Digital Forensics, Incident Response, and Cloud Computing Troy Larson Azure | MSRC Microsoft Corp.
Forensics, Response, Cloud Computing
• MSRC | Azure
• Security incident response investigations.
• Forensics @ Microsoft.
• Compromise | Intrusion | Breach.
• Forensics and incident response investigations for the cloud.
What is cloud computing?
• Insider's view of cloud computing:
  • Technology overview.
  • Policy.
  • Forensics and incident response.
  • Practices.
  • Challenges.
  • Opportunities.
• Automated datacenter, where machines are:
  • Deployed by machine.
  • Managed by machine.
  • Monitored by machine.
  • For services.
  • For tenants.
Azure Technical Overview
• Collection of automated datacenters.
• Primary resources:
  • Compute.
  • Storage.
  • Network.
• Datacenters.
• Clusters.
  • Nodes (blades).
• Compute node (host server).
• Virtual machine, from the host.
[Diagram: the VM as seen from the host: memory as guest physical address spaces (GPA1, GPA2); media as VHD files (VHD1, VHD2).]
• The persistent virtual hard drive.
• The virtual hard drive.
  • To the host, a file.
  • To the virtual machine, a physical disk.
  • Partitioned and formatted to create volumes and file systems.
  • Can be organized like physical hard drives:
    • Single disks.
    • Dynamic volumes (volumes spanning virtual disks).
    • RAID.
• Virtual machine memory.
[Diagram: VM memory, with the page file on a VHD.]
• Virtual machine, from within.
[Diagram: the VM as seen from inside: memory; volumes C:\ and D:\.]
• Different viewpoints.
• On the host side of the hypervisor:
  • Memory is guest physical address space.
  • Disks are files.
• On the guest side of the hypervisor:
  • Memory consists of virtual and physical address space.
  • Disks appear as physical and logical media.
Policy
• Cloud administrators and security teams:
  • Extremely limited visibility into what is happening with tenant VMs.
• Tenant administrators and security teams:
  • Complete visibility into what is happening on their VMs.
  • No visibility into what is happening on other tenant VMs, or on the host or infrastructure.
• Security responsibility follows ownership.
• Security.
  • Shared security model:
    • Management.
    • Ownership.
• Security incident.
[Diagram: network of top-of-rack (TOR) switches.]
Evidence Acquisition of Cloud-Based Machines
• Virtual machines, acquisition.
Host/VM
• Memory
  • As GPA.
  • As saved state file(s).
• Media
  • As files.
  • As blobs.
• Network
  • From virtual switch.
Guest/VM
• Memory
  • Live.
• Media
  • As physical or logical disks.
  • As blobs.
• Network
  • Live.
Host/VM
• Running or stopped.
• State can be frozen.*
• No collection artifacts.*
• Consistent memory and disk images.*
Guest/VM
• Running.
• State is dynamic.
• Collection artifacts.
• Inconsistent memory and disk images.
[Diagram: host view (GPA, VHD) beside guest view (memory, C:\, D:\).]
Host/VM
• Cloud provider.
Guest/VM
• Tenant.
• Tenant evidence acquisition:
  • Standard remote collection procedures and tools should work for acquiring cloud-based VMs.*
  • Blob storage of virtual disks allows for quick acquisition or snapshots of virtual disks.
  • Equivalent to, or better than, current enterprise remote evidence collection capability.*
• Cloud infrastructure.
  • Consists of hundreds of thousands of physical machines.
  • Huge amounts of RAM.*
  • Huge amounts of disk storage.*
  • Novel disk storage technologies.*
  • Under extremely heavy load.*
• Can exceed the capability of current forensics tools and practices.
• Cloud infrastructure.
  • Network is not a standard corporate network.
  • No domain authentication.
  • Segmented.
  • Firewalled.
• Standard enterprise remote evidence tools and procedures often will not work.
Forensic Analysis of Cloud-Based Machines
• Cloud machines:
  • Use standard operating systems.
  • Common, well-known file systems, file types, structures, and strings.
  • Amenable to standard analytical tools and procedures.
  • Subject to compromise, breach, and other common sport.
• Security incident response and stateless virtual machines.
  • PaaS designed to be stateless.
  • Scalability and fault tolerance.
  • Persistent data goes to storage.
  • New instance starts clean.
• Remediation by command line.
• What is the point of doing forensics or other in-depth security incident investigation?
• Cloud (virtual) machine advantages.
  • From host:
    • Fully consistent memory dumps.
    • Fully consistent drive (volume) images.
    • State files.
  • By tenant:
    • Fully consistent drive images from storage.*
• Issues of scale and scalability.
  • Cloud infrastructure is vast.
  • Cloud environment is more vast.
  • Virtual entities can be dynamic, and endpoints ephemeral.
  • Tenant deployments can be vast and dynamic, too.
• Cloud-ready incident response and forensics:
  • Must be able to work at scale.
  • Must be scalable—monitoring, triage, log analysis, forensics.*
• Problem:
  • DF/IR is dependent on subject matter expertise.
  • Subject matter experts do not scale well.*
Research topics.
• What is normal?*
The analytical opportunities of scale.
* Jesse Kornblum, https://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-jesse-kornblum-computer-forensic-tool-panel.pdf
• Cloud machines | "Roles" | n identical instances.
  • Role instances:
    • xyz-service-01_of_200
    • xyz-service-02_of_200
    • xyz-service-03_of_200
    • ...
    • xyz-service-56_of_200
• Role instances:
  • Same OS VHD.
  • Same hardware and drivers.
  • Same configuration settings.
  • Same applications and services.
  • Same processes and command lines.
  • Same events.
• Process creation event (Security Event ID 4688):
  • New process name and path.
  • Parent process.
  • Command line.
  • Account that launches the process.
• What processes run in exactly the same way, on all role instances?
• Role-specific event baselines:
  • Identical 4688 events, across all instances (per role), show what runs, how, and by what account.
  • What is normal for any instance of that role.
  • Usage: compare the individual to the herd.
    • Detection and monitoring.
    • Live analysis and triage (e.g., Kansa).
    • Memory forensics.
    • Disk forensics.
• Role-specific event baselines:
  • Signal to noise: non-identical 4688 events.
  • Unique to a role instance.
  • Anomalous; may indicate a security issue.
  • Usage: what stands out against the herd.
    • Detection and monitoring.
    • Hunting.
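An added example (not from the talk) of the herd comparison the last two slides describe, in Python: constructed 4688-style events from four instances of one role are normalized, the events present on every instance form the role baseline, and whatever is left is what stands out. The simplified event fields, the instance names and the `<instance>` masking of the host's own name in command lines are assumptions.

```python
"""Role baseline from 4688-style process-creation events (added example)."""
import re
from collections import defaultdict

# Constructed sample: four instances of one role. Each record is
# (instance, new process, parent process, command line, account), a
# simplified view of the 4688 fields the talk lists.
ROLE_INSTANCES = ["xyz-service-01_of_200", "xyz-service-02_of_200",
                  "xyz-service-03_of_200", "xyz-service-04_of_200"]
COMMON = [  # what every instance of the role runs; {host} is instance-specific
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
     "svchost.exe -k netsvcs", "SYSTEM"),
    (r"D:\app\xyz.exe", r"C:\Windows\System32\services.exe",
     r"D:\app\xyz.exe --instance {host}", "NETWORK SERVICE"),
]
EVENTS = [(host, proc, parent, cmd.format(host=host), acct)
          for host in ROLE_INSTANCES for proc, parent, cmd, acct in COMMON]
# Instance 03 also spawns a command none of its peers run.
EVENTS.append(("xyz-service-03_of_200", r"C:\Windows\System32\cmd.exe",
               r"D:\app\xyz.exe", "cmd.exe /c whoami", "NETWORK SERVICE"))


def normalize(host, new_proc, parent, cmdline, account):
    """Key that is identical across instances when the process is the same:
    case folded, whitespace collapsed, the instance's own name masked."""
    cmd = re.sub(r"\s+", " ", cmdline.strip()).replace(host, "<instance>")
    return (new_proc.lower(), parent.lower(), cmd.lower(), account.upper())


def build_baseline(events):
    """Return (key -> instances that produced it, keys seen on every instance)."""
    seen_on = defaultdict(set)
    instances = set()
    for host, *fields in events:
        instances.add(host)
        seen_on[normalize(host, *fields)].add(host)
    baseline = {key for key, hosts in seen_on.items() if hosts == instances}
    return seen_on, baseline


def anomalies(events):
    """Events outside the baseline, with the instances that produced them:
    the fewer instances, the more the event stands out against the herd."""
    seen_on, baseline = build_baseline(events)
    return {key: sorted(hosts) for key, hosts in seen_on.items()
            if key not in baseline}


if __name__ == "__main__":
    for key, hosts in anomalies(EVENTS).items():
        print("stands out on", hosts, ":", key[2], "as", key[3])
```

On the sample, the two common processes form the baseline for all four instances and the extra cmd.exe launch on instance 03 is the only event reported.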
• What other herd behavior can indicate normal or highlight anomalies?
  • Task scheduler and service events.
  • Object access events?
  • Logon, source IP address?
  • Error and failure events?
  • IPFIX?
  • Prefetch?
  • Amcache.hve?
Questions?