Mastering Windows Network Forensics and Investigation
Chapter 17: The Challenges of Cloud Computing and Virtualization
Chapter Topics:
• Understand investigative implications when virtualization or cloud services are used
• Detect and acquire artifacts of virtualization applications
• Detect and acquire pertinent data from cloud services
What is Virtualization?
• Host-based – An environment that exists in specialized software within the host system, designed to emulate a wholly separate OS with its own resources
What is Virtualization?
• Server-based – Environment is installed on top of the host hardware layer to maximize system resources
• Hypervisor – makes virtualization possible
– Type 1 – bare metal
– Type 2 – hosted
What is Virtualization?
(Diagram: Type 1 vs. Type 2 hypervisor architecture.)
Incident Response
• What is the scope of the network?
• How is the environment configured?
• What machines have been compromised?
• What are their roles?
• Where are they?
Acquiring RAM
• Live host-based virtual environment – similar procedure as for the host system
• Methods
– FTK Imager Lite
– DumpIt
– Force VM snapshot
Forensic Analysis Techniques
• Identify the source of digital evidence
• Forensically acquire the digital evidence
• Analyze digital evidence
• Report on pertinent findings
Dead Host-Based VM
• Locate files used to build the virtual environment
• Acquire virtual disk (.vmdk) using forensic tools
– FTK Imager
Dead Host-Based VM
• Analyze *.vmsd file – Contains metadata about the specific VMs saved to the host system
• Acquire memory
– Locate *.vmem file
– Structured the same as RAM from a live system
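As an added example (not from the book or its authors), the following Python parser reads the .vmsd dictionary format (plain key = "value" lines) and lists the snapshot .vmsn, .vmem and .vmdk files an examiner would want to acquire from a dead host-based VM. The .vmsd content is constructed, and the rule that a snapshot's memory file shares the .vmsn file's stem is an assumption about VMware naming.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample .vmsd content (VMware key = "value" dictionary format).
SAMPLE_VMSD = '''snapshot.numSnapshots = "2"
snapshot0.uid = "1"
snapshot0.filename = "Win10-Snapshot1.vmsn"
snapshot0.displayName = "clean install"
snapshot0.disk0.fileName = "Win10.vmdk"
snapshot1.uid = "2"
snapshot1.parent = "1"
snapshot1.filename = "Win10-Snapshot2.vmsn"
snapshot1.displayName = "after suspect activity"
snapshot1.disk0.fileName = "Win10-000001.vmdk"
'''

ENTRY = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
SNAP_KEY = re.compile(r'^snapshot(\d+)\.(.+)$')

def parse_vmsd(text):
    """Return {key: value} for every key = "value" line; other lines are skipped."""
    return {m.group(1): m.group(2)
            for m in map(ENTRY.match, text.splitlines()) if m}

def snapshots(entries):
    """Group snapshotN.* keys into one dict per snapshot, ordered by N."""
    groups = defaultdict(dict)
    for key, value in entries.items():
        m = SNAP_KEY.match(key)
        if m:
            groups[int(m.group(1))][m.group(2)] = value
    return [groups[i] for i in sorted(groups)]

def artifacts_to_acquire(entries):
    """Files the .vmsd points at: each .vmsn, a .vmem assumed to share its stem
    (present only if memory was saved with the snapshot), and each disk .vmdk."""
    wanted = set()
    for snap in snapshots(entries):
        vmsn = snap.get("filename")
        if vmsn:
            wanted.add(vmsn)
            wanted.add(str(Path(vmsn).with_suffix(".vmem")))
        wanted.update(v for k, v in snap.items()
                      if k.startswith("disk") and k.endswith(".fileName"))
    return sorted(wanted)

if __name__ == "__main__":
    entries = parse_vmsd(SAMPLE_VMSD)
    print(artifacts_to_acquire(entries))
```

Run it against a real .vmsd read from the forensic image, then hash each listed file before and after copying to document the acquisition.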
Live Virtual Environment
• Structured the same as a traditional computer system
• Acquire logical or physical image of storage media using forensic tools
– FTK Imager
– EnCase
• Additional artifacts
– *.vmem (virtual memory)
– VM snapshots
Cloud Computing
• What is it? – “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources…” (NIST)
– Not new!
• Email
• Mainframe dummy terminals
• Services
– IaaS
• Rackspace, VMware vSphere
– SaaS
• Google Apps, Dropbox, iCloud
– PaaS
• AWS, SunCloud
Forensic Challenges
• Where is the evidence?
– Client level?
– Cloud service level?
– Underlying cloud server level?
– All of the above?
• Legal authority
– Jurisdictional obstacles
– Who will you serve the search warrant to? Where?