Chapter 13 Homework Incident First Responders Explain That Most

Guide to Computer Forensics and Investigations, Fifth Edition 13-1

Chapter 13

Cloud Forensics

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 13-2

Lecture Notes

Overview

Chapter 13 explains how to apply forensics skills and techniques to a cloud

environment. First, you will learn an overview of cloud computing. Next, you review

some of the legal and technical challenges in conducting cloud forensics. This chapter

Chapter Objectives

• Describe the main concepts of cloud computing

• Summarize the legal challenges in conducting cloud forensics

• Give an overview of the technical challenges with cloud forensics

• Describe how to acquire cloud data

• Explain how to conduct a cloud investigation

• Explain what remote access tools can be used for cloud investigations

Teaching Tips

An Overview of Cloud Computing

1. Explain that the cloud has introduced new ways of managing data, therefore, cloud

History of the Cloud

1. Discuss the people who are known for coming up with the idea of cloud computing,

2. Point out that in 1999, Salesforce.com developed a customer relationship management

3. Mention other providers that started their own cloud services: Amazon EC2, Google

Apps, Apple iCloud, and Microsoft OneDrive.

.

Guide to Computer Forensics and Investigations, Fifth Edition 13-3

Cloud Service Levels and Deployment Methods

1. Explain that NIST defines cloud computing as a computing storage system that provides

2. Discuss the cloud’s three service levels, use Table 13-1 in your discussion:

3. Discuss the differences between the four deployment methods for a cloud:

• Public cloud

• Private cloud

• Community cloud

• Hybrid cloud

Cloud Vendors

2. Discuss the following CSPs and cloud applications:

• Salesforce

• IBM Cloud

Guide to Computer Forensics and Investigations, Fifth Edition 13-4

Basic Concepts of Cloud Forensics

1. Define cloud forensics as simply as applying digital forensics to cloud computing and

that it is considered a subset of network forensics.

2. Point out that the article referenced in the book describes cloud forensics as having

three dimensions:

• Organizational – addresses the structure of the cloud

3. Discuss the capabilities forensics tools should have to handle acquiring data from a

cloud:

• Forensic data collection

Legal Challenges in Cloud Forensics

2. Mention that understanding a CSP’s contract obligations with cloud users and how

Service Level Agreements

1. Point out that service level agreements are also called “master service agreements” and

2. Explain that SLAs should also specify support options, penalties for services not

provided, system performance, fees, provided software or hardware, etc.

3. Discuss how the SLA should define, in detail, the scope of its services and the

responsibilities of the customer, including the following:

• Service hours

• Restrictions applied to the customer by the CSP

4. Point out that digital forensics examiners should be most concerned with restrictions

5. Explain that forensics investigators should review the following when preparing a cloud

investigation plan:

• Policies – detailed rules for a CSP’s internal operation and typically include

personnel responsibilities, management structure, delegation authority,

contracting authority, expectations of protecting data, and the authorization to

7. Discuss the importance of the CSP’s business continuity and disaster recovery plans.

Mention that these plans can be helpful in recovering and analyzing data you need for

your investigation.

Teaching

To emphasize the importance of Service Level Agreements (SLAs), direct

students to the following article:

Jurisdiction Issues

1. Point out that there is currently no law that ensures uniform access or required handling

2. Explain that the SLA can prescribe what laws are enforceable, they don’t usually

3. Make sure students understand that the definition of privacy rights in different

jurisdictions is a major factor in problems with the right to access data.

4. Explain that digital forensics examiners could be held liable when conducting an

Accessing Evidence in the Cloud

1. Point out that when evidence needs to be seized, warrants are used in criminal cases and

2. Explain that in the U.S., the Electronic Communications Privacy Act (ECPA) describes

4. Explain that in cloud environments, the property to be seized is usually data, rather than

physical hardware unless the CSP is the suspect.

5. Discuss the complications that can arise when requesting a search warrant. Point out

6. Discuss the following:

• Government agency subpoenas

Technical Challenges in Cloud Forensics

1. Explain that cloud forensics procedures combine the following tasks:

• Data recovery

• Network analysis to detect intrusions

Guide to Computer Forensics and Investigations, Fifth Edition 13-7

Architecture

1. Explain that no two CSPs are configured in exactly the same way. Further explain that

2. Point out that differences in recording procedures or log keeping can make it difficult to

Analysis of Cloud Forensic Data

1. Explain that analyzing digital evidence collected from a cloud requires verifying the

2. Point out that examining logs can be useful in comparing the modified, last access, and

Anti-Forensics

1. Define anti-forensics as the act of destroying ESI that’s potential evidence.

2. Discuss the different anti-forensics tactics that hackers may use in order to corrupt or

hide data. Be sure to mention that calculating hash values of files and comparing the

Incident First Responders

1. Explain that most CSPs have personnel trained to respond to network incidents. If a

2. Discuss the factors that should be addressed when assembling a first responder team:

• Will the CSP’s operations staff be cooperative and follow directions?

