ch09

Uploaded by

Quang Minh Đỗ
Chapter 9

Cloud Forensics

1
Objectives

• Describe the main concepts of cloud computing


• Summarize the legal challenges in conducting cloud
forensics
• Give an overview of the technical challenges with cloud
forensics
• Describe how to acquire cloud data
• Explain how to conduct a cloud investigation
• Explain what remote access tools can be used for cloud
investigations

2
An Overview of Cloud Computing

3
An Overview of Cloud Computing

• The cloud has introduced ways of managing data that did not exist
five years ago
• Cloud investigations have unique challenges
• New standards are being developed to improve security
practices and incident responses in cloud environments

4
History of the Cloud

• Idea of cloud computing came from several people:


• Professor John McCarthy of MIT
• Dr. J.C.R. Licklider, director at the U.S. Department of Defense
Advanced Research Projects Agency (ARPA)
• In 1999, Salesforce.com developed a Web service that
applied digital marketing research to business
subscribers
• This service led the way to the cloud

5
History of the Cloud

• Amazon created Amazon Mechanical Turk in 2002


• Provided storage, computations, and human intelligence
• Started Elastic Compute Cloud (EC2) in 2006, aimed at
supporting small businesses
• After Web 2.0 in 2009, other providers started their own
cloud services
• Google Apps, Apple iCloud, Microsoft OneDrive, and more

6
Types of Cloud Computing Services

7
Infrastructure as a Service (IaaS)

• Advantages
• Dynamic infrastructure scaling
• Guaranteed uptime
• Automation of administrative tasks
• Elastic load balancing (ELB)
• Policy-based services
• Global accessibility
• Disadvantages
• Software security is at high risk (third-party providers are more
prone to attacks)
• Performance issues and slow connection speeds

8
Platform as a Service (PaaS)

• Advantages
• Simplified deployment
• Prebuilt business functionality
• Lower risk
• Instant community
• Pay-per-use model
• Scalability
• Disadvantages
• Vendor lock-in
• Data privacy
• Integration with the rest of the system applications

9
Software-as-a-Service (SaaS)

• Advantages
• Low cost
• Easier administration
• Global accessibility
• Compatible (Requires no special hardware or software)
• Disadvantages
• Security and latency issue
• Total dependency on the Internet
• Switching between SaaS vendors is difficult

10
Separation of Responsibilities in Cloud

On-Premises      IaaS             PaaS             SaaS
Applications     Applications     Applications     Applications
Data             Data             Data             Data
Runtime          Runtime          Runtime          Runtime
Middleware       Middleware       Middleware       Middleware
OS               OS               OS               OS
Virtualization   Virtualization   Virtualization   Virtualization
Servers          Servers          Servers          Servers
Storage          Storage          Storage          Storage
Networking       Networking       Networking       Networking

Subscriber Service Provider

11
Deployment Methods for a Cloud

Public Cloud: Accessible to anyone. Services are rendered over a
network that is open for public use

Private Cloud: Cloud infrastructure operates solely for a single
organization. Private cloud can be accessed only by people who have the
necessary credentials

Community Cloud: Shared infrastructure between several organizations
from a specific community with common concerns

Hybrid Cloud: Hybrid cloud enables a company to keep some
information private and designate other files as public or community
information

12
Cloud Computing Threats

• Data breach/loss
• Privilege escalation
• Abuse of cloud services
• Loss of business reputation due to co-tenant activities
• Insecure interfaces and APIs
• Natural disasters
• Insufficient due diligence
• Hardware failure
• Shared technology issues
• Supply chain failure
• Unknown risk profile
• Modifying network traffic
• Inadequate infrastructure design and planning
• Isolation failure
• Conflicts between client hardening procedures and cloud environment
• Cloud provider acquisition
• Loss of operational and security logs
• Management interface compromise
• Malicious insiders
• Network management failure
• Illegal access to cloud systems
• Authentication attacks

13
Cloud Computing Threats

• VM-level attacks
• Theft of computer equipment
• Lock-in
• Cloud service termination or failure
• Licensing risks
• Subpoena and e-discovery
• Loss of governance
• Improper data handling and disposal
• Loss of encryption keys
• Loss or modification of backup data
• Risks from changes of jurisdiction
• Compliance risks
• Economic Denial of Sustainability (EDoS)
• Undertaking malicious probes or scans

14
Cloud Computing Attacks

• Service Hijacking using Social Engineering Attacks
• Service Hijacking using Network Sniffing
• Session Hijacking using XSS Attack
• Session Hijacking using Session Riding
• Domain Name System Attacks
• Side Channel Attacks or Cross-guest VM Breaches
• SQL Injection Attacks
• Cryptanalysis Attacks
• Wrapping Attack
• DoS and DDoS Attacks

15
Cloud Vendors

• Salesforce
• IBM Cloud
• Cisco Cloud Computing
• Amazon EC2
• AT&T Synaptic
• Google Cloud Storage
• HP Helion
• Microsoft Azure

16
Cloud Forensics

• Cloud forensics is considered a subset of network forensics
• Cloud forensics can have three dimensions:
• Organizational - addresses the structure of the cloud
• Legal - covers service agreements and other jurisdictional
matters
• Technical - deals with procedures and specialized applications
designed to perform forensics recovery and analysis in the cloud
• Forensic investigations in the cloud involve, at a minimum, the
CSP and the client. The scope of the investigation
extends when the CSP outsources services to third
parties

17
Legal Challenges in Cloud Forensics

• When investigating a cloud system, consider factors
involving a CSP’s relationship with cloud users

Service level agreements (SLAs) - a contract between a CSP and the
customer that describes what services are being provided and at what
level. SLAs also specify support options, penalties for services not
provided, system performance, fees, and provided software or hardware

CSP components must state who is authorized to access data and what
limitations apply to conducting acquisitions for an investigation

18
Service Level Agreements

• SLAs define the scope of services the CSP provides:


• Service hours
• Restrictions applied to the customer by the CSP
• Availability of the cloud to the customer
• Levels of support for the customer
• Response time for data transfers
• Throughput, limitations
• Contingency plan for incident response
• Business continuity and disaster recovery plan
• Fees for the subscription to the cloud and fees for additional
services as they occur
• Security measures
• Terminology of the cloud’s systems and applications

19
Service Level Agreements

• Policies, Standards, and Guidelines for CSPs


• Digital forensics examiners should review CSPs’ policies, standards,
and guidelines for daily operations
• Policies - detailed rules for a CSP’s internal operation
• Standards - give guidance to staff for unique operations,
hardware, and software and describe the staff’s obligations in
security of the CSP environment
• Guidelines - describe best practices for cloud processes and give
staff an example of what they should strive to achieve in their
work

20
Service Level Agreements

• CSP Processes and Procedures - are detailed documents
that define workflow and step-by-step instructions for
CSP staff
• Often include hardware configuration diagrams, network maps,
and application processing flowcharts
• Digital forensics examiners can use them to understand how
data is stored, manipulated, secured, backed up, restored, and
accessed by CSP staff and customers
• Additional documents of interest:
• CSP business continuity and disaster recovery plans

21
Jurisdiction Issues

• No plans to revise current laws


• Many cross-jurisdiction legal issues haven’t been resolved
• No law ensures uniform access or required handling
procedures for the cloud
• Investigators should be concerned about cases involving
data commingled with other customers’ data
• Often, figuring out what law controls data stored in the
cloud is a challenge

22
Accessing Evidence in the Cloud

• Search Warrants
• Can be used only in criminal cases and must be requested by a
law enforcement officer who has evidence of probable cause
that a crime was committed
• Law requires search warrants to contain specific descriptions of
what’s to be seized
• For cloud environments, the property to be seized usually
describes data rather than physical hardware, unless the CSP is
the suspect
• Must also describe the location of items to be seized
• Difficult when dealing with cloud data because servers are
often dispersed across state or national borders
• Must establish how it will be carried out
• Specifying the date and time of day to minimize disruptions
to people and business operations

23
Technical Challenges in Cloud Forensics

• Architecture
• Data collection
• Analysis of cloud forensic data
• Anti-forensics
• Incident first responders
• Role management
• Legal issues
• Standards and training

24
Architecture

Deletion in the cloud: A CSP may not implement the methods needed to
retrieve information on deleted data in IaaS or PaaS delivery models

Recovering overwritten data: It is very difficult to recover data marked as
deleted, as it may get overwritten by another user sharing the same cloud

Interoperability issues among CSPs

Single points of failure and no single point of failure for criminals: The cloud
ecosystem has single points of failure, which may have an adverse impact on the
evidence acquisition process. Collecting and analyzing evidentiary data from
distributed and disparate sources is highly difficult, as criminals may choose one
CSP to store their data, a second CSP to obtain computing services, and a third
CSP to route all their communications

Detection of the malicious act: It is tough for an investigator to detect a
malicious act by identifying a series of small changes made across many systems
and applications

25
Architecture

Criminals’ access to low-cost computing power

Real-time investigation Intelligence processes

Malicious code may circumvent VM isolation methods: Vulnerabilities in server
virtualization allow malicious code to evade VM isolation methods and interfere
with either other guest VMs or the hypervisor itself

Multiple venues and geolocations

Lack of transparency: The cloud’s operational details are not clear enough to
investigators, which results in a lack of trust and difficulties in auditing

Criminals can hide in cloud: The distributed nature of cloud computing allows
criminal organizations to maintain isolated cells of operation and to preserve
the anonymity of each cell from the others

Cloud confiscation and resource seizure may often affect the business continuity
of other tenants

26
Architecture

Errors in cloud management portal configurations: Configuration errors in cloud
management portals may allow an attacker to gain control of, reconfigure, or
delete another cloud consumer's resources or applications

Potential evidence segregation: Segregating potential evidence pertaining to
one tenant in a multi-tenant cloud system is a challenge, as there are no
technologies that do it without breaching the confidentiality of other tenants

Boundaries and secure provenance: It is a challenge for investigators to maintain
proper chain of custody and security of data, metadata, and possibly hardware, as
determining ownership, custody, or exact location may be difficult

Data chain of custody: It is probably impossible to identify and validate a data
chain of custody due to the multilayered and distributed nature of cloud
computing

27
Data Collection

Decreased access and data: CSPs purposefully hide data location to ease data
movement and replication

Chain of dependencies: CSPs and most cloud apps rely on other CSP(s), and the
dependencies in a chain of CSP(s)/client(s) can be highly dynamic

Locating evidence: Locating and collecting evidence is a challenge because data
in the cloud may be quickly altered or lost, and because of a lack of knowledge
of where and how data is stored in the cloud

Data location

Imaging and isolating data

Data available for a limited time: Data collection and preservation of VM
instances is challenging due to the lack of standard practices and tools

Root of trust: Determining the reliability and integrity of cloud forensics data is a
challenge

28
Data Collection

Locating storage media: Locating storage media with certainty in a cloud
ecosystem is difficult as it requires in-depth understanding of the cloud
architecture and implementation

Dynamic storage: Often, CSPs dynamically allocate storage based on the
consumer's request. In this case, data collection is challenging because of the
dynamic allocation of storage, and systems that search storage after an item is
deleted

Live forensics: Validating the integrity of data collected is challenging as data
within the cloud is volatile and frequently changing

Application details are not available: Obtaining details of cloud-based
software/applications used to create records is challenging because such details
are usually unavailable to the investigator

Cryptographic key management: Decryption of data is challenging because
ineffective cryptographic key management makes it easier to lose the ability to
decrypt forensic data stored in the cloud

29
Log Collection

Decentralization of Logs

Evaporation of Logs: Once the VM instance is powered off the logs will vanish

Multiple Layers and Tiers: There are many layers and tiers in cloud architecture,
and logs are generated in each tier. These logs are valuable to the investigator,
but collecting them from different places is a challenge

30
Anti-Forensics

• Anti-forensics - destroying ESI that may be potential
evidence
• Hackers may use specialized malware for defeating
evidence collection
• Additional methods for anti-forensics
• Inserting malware programs in other files
• Using encryption to obfuscate malware programs activated
through other malware programs
• Using data-hiding utilities that append malware to existing files

31
Anti-Forensics

• Other techniques affect file metadata by changing the
modify and last access times
• Changing timestamps can make it difficult to develop a
timeline of a hacker’s activities
• Calculating hash values of files and comparing the results
with known good files’ hash values can help identify files
that might have been altered
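
The hash comparison described above, as an added example (not part of the original slides): it records a known-good baseline of SHA-256 hashes and modify times, then flags files whose content changed even though the modify time was put back. The directory contents and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash and modify time for every file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            baseline[str(path.relative_to(root))] = {
                "sha256": sha256_file(path),
                "mtime_ns": path.stat().st_mtime_ns,
            }
    return baseline


def compare_to_baseline(root, baseline):
    """Return (file, finding) pairs for everything that differs from the baseline."""
    current = build_baseline(root)
    findings = []
    for name, known in baseline.items():
        now = current.get(name)
        if now is None:
            findings.append((name, "missing"))
        elif now["sha256"] != known["sha256"]:
            # A changed hash with an identical modify time means the timestamp
            # cannot be trusted for timeline building.
            if now["mtime_ns"] == known["mtime_ns"]:
                findings.append((name, "content changed, modify time unchanged"))
            else:
                findings.append((name, "content changed"))
    for name in current.keys() - baseline.keys():
        findings.append((name, "new file"))
    return sorted(findings)


def demo():
    """Constructed scenario: one file altered with its times reset, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("quarterly figures v1\n")
        (root / "notes.txt").write_text("meeting notes\n")
        baseline = build_baseline(root)

        target = root / "report.txt"
        original = target.stat()
        target.write_text("quarterly figures v2\n")
        # Put the access and modify times back to their earlier values.
        os.utime(target, ns=(original.st_atime_ns, original.st_mtime_ns))
        (root / "extra.bin").write_bytes(b"\x00\x01")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```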

32
Incident First Responders

• CSPs have personnel trained to respond to network
incidents
• They become first responders when a network intrusion occurs
• When CSPs do not have an internal first responder team,
the forensics examiner should organize CSP staff to
handle these tasks

Competence and trustworthiness: For stakeholders, confidence, competence,
and trustworthiness of CSPs acting as first responders is a challenge as the
objectives and priorities of the CSPs may differ from those of the investigators

33
Role Management

• Role management in the cloud covers:


• Data owners
• Identity protection
• Users
• Access controls

Identifying account owner: Identifying the owner of an account is challenging
because the technology or policy does not support sufficient identification of the
owner of the account

Fictitious identities: Determining the actual identity of a cloud user (legitimate or
illegitimate) is challenging because criminals can often create accounts with fake
identities

34
Investigating Cloud Storage Services

1 Artifacts created during the installation process

2 Artifacts left behind after the uninstallation process

3 Information present in the database files

4 Artifacts created when a file is uploaded or downloaded

5 Artifacts left when a file is shared

6 Artifacts left behind after using anti-forensics software

7 Logs recorded and their accuracy

8 Other sources of information

35
Investigating Google Drive

• Google Drive is an online file storage and sharing service
from Google that supports sharing of different types of
files such as pictures, videos, documents, spreadsheets,
presentations, etc.
• The service supports various devices including desktops,
mobiles, etc. through different modes such as desktop
client, web portal, mobile application, etc.
• The users can also invite others to view, download and
collaborate on the files

36
Artifacts Left by Google Drive Web Portal

• To recover the deleted files in a Google Drive account:
• First, log in to the account
• Select the Trash folder from the left-side menu list of the
account
• Right-click the file to be restored and select the Restore
option from the menu
• Google Drive stores versions of a file when users edit
it and tracks whether the user moves a file to another location.
Using this feature, investigators can download
previous versions of the files modified
during the security incident

37
Artifacts Left by Google Drive Web Portal

• Google Drive stores logs of recent activities and
sorts the stored files in order of the activity performed
on them
• Investigators can check these features to view which files the
users or attackers last accessed and what kind of activity
they carried out on their visit

• View valuable information about a particular item by
selecting the item and clicking the information button
at the top right
• For each item, there are two panes: Details and Activity

38
Artifacts Left by Google Drive on Windows

• The default installation path of Google Drive client in
Windows 10 OS:
C:\Program Files (x86)\Google\Drive
• The default folder used in syncing:
C:\Users\<username>\Google Drive

39
Artifacts Left by Google Drive on Windows

• The installation creates various keys and values inside
the registry. From these registry changes, investigators can
determine the installed version and the user folder

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
HKCU\SOFTWARE\Google\Drive
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync
HKCU\SOFTWARE\Classes

40
Artifacts Left by Google Drive on Windows

• WhatChanged Portable is useful for checking program
installations. It is a system utility that scans for modified
files and registry entries
• First, take a snapshot to get the current state of the computer
before installing Google Drive client
• Second, run it again to check the differences since the previous
snapshot, after installing Google Drive client
• WhatChanged uses the 'brute force method' to check files and
the registry

41
Artifacts Left by Google Drive on Windows

• Configuration files are saved inside the installation folder
in the user profile
C:\Users\<username>\AppData\Local\Google\Drive\user_default

• Files created during Google Drive client installation:
C:\Users\<username>\Desktop\Google Drive.lnk
C:\Users\<username>\Links\Google Drive.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive\Google Drive.lnk
• Prefetch files are located at C:\Windows\Prefetch

42
Artifacts Left by Google Drive on Windows

• Use DB Browser to view evidentiary data in the
sync_config.db. Information includes
• Client version installed
• Local Sync Root path
• E-mail ID
• Use SQLite browsers to access
• snapshot.db
• sync_config.db
• Use DB Browser for SQLite to find information about
local entry and cloud entry in the snapshot.db, such as
file name, created, modified, removed, size, checksum,
shared, resource type, etc.

43
Artifacts Left by Google Drive on Windows

• Four files are created in the database path directory
C:\Users\<username>\AppData\Local\Google\Drive\user_default
after data is added and synced into Google Drive
• snapshot.db-shm
• snapshot.db-wal
• sync_config.db-shm
• sync_config.db-wal
• These files are temporarily created by SQLite, mainly
used for transaction logging such as rollback changes
when a transaction fails
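
An added example (not from the original slides) showing why the -wal and -shm files matter when examining snapshot.db or sync_config.db: rows that have not yet been checkpointed exist only in the -wal file, so a copy of the .db file alone can miss them. The database here is a constructed stand-in; the table name `cloud_entry` and its columns are assumptions, not the client's documented schema.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

SIDECARS = ("-wal", "-shm")  # suffixes of the temporary SQLite files listed above


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def make_working_copy(db_path, dest_dir, include_sidecars=True):
    """Copy the database, and optionally its -wal/-shm files, for examination."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    copy = dest_dir / Path(db_path).name
    shutil.copy2(db_path, copy)
    if include_sidecars:
        for suffix in SIDECARS:
            sidecar = Path(str(db_path) + suffix)
            if sidecar.exists():
                shutil.copy2(sidecar, str(copy) + suffix)
    return copy


def table_row_counts(db_copy):
    """Open the working copy read-only and count the rows in every table."""
    uri = Path(db_copy).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        conn.close()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        evidence = tmp / "evidence" / "snapshot.db"
        evidence.parent.mkdir()

        # Constructed database; the open connection plays the running sync client.
        writer = sqlite3.connect(evidence, isolation_level=None)
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("CREATE TABLE cloud_entry (filename TEXT, size INTEGER)")
        writer.execute("INSERT INTO cloud_entry VALUES ('budget.xlsx', 18432)")
        writer.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # now in snapshot.db
        writer.execute("INSERT INTO cloud_entry VALUES ('payroll.csv', 2048)")
        writer.execute("INSERT INTO cloud_entry VALUES ('contract.pdf', 90112)")
        # The last two rows exist only in snapshot.db-wal at this point.

        before = sha256_file(evidence)
        db_only = table_row_counts(
            make_working_copy(evidence, tmp / "copy_db_only", include_sidecars=False))
        with_wal = table_row_counts(
            make_working_copy(evidence, tmp / "copy_with_wal"))
        after = sha256_file(evidence)  # the original must be untouched

        writer.close()
        return db_only, with_wal, before == after


if __name__ == "__main__":
    db_only, with_wal, unchanged = demo()
    print("database file only:", db_only)
    print("database plus -wal/-shm:", with_wal)
    print("original hash unchanged:", unchanged)
```

Opening a WAL-mode database can create or rewrite its -wal and -shm files even on a read-only connection, which is why the queries run against working copies and the original is hashed before and after.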

44
Artifacts Left by Google Drive on Windows

• Information about client sync sessions can be
obtained from the sync_log.log file
• Information available includes sync sessions, files created,
files modified, and files deleted
• Open the sync_log.log file and search for the strings
RawEvent[CREATE, RawEvent[DELETE, and RawEvent[MODIFY.
These events help investigators cross-check
the information against details found on the client and
check for suspicious modifications
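
The cross-check described above, as an added example that is not part of the original slides. Only the three RawEvent marker strings come from the slide; the log lines, the timestamp prefix, the `path=` field layout, and the file names are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Marker strings as given on the slide. The leading timestamp and the
# "path=" field are an assumed layout used only for this constructed sample.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?RawEvent\[(?P<action>CREATE|DELETE|MODIFY),"
    r"\s*path=(?P<path>[^,\]]+)"
)

# Constructed sample log lines (not taken from a real client).
SAMPLE_LOG = r"""
2024-03-01 09:14:02 INFO RawEvent[CREATE, path=C:\Users\alice\Google Drive\budget.xlsx, is_dir=False]
2024-03-01 09:15:40 INFO RawEvent[MODIFY, path=C:\Users\alice\Google Drive\budget.xlsx, is_dir=False]
2024-03-01 09:20:11 INFO Sync session heartbeat
2024-03-01 23:02:57 INFO RawEvent[CREATE, path=C:\Users\alice\Google Drive\export.zip, is_dir=False]
2024-03-01 23:04:30 INFO RawEvent[DELETE, path=C:\Users\alice\Google Drive\export.zip, is_dir=False]
2024-03-02 08:01:00 INFO RawEvent[CREATE, path=C:\Users\alice\Google Drive\notes.txt, is_dir=False]
"""


def parse_events(log_text):
    """Extract (timestamp, action, path) records from lines carrying a RawEvent marker."""
    events = []
    for line in log_text.splitlines():
        match = EVENT_RE.match(line)
        if match:
            events.append({
                "ts": match["ts"],
                "action": match["action"],
                "path": match["path"].strip(),
            })
    return events


def cross_check(events, files_on_disk):
    """Compare the last logged state of each path with what is in the sync folder."""
    last = {}
    for event in events:  # the log is in chronological order
        last[event["path"].casefold()] = event  # Windows paths ignore case
    on_disk = {path.casefold(): path for path in files_on_disk}

    findings = []
    for key, event in last.items():
        if event["action"] == "DELETE" and key in on_disk:
            findings.append((event["path"], "logged DELETE but present on disk"))
        elif event["action"] != "DELETE" and key not in on_disk:
            findings.append((
                event["path"],
                f"last logged {event['action']} at {event['ts']} but missing on disk",
            ))
    for key, path in on_disk.items():
        if key not in last:
            findings.append((path, "on disk with no log event"))
    return sorted(findings)


def demo():
    events = parse_events(SAMPLE_LOG)
    # Constructed listing of the sync folder at examination time.
    disk = [
        r"C:\Users\alice\Google Drive\budget.xlsx",
        r"C:\Users\alice\Google Drive\plan.docx",
    ]
    return Counter(e["action"] for e in events), cross_check(events, disk)


if __name__ == "__main__":
    counts, findings = demo()
    print(dict(counts))
    for path, finding in findings:
        print(f"{path}: {finding}")
```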

45
Disk Pulse

• Disk Pulse is a disk change monitoring solution allowing
investigators to (i) monitor changes in one or more disks and
directories, (ii) send e-mail notifications, (iii) save various types of
reports, (iv) generate statistical pie charts, (v) export detected
changes to an SQL database, (vi) send error messages to the system
event log, and (vii) execute custom commands when a user-specified
number of changes is detected

46
Directory Monitor

• Directory Monitor can be used by the investigators for the
surveillance of certain directories and/or network shares and will
notify the investigator of file changes/access, deletions,
modifications, and new files in real-time. Users and processes
making the changes can also be detected

47
Artifacts Left by Google Drive on Windows

• If the Google Drive client is installed on the PC, it is
possible to find information about the sessions in RAM
using tools such as RAM Capturer and HxD

48
Artifacts Left by Google Drive on Windows

• Uninstalling the Google Drive Client application
• Removes the client config folder (sync_config.db)
• Sync_log.log entries are identified from unallocated space
• Does not delete the local copy of the file
• Preserves the Prefetch files even after uninstallation
• It is possible to recover information from
• Registry keys of recent files
• LINK files
• Browser history and cache
• Thumbnails
• Registry Point/Volume Shadow Copies
• Pagefile.sys
• Hiberfil.sys

49
Investigating OneDrive

• OneDrive - created by Microsoft and was originally
called SkyDrive
• Available with Windows 8
• Similar to DropBox and Google Drive and offers subscription
services for Microsoft software
• OneDrive stores user profiles in the user’s account path
• Log files and synchronized files are kept in various places
under the user’s account (depending on the Windows
version)

50
Investigating OneDrive

• More information can be found in the following folder
C:\Users\<username>\AppData\Local\Microsoft\Windows\SkyDrive\logs

• SyncEngine-yyyy-mm-ddnn.nnn-n.etl manages synchronization
between OneDrive and a user’s computer
• SyncDiagnostics.log contains client ID, clientType, clientVersion,
device, deviceID, and timeUtc values

51
Investigating Dropbox

• Dropbox is an online application that allows users to
store their files in the cloud and share them when required
• Users can access and use Dropbox through the website,
the desktop application, or the mobile application. In each
case, Dropbox creates artifacts on the system that
may provide relevant information for the forensic
investigation
• The Dropbox servers also save information such
as account history, a user's file history, and logs. These
artifacts and log files can help the investigator in
conducting a detailed forensic analysis

52
Artifacts Left by Dropbox Web Portal

• Log in to the user's Dropbox profile and access
information about deleted files. For the free version, only
files deleted in the last 30 days can be recovered. For the
commercial version, all the deleted files can be recovered
• Dropbox stores certain information that helps
investigators during an investigation
• Last browser sessions
• Devices linked with the Dropbox
• Apps linked with the Dropbox
• To view it, click the username at the top right, then select
Settings and Security from the menu

53
Artifacts Left by Dropbox Web Portal

Version history for each file

54
Artifacts Left by Dropbox Web Portal

• Dropbox contains an event log feature that records
activities performed on Dropbox folders
• Investigators can use this feature to track the account activities
• This feature will reveal details such as connected accounts,
accounts that made the changes, type of action, targets of the
action and the time of action
• Steps
• In the Dropbox web portal homepage, select the Events option
from the right-side menu list
• The site will navigate to the events page, which will display
events and related details such as time and date of the event,
account that performed it, actions performed, and file or folders
modified

55
Artifacts Left by Dropbox on Windows

• On Windows 10 OS, by default Dropbox client is
installed at C:\Program Files (x86)\Dropbox
• The default folder used for syncing files:
C:\Users\<username>\Dropbox

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt(n)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox
HKLM\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher
HKLM\SOFTWARE\Dropbox\InstallPath
HKLM\SOFTWARE\Dropbox\Client\Version

56
Artifacts Left by Dropbox on Windows

• WhatChanged Portable is useful for checking program
installations. It is a system utility that scans for modified
files and registry entries
• First, take a snapshot to get the current state of the computer
before installing Google Drive client
• Second, run it again to check the differences since the previous
snapshot, after installing Google Drive client
• WhatChanged uses the 'brute force method' to check files and
the registry

57
Artifacts Left by Dropbox on Windows

• Configuration files are saved inside the installation folder
in the user profile
C:\Users\<username>\AppData\Local\Dropbox\instance(n)

• Files created during Dropbox client installation:
C:\Users\<username>\Desktop\Dropbox.lnk
C:\Users\<username>\Links\Dropbox.lnk
C:\Windows\Prefetch\DROPBOX.EXE-1AFC8E96.pf
C:\Windows\Prefetch\DROPBOX.EXE-EBC41F124.pf
C:\Windows\Prefetch\DROPBOXCLIENT_3.14.7.EXE-67CA8E4C.pf

58
Artifacts Left by Dropbox on Windows

config.db: Holds information about the local Dropbox installation and account.
Lists the email IDs linked with the account, the current version/build of the local
application, the host_id, and local path information

filecache.db: Consists of several columns, of which "file_journal" is important: a
list of all directories and files inside "Dropbox". It appears to list existing
files, not deleted ones.

sigstore.db: Records the SHA-256 hash and each file's size information, but no
names etc.

host.db: Plain text file containing hash value(s) of usernames

unlink.db: Binary/database file

.dropbox.cache: A hidden directory located at the root Dropbox folder that is
used as a staging area for downloading and uploading files

59
Artifacts Left by Dropbox on Windows

• MAGNET IEF can be used by forensics professionals to
find, analyze, and report on the digital evidence from
computers, smartphones, and tablets
• It can recover evidence from a variety of data sources
and integrate them into a single Magnet IEF case file

60
Artifacts Left by Dropbox on Windows

• It is possible to view changes to the Dropbox using tools
such as Disk Pulse, Directory Monitor, etc.
• RAM contents can be dumped and analyzed using RAM
Capturer and HxD
• Investigators can trace the path of filecache.dbx by
searching the RAM dump in a hex editor for the string
filecache.dbx, use the string server_time to trace the
server time of a particular instance, and use the string
updated/deleted to find the updated and deleted files
• In the case of web-based Dropbox, it is possible to find the
username and password in clear text in the RAM dump using
the strings login_email and login_password

61
Artifacts Left by Dropbox on Windows

• Uninstalling the Dropbox Client application


• Removes the client config folder
• Does not delete the local copy of the file
• Preserves the registry key HKLM\SOFTWARE\Dropbox (but
without values)
• Preserves the Prefetch files even after uninstallation
• It is possible to recover information from
• Registry keys of recent files
• LINK files
• Browser history and cache
• Thumbnails
• Registry Point/Volume Shadow Copies
• Pagefile.sys
• Hiberfil.sys

62
Summary

• CSPs should have an incident response team ready to
respond to network intrusions
• Role management defines the duties of CSP staff and
customers
• The Cloud Security Alliance is developing resources that
guide CSPs in privacy agreements and security measures
• Procedures for acquiring cloud evidence include
examining network and firewall logs, performing disk
acquisitions of a cloud system’s OS, and examining data
storage devices

63
Summary

• When investigating a cloud incident, apply a systematic
approach to planning and processing the case
• The three cloud services Dropbox, Google Drive, and
Microsoft OneDrive contain data on a user’s computer
or mobile device that can reveal what files were copied
or accessed
• Vendors offer tools that can be combined for cloud
forensics

64
