Authors: Amelia Phillips, Bill Nelson, Christopher Steuart
Guide to Computer Forensics and Investigations, Fifth Edition 13-1
Chapter 13
Cloud Forensics
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
Chapter 13 explains how to apply forensics skills and techniques to a cloud
environment. First, you will learn an overview of cloud computing. Next, you review
some of the legal and technical challenges in conducting cloud forensics. This chapter
Chapter Objectives
Describe the main concepts of cloud computing
Summarize the legal challenges in conducting cloud forensics
Give an overview of the technical challenges with cloud forensics
Describe how to acquire cloud data
Explain how to conduct a cloud investigation
Explain what remote access tools can be used for cloud investigations
Teaching Tips
An Overview of Cloud Computing
1. Explain that the cloud has introduced new ways of managing data, therefore, cloud
History of the Cloud
1. Discuss the people who are known for coming up with the idea of cloud computing,
2. Point out that in 1999, Salesforce.com developed a customer relationship management
3. Mention other providers that started their own cloud services: Amazon EC2, Google
Apps, Apple iCloud, and Microsoft OneDrive.
Cloud Service Levels and Deployment Methods
1. Explain that NIST defines cloud computing as a computing storage system that provides
2. Discuss the cloud’s three service levels, using Table 13-1 in your discussion:
3. Discuss the differences between the four deployment methods for a cloud:
Public cloud
Private cloud
Community cloud
Hybrid cloud
Cloud Vendors
2. Discuss the following CSPs and cloud applications:
Salesforce
IBM Cloud
Basic Concepts of Cloud Forensics
1. Define cloud forensics simply as applying digital forensics to cloud computing, and note
that it is considered a subset of network forensics.
2. Point out that the article referenced in the book describes cloud forensics as having
three dimensions:
Organizational: addresses the structure of the cloud
3. Discuss the capabilities forensics tools should have to handle acquiring data from a
cloud:
Forensic data collection
Legal Challenges in Cloud Forensics
2. Mention that understanding a CSP’s contract obligations with cloud users and how
Service Level Agreements
1. Point out that service level agreements are also called “master service agreements” and
2. Explain that SLAs should also specify support options, penalties for services not
provided, system performance, fees, provided software or hardware, etc.
3. Discuss how the SLA should define, in detail, the scope of its services and the
responsibilities of the customer, including the following:
Service hours
Restrictions applied to the customer by the CSP
4. Point out that digital forensics examiners should be most concerned with restrictions
5. Explain that forensics investigators should review the following when preparing a cloud
investigation plan:
Policies: detailed rules for a CSP’s internal operation and typically include
personnel responsibilities, management structure, delegation authority,
contracting authority, expectations of protecting data, and the authorization to
7. Discuss the importance of the CSP’s business continuity and disaster recovery plans.
Mention that these plans can be helpful in recovering and analyzing data you need for
your investigation.
Teaching Tip: To emphasize the importance of Service Level Agreements (SLAs), direct
students to the following article:
Jurisdiction Issues
1. Point out that there is currently no law that ensures uniform access or required handling
2. Explain that the SLA can prescribe what laws are enforceable, they don’t usually
3. Make sure students understand that the definition of privacy rights in different
jurisdictions is a major factor in problems with the right to access data.
4. Explain that digital forensics examiners could be held liable when conducting an
Accessing Evidence in the Cloud
1. Point out that when evidence needs to be seized, warrants are used in criminal cases and
2. Explain that in the U.S., the Electronic Communications Privacy Act (ECPA) describes
4. Explain that in cloud environments, the property to be seized is usually data, rather than
physical hardware unless the CSP is the suspect.
5. Discuss the complications that can arise when requesting a search warrant. Point out
6. Discuss the following:
Government agency subpoenas
Technical Challenges in Cloud Forensics
1. Explain that cloud forensics procedures combine the following tasks:
Data recovery
Network analysis to detect intrusions
Architecture
1. Explain that no two CSPs are configured in exactly the same way. Further explain that
2. Point out that differences in recording procedures or log keeping can make it difficult to
Analysis of Cloud Forensic Data
1. Explain that analyzing digital evidence collected from a cloud requires verifying the
2. Point out that examining logs can be useful in comparing the modified, last access, and
Anti-Forensics
1. Define anti-forensics as the act of destroying ESI that’s potential evidence.
2. Discuss the different anti-forensics tactics that hackers may use in order to corrupt or
hide data. Be sure to mention that calculating hash values of files and comparing the
Incident First Responders
1. Explain that most CSPs have personnel trained to respond to network incidents. If a
2. Discuss the factors that should be addressed when assembling a first responder team:
Will the CSP’s operations staff be cooperative and follow directions?
Will management issue orders stating that you’re the leader of the investigation?
Do you need to brief staff about operations security?
Do you need to train staff in evidence collection procedures, including chain of
custody?
Role Management
1. Explain that role management covers data owners, identity protection, users, access
Standards and Training
1. Mention that as the cloud becomes more widely used, there is an effort to standardize
cloud architectures for:
Operating procedures
2. Discuss the following organizations that are involved in the development of standards
and training:
The Cloud Security Alliance (CSA)
(ISC)²’s Certified Cyber Forensics Professional
INFOSEC Institute
Quick Quiz 1
1. Which of the three cloud service levels allows customers to rent hardware and install
whatever OSs and applications they need?
2. A principle of software architecture in which a single installation of a program runs on a
server accessed by multiple entities is known as _____.
3. A contract between a CSP and the customer that describes what services are being
provided and at what level is known as a _____.
4. Destroying, altering, hiding, or failing to preserve evidence is known as _____.
5. _____ in the cloud covers data owners, identity protection, users, access controls, and
so forth.
Acquisitions in the Cloud
1. Explain that the methods used to collect evidence in cloud investigations depend on the
nature of the case.
2. Discuss the following scenarios and the methods used to collect evidence in a cloud
environment:
Incident involving a network penetration through a CSP’s firewall
Investigating an unauthorized database access
Encryption in the Cloud
1. Mention that many CSPs and third parties offer encryption services for cloud users as a
3. Discuss some of the vendors that offer encryption services for cloud data.
Conducting a Cloud Investigation
1. Explain that investigating cloud incidents should involve the same systematic approach
Investigating CSPs
1. Discuss the following questions that investigators should ask to understand how the
CSP is set up:
Does the investigator have the authority to use cloud staff and resources to
conduct an investigation?
Is detailed knowledge of the cloud’s topology, policies, data storage methods,
and devices available?
Are there any restrictions on collecting digital evidence from remote cloud
storage?
Investigating Cloud Customers
1. Discuss the locations that should be checked when searching for evidence on a cloud
customer’s computer or mobile device:
Understanding Prefetch Files
1. Explain that prefetch files contain the DLL pathnames and metadata used by an
2. Point out that metadata in a prefetch file contains an application’s MAC times in UTC
3. Use Figure 13-1 to show offset positions for the counter and the dates and times.
Examining Stored Cloud Data on a PC
1. Introduce the three widely used cloud services: Dropbox, Google Drive, and OneDrive.
Point out how each application is stored on a Windows computer.
2. Discuss the data to look for in Windows 7 and 8 systems that reveals an association
with one of these cloud services:
Dropbox
Google Drive
OneDrive
Windows Prefetch Artifacts
1. Allow time for students to complete the prefetch activity starting on page 499.
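As an added example (not from the textbook or its instructor manual), a small Python parser for the Windows 7 and 8.1 prefetch header that reads the executable name, the run counter and the last-run FILETIME(s) and converts them to UTC, the fields the prefetch activity asks students to locate for cloud-sync clients such as Dropbox and OneDrive. The offsets are taken from the publicly documented prefetch format rather than from Figure 13-1, and the two sample records are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets assumed from the public prefetch format (not from the textbook's Figure 13-1):
# 0x00 version (17 = XP, 23 = Win7, 26 = Win8.1), 0x04 "SCCA", 0x0C file size, 0x10 executable
# name (UTF-16LE, 60 bytes). The last-run FILETIME(s) and run counter move between versions.
LAYOUT = {
    17: {"last_run": 0x78, "n_times": 1, "run_count": 0x90},
    23: {"last_run": 0x80, "n_times": 1, "run_count": 0x98},
    26: {"last_run": 0x80, "n_times": 8, "run_count": 0xD0},
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return executable name, run counter and last-run times (UTC) from raw .pf bytes."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file: SCCA signature missing")
    if version not in LAYOUT:  # version 30 (Win10) is MAM-compressed and must be decompressed first
        raise ValueError(f"unsupported prefetch version {version}")
    lay = LAYOUT[version]
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    raw_times = struct.unpack_from(f"<{lay['n_times']}Q", data, lay["last_run"])
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    return {"version": version, "exe": exe, "run_count": run_count,
            "last_runs": [filetime_to_utc(t) for t in raw_times if t]}  # zero slots are unused


def build_sample(version, exe, last_run, run_count):
    """Constructed .pf header for demonstration; only the fields the parser reads are filled."""
    lay = LAYOUT[version]
    size = lay["run_count"] + 4
    buf = bytearray(size)
    struct.pack_into("<I4s4xI", buf, 0, version, b"SCCA", size)
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    ft = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, lay["last_run"], ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)


# Constructed samples: a Windows 7 and a Windows 8.1 prefetch record for a cloud-sync client.
SAMPLE_WIN7 = build_sample(23, "DROPBOX.EXE", datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc), 42)
SAMPLE_WIN81 = build_sample(26, "ONEDRIVE.EXE", datetime(2016, 1, 2, 3, 4, 5, tzinfo=timezone.utc), 7)
```

On a real image, pass the bytes of a file from C:\Windows\Prefetch to parse_prefetch; compare the returned UTC last-run times against the MAC times of the cloud client's local folders when building the timeline.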
Tools for Cloud Forensics
1. Discuss the following tools that can be applied to cloud forensics:
Guidance Software EnCase eDiscovery and its incident response and EnCase
Cybersecurity tools
Forensic Open-Stack Tools
1. Explain that Forensic Open-Stack Tools (FROST) integrates with OpenStack and adds
F-Response for the Cloud
Quick Quiz 2
1. With cloud systems running in a virtual environment, _____ can give you valuable
information before, during, and after an incident.
2. Encrypted data in the cloud is in two states. Which state is used to describe data that is
being transmitted over a network?
3. What type of file contains the DLL pathnames and metadata used by an application?
4. A tool with application programming interfaces (APIs) that allow reconfiguring a cloud
on the fly is known as _____.
Class Discussion Topics
1. How has cloud computing changed the way we use the Internet?
2. What are some of the challenges facing forensic data collection?
Additional Projects
1. Ask students to read more about challenges of cloud forensics in a virtualized
environment. Have them write a short essay to summarize their findings.
Additional Resources
1. NIST Cloud Computing Program:
2. SANS Cloud Security Fundamentals:
3. NIST Cloud Computing Collaboration Site:
Key Terms
cloud service providers (CSPs): Vendors that provide on-demand network access to a
shared pool of resources (typically remote data storage or Web applications).
community cloud: A shared cloud service that provides access to common or shared
management plane: A tool with application programming interfaces (APIs) that allow
reconfiguring a cloud on the fly.
multitenancy: A principle of software architecture in which a single installation of a
program runs on a server accessed by multiple entities (tenants). When software is
accessed by tenants in multiple jurisdictions, conflicts in copyright and licensing laws
might result.
platform as a service (PaaS): A cloud service that provides a platform in the cloud
that has only an OS. The customer can use the platform to load their own applications
and data. The CSP is responsible only for the OS and hardware it runs on; the customer