• Will management issue orders stating that you’re the leader of the investigation?

• Do you need to brief staff about operations security?

• Do you need to train staff in evidence collection procedures, including chain of

custody?

Role Management

1. Explain that role management covers data owners, identity protection, users, access

Guide to Computer Forensics and Investigations, Fifth Edition 13-8

Standards and Training

1. Mention that as the cloud becomes more widely used, there is an effort to standardize

cloud architectures for:

• Operating procedures

2. Discuss the following organizations who are involved in the development of standards

and training:

• The Cloud Security Alliance (CSA)

• (ISC)²’s Certified Cyber Forensics Professional

• INFOSEC Institute

Quick Quiz 1

1. Which of the three cloud service levels allows customers to rent hardware and install

whatever OSs and applications they need?

2. A principle of software architecture in which a single installation of a program runs on a

server accessed by multiple entities is known as _____.

3. A contract between a CSP and the customer that describes what services are being

provided and at what level is known as a _____.

4. Destroying, altering, hiding, or failing to preserve evidence is known as _____.

5. _____ in the cloud covers data owners, identity protection, users, access controls, and

so forth.

Acquisitions in the Cloud

1. Explain that the methods used to collect evidence in cloud investigations depend on the

nature of the case.

2. Discuss the following scenarios and the methods used to collect evidence in a cloud

environment:

• Incident involving a network penetration through a CSP’s firewall

Guide to Computer Forensics and Investigations, Fifth Edition 13-9

• Investigating an unauthorized database access

Encryption in the Cloud

1. Mention that many CSPs and third parties offer encryption services for cloud users as a

3. Discuss some of the vendors that offer encryption services for cloud data.

Conducting a Cloud Investigation

1. Explain that investigating cloud incidents should involve the same systematic approach

Investigating CSPs

1. Discuss the following questions that investigators should ask to understand how the

CSP is set up:

• Does the investigator have the authority to use cloud staff and resources to

conduct an investigation?

• Is detailed knowledge of the cloud’s topology, policies, data storage methods,

and devices available?

• Are there any restrictions on collecting digital evidence from remote cloud

storage?

Investigating Cloud Customers

1. Discuss the locations that should be checked when searching for evidence on a cloud

customer’s computer or mobile device:

Guide to Computer Forensics and Investigations, Fifth Edition 13-10

Understanding Prefetch Files

1. Explain that prefetch files contain the DLL pathnames and metadata used by an

2. Point out that metadata in a prefetch file contains an application’s MAC times in UTC

3. Use Figure 13-1 to show offset positions for the counter and the dates and times.

Examining Stored Cloud Data on a PC

1. Introduce the three widely used cloud services: Dropbox, Google Drive, and OneDrive.

Point out how each application is stored on a Windows Computer.

2. Discuss the data to look for in Windows 7 and 8 systems that reveals an association

with one of these cloud services:

• Dropbox

• Google Drive

• OneDrive

Windows Prefetch Artifacts

1. Allow time for students to complete the prefetch activity starting on page 499.

Tools for Cloud Forensics

1. Discuss the following tools that can be applied to cloud forensics:

• Guidance Software EnCase eDiscovery and its incident response and EnCase

Cybersecurity tools

Forensic Open-Stack Tools

1. Explain that Forensic Open-Stack Tools (FROST) integrates with OpenStack and adds

F-Response for the Cloud

Quick Quiz 2

1. With cloud systems running in a virtual environment, _____ can give you valuable

information before, during, and after an incident.

2. Encrypted data in the cloud is in two states. Which state is used to describe data that is

being transmitted over a network?

3. What type of file contains the DLL pathnames and metadata used by an application?

4. A tool with application programming interfaces (APIs) that allow reconfiguring a cloud

on the fly is known as _____.

Class Discussion Topics

1. How has cloud computing changed the way we use the Internet?

2. What are some of the challenges facing forensic data collection?

Additional Projects

1. Ask students to read more about challenges of cloud forensics in a virtualized

environment. Have them write a short essay to summarize their findings.

Additional Resources

1. NIST Cloud Computing Program:

2. SANS Cloud Security Fundamentals:

Guide to Computer Forensics and Investigations, Fifth Edition 13-12

3. NIST Cloud Computing Collaboration Site:

Key Terms

➢ cloud service providers (CSPs) Vendors that provide on-demand network access to a

shared pool of resources (typically remote data storage or Web applications).

➢ community cloud A shared cloud service that provides access to common or shared

➢ management plane A tool with application programming interfaces (APIs) that allow

reconfiguring a cloud on the fly.

➢ multitenancy A principle of software architecture in which a single installation of a

program runs on a server accessed by multiple entities (tenants). When software is

accessed by tenants in multiple jurisdictions, conflicts in copyright and licensing laws

might result.

➢ platform as a service (PaaS) A cloud is a service that provides a platform in the cloud

that has only an OS. The customer can use the platform to load their own applications

and data. The CSP is responsible only for the OS and hardware it runs on; the customer