2. Types of Cloud Computing
Facing the Unknown – Backend Infrastructure
Accessing the Cloud (remote, datacenters)
Types of Data (VM filesystems, loose files,
emails, etc)
The “Grey” area – Jurisdiction and Legislation
Forensically “sound” procedures (industry best
practice)
Real-world examples:
◦ Australian Cloud Storage Provider (CSP)
◦ Microsoft SkyDrive
Recommendations
3. Two types of Cloud technologies:
◦ Cloud Processing (e.g. Amazon EC2):
Distributed processing power available on-demand that
speeds up resource intensive procedures
Examples: password cracking, video rendering
◦ Cloud Storage (e.g. Dropbox, SkyDrive, iCloud, etc):
Remotely stored files that are available over the internet
from any location without the need for localised storage
solutions
Examples: email, office documents, photos, videos
4. Hybrid Mix:
◦ Cloud solutions that provide file storage and fully
virtualised infrastructure to replace traditional
hardware
Example: Virtual Machines (VMs) hosted in the cloud
5. Variety of hardware and infrastructure
available to create a private cloud
Depending on the provider's cooperation, this may
remain unknown
Depending on the Persons Of Interest (POI)
involved in the investigation, covert access may
be required
6. Datacenters
◦ If local, this will be the fastest solution
Requires assistance from host
Using host's infrastructure
Remote
◦ Depending on host might not be possible to attend
physical datacenter
Accessing over the internet requires patience
Slow
Prone to drop-outs
Possibility to “push” the content out of the cloud rather than
pulling it down
Requires assistance from host
Using host's infrastructure
7. VM data
◦ Various file systems (depending on OS involved)
Common - FAT, NTFS, Ext2/3, HFS+
Virtual – VMware FS, ReFS
Disk Images: VMDK, VHD
Loose files
◦ Graphic Files: JPG, GIF, PNG, PSD, etc
◦ Video Files: MP4, MOV, AVI, WMV, FLV, etc
◦ Document Files: DOC, PDF, XLS, PPT, etc
Emails
◦ Varies depending on host provider
8. CSP User Account Details
◦ Financial information used to create accounts (if
applicable)
◦ Contact information
Network Logs
◦ IP addresses of users/accounts
◦ Dates and times of logins
9. Crimes committed over the internet?
◦ Who has jurisdiction?
Geographical nature of “Cloud”
◦ Often replicated across various datacenters
◦ Not necessarily in same country as Person Of
Interest (POI)
◦ Country (and CSP) hosting content may not have
any legal requirement (or willingness) to cooperate
10. Depends on countries involved
◦ Hosting content
◦ Where CSP business is registered
Australia:
◦ Cybercrime Act 2001
Schedule 1- Computer offences
◦ Criminal Code Act 1995
478.1 Unauthorised access to, or modification of, restricted
data
11. Standard forensic procedure requires read-only access to potential evidence items
◦ No write-blocker for the internet
Each Cloud host will have different
infrastructure
Emails: always ensure export type includes
headers
VMs: capture RAM, try to get VM HDD images
Storage: Try to capture without modification
of MAC times
Logs: network
12. Providing storage and
processing services
◦ Including hybrid VM hosting
13. Person Of Interest (POI) had multiple VMs
hosted on service
◦ VMs running Windows Server 2008 R2
CSP backend running Linux in datacenter
◦ Non-standard file system (which is common to
datacenters due to size limitations of Ext2, Ext3,
etc)
◦ Frontend running “Open Xen” control panel
Initially given wrong address
◦ Warrant issued for business address, not datacenter
14. VMs were running live
◦ Changed user credentials
◦ Captured RAM
Over internet connection
Utilised FTK Imager
Limited tools available to CSP Admins from
control panel
◦ While running live converted VMs to NTFSClone
images as only available option
15. Had to attend physical datacenter to retrieve
converted images (NTFSClone) due to time
constraints
◦ Alternative was to download over internet – very slow!
NTFSClone is non-standard compressed image
◦ Inability to see MBR (partition only)
◦ Unable to be interpreted by any forensic suite
Uncompressed image in Linux to standard partition
ntfsclone --restore-image -o /dev/sdb1/backup.dd /dev/hda1/backup.img
16. Also attempted to image VMs live via FTK
Imager over internet connection
◦ Three VMs (20 GB each)
◦ Failed multiple times
◦ Very slow
Gave up with partial images after 10 days (none
completed correctly)
17. Client was originally after deleted content from
previously existing VMs
◦ POI was trashing VMs and creating new ones every
2 weeks!
CSP had no way of knowing what physical
infrastructure previous VMs existed on
◦ Once deleted from system all resources reallocated
to the “pool”
◦ All storage/processing allocated on the fly when
end users setup a new VM
18. CSP fully cooperative and willing to comply
with warrant
◦ Handed over POIs content
Due to the fact that POI had been paying for service
with stolen credit card numbers
* Had it been another user who had purchased the
services legitimately not sure if CSP would have been
as cooperative
◦ Due to the fact that CSP had not broken any laws directly
◦ ToS and T&C negate legal liability (grey area of law
which has not been challenged in court)
19. Providing storage services
25 GB plus an extra 5 GB of “synced” storage
per account
Ability to have unlimited accounts
◦ Potential to link accounts
◦ Share data across unlimited accounts
20. POI storing illicit content (documents, photos
& videos) and communications
Unless “synced” nothing stored locally
◦ Not even “local” geographically speaking
Content replicated across numerous Microsoft
datacenters around the world
POI popped-up during an investigation
◦ Admitted to having material and emails stored on
SkyDrive
Legally signed over account
21. Email:
◦ Microsoft’s “Hotmail Connector” for Outlook
Locally download all email and attachments to a PST
PST can be imported into favourite forensic suite (X-Ways,
EnCase, FTK, Nuix, etc)
◦ During email “sync” kept dropping out
Had to be restarted numerous times before all content
◦ Contacted Microsoft Law Enforcement Portal to find
alternative to Hotmail Connector
None currently exists
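Slide 11 says email exports must include headers, and this slide describes exporting a mailbox to a PST. The following is an added example (not from the original slides or from any Microsoft tool): it parses a constructed RFC 5322 message, reports which evidentially important headers are missing, pulls the relay IPs out of the Received chain, and simulates a "display headers only" export so the difference is visible. Hostnames and addresses are documentation values.

```python
import re
from email import policy
from email.parser import BytesParser

# Headers an investigator needs: provenance (Received chain), identity and timing.
REQUIRED = ("Received", "Message-ID", "Date", "From", "To")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id 1234; Mon, 5 Nov 2012 09:15:22 +0000
Received: from [198.51.100.7] (helo=laptop)
\tby mail.example.net with ESMTPA; Mon, 5 Nov 2012 09:15:20 +0000
Message-ID: <constructed-0001@example.net>
Date: Mon, 5 Nov 2012 09:15:19 +0000
From: poi@example.net
To: contact@example.org
Subject: constructed sample
Content-Type: text/plain

body text
"""

def audit_export(raw):
    """Report which required headers are absent and the relay IPs recorded in
    the Received chain (top-most relay first, as the headers appear)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    missing = [h for h in REQUIRED if msg.get(h) is None]
    received = [str(v) for v in (msg.get_all("Received") or [])]
    ips = [ip for line in received for ip in IP_RE.findall(line)]
    return {"missing": missing, "received_hops": len(received), "hop_ips": ips}

def strip_transport_headers(raw):
    """Simulate an export type that keeps only display headers, i.e. the kind
    of export the slides warn against: every Received: line is dropped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    del msg["Received"]
    return msg.as_bytes()

if __name__ == "__main__":
    print("full export:", audit_export(SAMPLE_EML))
    print("headerless export:", audit_export(strip_transport_headers(SAMPLE_EML)))
```

Running audit_export over each message of an export (e.g. .eml files produced from the PST) gives a quick count of messages whose transport headers did not survive the export.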
22. Other Content:
◦ 2 Options:
    Windows Live Mesh
        Sync folder/s and download content
        Can then be imaged or added to logical evidence container
        5GB limitation to content synced through Mesh
    Individually download each item through web browser
        Potentially affecting MAC times, but not metadata
No other solution suggested by Microsoft Law
Enforcement Portal
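Slide 11 asks for storage to be captured without altering MAC times, and this slide notes that downloading items individually can change them. The following is an added example (not from the original slides): it builds a hash-and-timestamp manifest for captured files, recording the local MAC times beside the provider-reported modified time so any disturbance introduced by the download is documented rather than lost. The sample files and provider timestamps are constructed; the ISO-8601 provider timestamp is an assumed input format.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    # Stream so large captures (VM images, videos) are not loaded into RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest_entry(path, provider_modified):
    """Local MAC times beside the CSP-reported modified time (ISO-8601 string)
    and a flag showing whether the download disturbed the modified time."""
    st = os.stat(path)
    provider_ts = datetime.fromisoformat(provider_modified).timestamp()
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "sha256": sha256_of(path),
        "local_mtime": iso(st.st_mtime),
        "local_atime": iso(st.st_atime),
        "local_ctime": iso(st.st_ctime),
        "provider_modified": provider_modified,
        "mtime_matches_provider": abs(st.st_mtime - provider_ts) < 2.0,
    }

def verify_entry(path, entry):
    # Re-hash a captured file, e.g. after copying it into an evidence container.
    return os.path.getsize(path) == entry["size"] and sha256_of(path) == entry["sha256"]

def demo_capture():
    """Constructed sample: two 'downloaded' files with made-up provider times."""
    workdir = tempfile.mkdtemp(prefix="capture_")
    samples = [("report.txt", b"abc", "2012-11-01T09:30:00+00:00"),
               ("photo.bin", bytes(range(256)), "2012-11-02T10:00:00+00:00")]
    entries = []
    for name, data, provider_modified in samples:
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(data)
        entries.append(manifest_entry(path, provider_modified))
    return workdir, entries

if __name__ == "__main__":
    for e in demo_capture()[1]:
        print(e["name"], e["sha256"][:16], "mtime matches provider:", e["mtime_matches_provider"])
```

Because the sample files are written at run time, their local mtime is "now" and the flag is False, which is exactly the situation a browser download produces.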
23. Multi Lateral Agreements (MLAT)
◦ Send content host preservation notice
Generally takes account/s offline
Snapshot of all data taken
◦ Approximately 18 month process once paperwork
is filed to receive content from host
◦ Must provide all paperwork in accordance with the
host country (generally USA)
24. Multi Lateral Agreements (MLAT)
Chain of the request and of the produced content:
Local Agency → Attorney-General Department (ACT) → USA Department of Justice (DoJ) → US Court Order Produced → Microsoft
25. Use of standalone internet-enabled machine
to capture remote content
◦ Forensically wiped upon job completion
Preservation request sent to CSP (assuming
legally compliant)
Consult with technical people employed by
CSP prior to “capture”
Expect the unexpected: non-standard file
systems (e.g. Oracle FS)