiple roles
• Documenting the process of overcoming the challenges above (evidence, witness, confession). May need second-level documentation to support the documentation.
Recommendations:
1. Quickly identify the critical data location and isolate access to it
2. Identify key persons in the organization who may have access to the critical data and could potentially alter it
3. Ask the right questions of the right person
4. Use the investigator’s authority to prevent unauthorized access to, or removal of, the critical data
5. Time is of the essence
6. Consistent documentation
Technical Challenges – Data Collection
• Locating crucial data/artifacts in large, distributed, and dynamic systems
• Data collection from virtual machines
• Multi-tenancy – data integrity, confidentiality
• Unfavorable behavior of deleted data: deletion tends to be permanent, unlike on typical computers where deleted data often remains recoverable

Recommendations:
1. Time is of the essence
2. Quickly identify where the critical data is located, and quickly determine the best collection method
3. Have a cloud services expert in the collection team
Technical Challenges – Data Analysis
• Unfavorable behavior of deleted data: deletion tends to be permanent
• Timestamp differences across artifacts/data, because:
– cloud services may span multiple geographical locations, and hence time zones
– inconsistencies in timestamping at the cloud provider’s systems during data collection
• In native business application systems, accessing the database may be challenging (unknown password, encrypted database, data obfuscation, etc.)
• Even if we manage to access the database, understanding the data structure is always a challenge

Recommendations:
1. Always look to generate all relevant business application reports
2. Always look to extract all audit trails from the business application layer
3. Always look to extract all database access logs from the database layer
4. Have an IT-literate person who is well-versed in the system/business analyst role for the related business area (e.g. accounting/finance)
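The time-zone and timestamping points above, as an added example that is not part of the original slides: the Python script below places artifacts exported from three differently-zoned sources (an application audit trail, a database access log and a provider console export) on one UTC timeline, keeping the original stamp beside the normalized one, and refuses to place a naive timestamp from a source whose offset was never established. The source names, their offsets and the log lines are constructed for the example; fixed offsets are used for simplicity, which is exact for Jakarta (UTC+7, no daylight saving) but a region with daylight saving should use zoneinfo instead.

```python
"""Added example (not from the original slides): one UTC timeline from
artifacts exported by differently-zoned cloud sources.

Sources, offsets and log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Declared UTC offset of each source, established during collection. These are
# assumptions for the example. Jakarta (WIB) is UTC+7 with no daylight saving,
# so a fixed offset is exact; a DST region should use zoneinfo instead.
SOURCE_OFFSETS = {
    "app_audit_trail": timedelta(hours=7),    # accounting application server, WIB
    "db_access_log": timedelta(0),            # database writes its log in UTC
    "provider_console": timedelta(hours=-7),  # provider console, US Pacific in June (PDT)
}

# Constructed sample artifacts: (source, timestamp exactly as exported, description).
SAMPLE_EVENTS = [
    ("app_audit_trail", "2021-06-14 09:05:12", "journal entry J-1042 amended"),
    ("db_access_log", "2021-06-14T02:05:13Z", "UPDATE journal SET amount=... WHERE id=1042"),
    ("provider_console", "2021-06-13 19:05:20", "VM snapshot created"),
    ("app_audit_trail", "2021-06-14 09:04:50", "user acct01 logged in"),
    ("spreadsheet_export", "2021-06-14 10:00:00", "row pasted from exported sheet"),
]


def parse_exported(source, raw):
    """Return an aware UTC datetime, or None when the timestamp cannot be anchored.

    An explicit 'Z' or +hh:mm offset in the artifact wins; otherwise the
    source's declared offset is attached. A naive timestamp from a source with
    no declared offset is ambiguous and must not be placed silently on the timeline.
    """
    text = raw.strip().replace(" ", "T")
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        offset = SOURCE_OFFSETS.get(source)
        if offset is None:
            return None
        parsed = parsed.replace(tzinfo=timezone(offset))
    return parsed.astimezone(timezone.utc)


def build_timeline(events):
    """Sort events on the UTC axis; return (timeline, ambiguous)."""
    timeline, ambiguous = [], []
    for source, raw, desc in events:
        utc = parse_exported(source, raw)
        if utc is None:
            ambiguous.append((source, raw, desc))
        else:
            timeline.append((utc, source, raw, desc))
    timeline.sort(key=lambda item: item[0])
    return timeline, ambiguous


def render(timeline):
    """Report lines that keep the original stamp next to the normalized one."""
    return [f"{utc.isoformat()}  {source:<17} [{raw}]  {desc}"
            for utc, source, raw, desc in timeline]


if __name__ == "__main__":
    ordered, unplaced = build_timeline(SAMPLE_EVENTS)
    print("\n".join(render(ordered)))
    for source, raw, desc in unplaced:
        print(f"UNPLACED (no offset known for {source}): [{raw}] {desc}")
```

On the constructed input the login, the journal amendment and the database UPDATE line up one second apart in UTC even though their exported stamps differ by seven hours, while the spreadsheet row is reported as unplaced rather than being guessed into position; the unplaced list is what you go back to the auditee or provider with.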
Data Collection for Cloud
• Cloud Storage: quite straightforward, collectors are available
• Others, popular cloud application services: data collectors are available
• Cloud Services PaaS & IaaS: a VM-level data collector is available for some cloud providers
• Cloud Services SaaS & BPaaS: rely on the applications’ reports

Considerations:
• Internet link speed
• “Securing the account” against password changes and account deletion
• Evidence of account legitimacy (witness, evidence, confession)
• Token vs username/password authentication
• PaaS & IaaS: remote collection from another VM vs from the investigator’s workstation
• Strictly follow digital forensic data collection requirements before, during, and after data collection
• Documentation before, during, and after collection:
– Video screen capture during the collection process
– CCTV recording of the process in its native format
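The collection requirements above (document before, during and after; know what you collected, when, and whether it is intact) are easiest to satisfy when the collector itself produces the acquisition manifest mentioned in the storage-model section. The Python script below is an added example, not code from the original slides: it stream-copies a source to an image while hashing, re-hashes the written image independently, records UTC start and end times, size and digests in a JSON manifest, and re-verifies the image afterwards, including after a simulated alteration. A regular file stands in for the VM folder or disk being collected (Example 1a); on a real block device you would point it at the device node with sufficient privileges. File names and the case note are assumptions.

```python
"""Added example (not from the original slides): an acquisition with a manifest.

Copies a source to an image while hashing, writes a JSON manifest with UTC
start/end times, size and digests, then re-verifies the image against it.
A regular file stands in for the VM folder or disk being collected.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read/write in 1 MiB blocks so large images stream


def utc_now():
    """Timestamp in UTC with an explicit offset, so it is unambiguous later."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, manifest_path, note=""):
    """Stream-copy source -> image, hashing on the fly, and write the manifest.

    The hash of the source stream and an independent re-read of the written
    image must agree; a mismatch means the copy (or the link it crossed) is
    not trustworthy and the collection has to be repeated.
    """
    manifest = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "note": note,
        "started_utc": utc_now(),
    }
    stream_digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            stream_digest.update(block)
            dst.write(block)
            copied += len(block)
    manifest["bytes"] = copied
    manifest["sha256_source_stream"] = stream_digest.hexdigest()
    manifest["sha256_image"] = sha256_of_file(image)  # independent re-read of the image
    manifest["finished_utc"] = utc_now()
    manifest["verified_at_acquisition"] = (
        manifest["sha256_source_stream"] == manifest["sha256_image"]
    )
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(image, manifest_path):
    """Re-hash the image and compare with the manifest; run before every analysis step."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    return sha256_of_file(image) == manifest["sha256_image"]


def demo():
    """Run the whole flow on constructed data; returns (manifest, ok, ok_after_tamper)."""
    workdir = tempfile.mkdtemp(prefix="cloud-collect-")
    source = os.path.join(workdir, "backup-folder.tar")      # assumed name for the collected folder
    image = os.path.join(workdir, "backup-folder.tar.img")
    manifest_path = os.path.join(workdir, "manifest.json")
    with open(source, "wb") as fh:                           # constructed sample content
        fh.write(b"CONSTRUCTED SAMPLE DATA " * 4096)
    manifest = acquire(source, image, manifest_path,
                       note="Example 1a: backup folder on the cloud VM (assumed case note)")
    ok_before = verify(image, manifest_path)
    with open(image, "r+b") as fh:                           # simulate post-collection alteration
        fh.seek(0)
        fh.write(b"X")
    ok_after = verify(image, manifest_path)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    result, ok, tampered_ok = demo()
    print(json.dumps(result, indent=2))
    print("verified:", ok, "after tamper:", tampered_ok)
```

In Method 2 below the script runs on the collection VM and the manifest travels with the image; verifying the downloaded image against the manifest on the investigator workstation is what shows the internet transfer did not alter it.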
Cloud VM Data Collection – Method 1
[Figure: the investigator workstation connects over the Internet directly to the target VM at the cloud provider]
1. Initiate the collection process from the investigator workstation
2. Data collection traffic flows from the target VM over the Internet to the investigator workstation

Benefits:
• 1-step effort
• Does not incur additional cost for another VM instance
Drawback:
• If the internet link is slow, collection will take a long time & may be unreliable
Cloud VM Data Collection – Method 2
[Figure: a collection VM inside the cloud provider sits between the target VM and the investigator workstation; collection runs within the provider, and the result is then downloaded over the Internet]
Benefits:
• The collection process will be faster
• Downloading the collection result over the internet is a more manageable process than collecting over the internet
Drawback:
• 2-step process
• May incur additional cost for the collection VM & its resources
Challenges in Evidence Preservation
• There is no physical evidence
• Seizure of evidence happens in a “virtual location”, which makes associating it with the suspect challenging (prone to denial by the suspect)

Recommendations:
• Strictly follow digital forensic data collection requirements before, during, and after data collection. Document it.
• Documentation before, during, and after collection:
– Video of the collection process
– CCTV recording of the collection process in its native format
• Acknowledgement of the documentation
Further Reading
NISTIR 8006 – NIST Cloud Computing Forensic Science Challenges
(https://doi.org/10.6028/NIST.IR.8006)
Thank You
eka@bounga.id
+62-812 99 66620
Q&A
