Challenges Digital Forensic Investigators face today in the Cloud


JohnMSM

New Member
Apr 28, 2018
#1
Hi,

My organization wants to start using the Cloud, and I am concerned about my confidential data if someone breaks into that Cloud. What is the most difficult evidence to find/get in the Cloud when conducting a computer forensic investigation?
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
https://twitter.com/AzuleOnyx
#2
John,

It would depend on the cloud technology and what they are after. Honestly, there are a whole bunch of low-level hacks into the cloud where hypervisors are being taken over. However, the applications themselves do yield plenty of information for those breaking in.

The advancement of the cloud really does make knowing where the data is physically located harder than in traditional environments. Some countries make it illegal to store citizens' data outside of the country, even using cloud technology. These countries want to make it easier for e-Discovery or eavesdropping on their citizens more than "protecting" the data.

The best way to get cloud data is to use the native technology. For example, to extract cloud data from Google Drive, use the Google Drive APIs instead of something else. The same is true for other cloud services.

If you or your company is worried about theft of data, you can set up a private cloud and always encrypt data at rest and in transit.
 

Farinka

New Member
Oct 31, 2018
#3
Cloud problems have not been resolved since their appearance and the use of the cloud is recommended only with full confidence in the owner, otherwise - do not even think about it.
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
#4
You will be amazed how much stuff is really stored in the Cloud today. You might as well never use a computer.
 

BIOS

New Member
Oct 30, 2018
#5
Hey John,

Looks like you have 2 big questions.

For now, I’ll just tackle your concern: "if someone breaks into the 'Cloud' and gets your confidential data?" First, someone could still get your 'confidential data' regardless of where it is stored. Those concerns should exist even if your data is stored on a system not connected to the internet. Perhaps a rogue employee copies files to a USB drive? Do you have auditing in place to track who is accessing what? And, if that storage location is accessible via an internet connection, isn't it basically in the cloud?

Next, "the cloud" is a very general term. There are many different methods to set up your own "cloud storage" as well as many different cloud service providers. So, it’s not really fair to say the cloud is secure or is not secure.
The security of it is highly dependent on a lot of factors (including a lot of human factors). However, it's quite possible that storing your data on "the cloud" is a far more secure option than your company's own managed network. For example, Microsoft and Amazon are spending billions on their cloud storage services (and related security), which is likely a lot more money & resources than your organization is putting towards protecting its network.

And in the case of a small business, they might have just one IT guy/gal who is running the whole network, purchasing software/hardware, doing updates & security, as well as taking daily tech support calls for all the staff. They might be a very talented person, but it's a lot of work for one person who is also then supposed to be tasked with securing all of the company’s data. So, my point, "the cloud" might be the most secure option - but you need to choose the right cloud option.
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
#6
@BIOS makes some excellent points about confidential data and the Cloud. I think the problem people are stuck on is that the Cloud is inherently insecure; however, if you read Ghost in the Wires by Kevin Mitnick, you will realize there are plenty of other problems with security outside of the Cloud.

You could use ownCloud or Nextcloud to self-host your own cloud services, which you can host directly in a data center without external connectivity. One step further, encrypting your storage would help secure it as long as the encryption method and process are secured. Echoing @BIOS: just choose the right cloud option [based on the risks of the company].

I have been the single IT person for a small company and it is a pain. At that time, things like G Suite, Office 365, and other online tools were not even around. Microsoft products were greatly overpriced for an SMB; however, I had to convince the owner to purchase licenses for the product to be legal and to simplify management of the process. I did have a Samba DC set up with centralized logins. I really needed centralized patch management, but that did not happen before I left. Also, I was on call 24/7 for anything and everything. It was not a fun job.
 

RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#7
My organization wants to start using Cloud and I am concerned with my confidential data when someone can break into that Cloud.
This is similar to a question we had from a client that was looking to host with us, but was worried about storing their data in the cloud.

Essentially, they stated that they would never host their data in the cloud.

What I attempted to point out to him was that the majority of internal work networks are connected to the internet, and it only takes one improperly set up firewall to give access to your internal systems, including any on-premises applications.

As @BIOS and @azuleonyx correctly point out, security of your data really comes down to the overall setup of the application and the cloud provider being used.

Microsoft, IBM and Google are betting their future on cloud services and as a result, they are spending billions to ensure it is secure and protected. One major breach into an IBM, Google or MS cloud service would dramatically slow down the adoption of cloud services which is expected to be $30+ Billion per year by the end of 2019 for just Microsoft.

These companies have a LOT to lose.

For some organizations, the cloud may not make sense, but for most small and medium sized businesses, they should strongly consider it for the majority of their applications that need to be accessible from multiple locations while being properly secured.

@azuleonyx was like the majority of SMB techs, who are overworked and struggling to get the proper funds to secure their small networks.

Read the full article at: Is the Cloud Safe?

What is the most difficult evidence to find/get in the Cloud when conducting computer forensic investigation?
Once again this depends on the cloud provider and the agreements you have in place as a client.

Although I don't know if this is true, one of the complaints I have heard from organizations that use Office 365 is that the base fees don't include a lot of analytics to assist with detecting issues. As a result, you may be required to pay more to view analytics which may help you detect your own breach.

Remember, the majority of breaches are not detected for 6+ months. And even when detected, they are often detected by outside organizations.

However, if a major breach does occur and it looks like it may be a result of a service provided by your cloud provider, I am sure they will do what they can to assist to ensure the rest of their clients are protected. They have a vested interest in making sure they know how the breach occurred and what they can do to correct the issue.

Cloud providers like MS Azure are adding more and more threat detection systems and logs which, if set up properly, can provide a lot of useful information.

I hope this helps.
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
#8
However, if a major breach does occur and it looks like it may be a result of a service provided by your cloud provider, I am sure they will do what they can to assist to ensure the rest of their clients are protected. They have a vested interest in making sure they know how the breach occurred and what they can do to correct the issue.
One thing to remember: in most cases, the company who owns the data must secure it, even in the cloud. Although, as @RobertM stated, Cloud providers will help you and provide detection services, it is not their responsibility to secure your business data. They will do all they can (especially the larger companies) because, in the end, it adds credibility to the service and to their bottom line.
 

BIOS

New Member
Oct 30, 2018
#10
There are a number of great products out there.
I've had experience using Cellebrite UFED Cloud Analyzer: UFED Cloud Analyzer - Cellebrite
It has worked quite well for the most part.

I've also heard good things about Magnet AXIOM Cloud: Magnet AXIOM Cloud - Magnet Forensics Inc.
On their website, they state, "As enterprises of all sizes continue to shift more and more data into cloud-based content collaboration platforms, it’s more important than ever to learn how to recover cloud-based data and perform forensically sound Office 365 investigations." I haven't used it, but it sounds like an interesting area to explore.

I know there are more... but hopefully others can chime in with their experiences or knowledge of other tools.
 

RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#11
One thing to remember: in most cases, the company who owns the data must secure it, even in the cloud. Although, as @RobertM stated, Cloud providers will help you and provide detection services, it is not their responsibility to secure your business data. ...
@azuleonyx : This is an excellent point and hopefully my original post was clear that I am only speaking from the perspective of the outside perimeter of security around your data. As a business, you are responsible for properly encrypting all sensitive data both in transit and at rest.

Cloud services like Azure and AWS offer HSM KeyVaults for encryption keys requiring all decryption to take place within the HSM. This isn't usually the actual data, but rather the encryption key used to encrypt the data. For example, we utilize a unique CEK (Content Encryption Key) for every record, which is a 256-bit Symmetric key. The CEK is then encrypted with a 2048-bit Asymmetric Public Key (KEK - Key Encryption Key).

In order to decrypt the CEK to then decrypt the data, the encrypted CEK must be passed into the Azure KeyVault. The PRIVATE KEK Asymmetric key only exists within the KeyVault. As a result, all decryption is then logged by the KeyVault service.

For more information on this process, please take a look at:
Security & Data Encryption | Key Vault | Encryption Keys - Forensic Notes

My point in providing the above is to show you that companies MUST use the technology available to properly secure their data. Azure and AWS will help detect potential breaches and will likely assist in determining how it happened, but it is up to every business to employ proper security to ensure their data is encrypted and secure.

Not only should you encrypt sensitive data in your database, the database should also employ its own encryption if possible. For example, Azure offers Transparent Data Encryption (TDE) with its Azure SQL Databases. This further encrypts the data at rest.
 
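The per-record envelope scheme @RobertM describes above, as an added example that is not code from this thread or from Forensic Notes. It is a stand-alone Go program using only the standard library: the `Vault` type is a hypothetical stand-in for an HSM-backed key vault (it is not the Azure Key Vault or AWS KMS API), the caller names and the two sample records are constructed, and RSA-OAEP with SHA-256 plus AES-256-GCM are my assumptions, since the post names only the key sizes. The vault holds the 2048-bit private KEK; the application receives only the public half, wraps a fresh 256-bit CEK per record, and every unwrap (the one step that needs the private key) is appended to an audit log whether it succeeds or fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Vault stands in for an HSM-backed key vault (hypothetical; not a real
// Key Vault client). It holds the private half of the KEK and exposes only
// an Unwrap operation, so every decryption of a record leaves a log entry.
type Vault struct {
	kek *rsa.PrivateKey
	Log []string // audit trail of unwrap attempts, successful or not
}

// NewVault generates a 2048-bit RSA KEK whose private key never leaves the vault.
func NewVault() (*Vault, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Vault{kek: kek}, nil
}

// PublicKEK returns the public half, which is all the application needs to
// encrypt: wrapping a CEK never touches the vault and is therefore not logged.
func (v *Vault) PublicKEK() *rsa.PublicKey { return &v.kek.PublicKey }

// Unwrap decrypts a wrapped CEK inside the vault and records the attempt.
func (v *Vault) Unwrap(caller string, wrapped []byte) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.kek, wrapped, nil)
	status := "ok"
	if err != nil {
		status = "failed"
	}
	v.Log = append(v.Log, fmt.Sprintf("unwrap caller=%s status=%s", caller, status))
	return cek, err
}

// Record is what lands in the database: the ciphertext plus the wrapped CEK.
// The plaintext CEK is discarded as soon as the record is sealed.
type Record struct {
	WrappedCEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt generates a fresh 256-bit CEK for this record, seals the plaintext
// with AES-256-GCM, and wraps the CEK under the RSA-OAEP public KEK.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedCEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt asks the vault to unwrap the record's CEK (the only step needing the
// private KEK) and then opens the ciphertext locally; GCM rejects tampering.
func Decrypt(v *Vault, caller string, r *Record) ([]byte, error) {
	cek, err := v.Unwrap(caller, r.WrappedCEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample records; each one gets its own CEK.
	r1, _ := Encrypt(v.PublicKEK(), []byte("record 1: account 1001, balance 250.00"))
	r2, _ := Encrypt(v.PublicKEK(), []byte("record 2: account 1002, balance 999.99"))
	for _, r := range []*Record{r1, r2} {
		pt, err := Decrypt(v, "billing-svc", r)
		fmt.Printf("%s (err=%v)\n", pt, err)
	}
	for _, e := range v.Log {
		fmt.Println(e)
	}
}
```

Two properties of the layout are worth checking in your own deployment: a dump of the database alone yields only ciphertexts and wrapped keys, so it is useless without an unwrap call, and because the vault (not the application) writes the log, the audit trail of which caller decrypted which record survives a compromise of the application host.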
