Mastering Windows Network Forensics and Investigation Chapter 17: The Challenges of Cloud Computing and Virtualization

Upload: carmella-newton

Post on 19-Jan-2016


Page 1: Mastering Windows Network Forensics and Investigation Chapter 17: The Challenges of Cloud Computing and Virtualization

Mastering Windows Network Forensics and Investigation

Chapter 17: The Challenges of Cloud Computing and Virtualization

Page 2

Chapter Topics:

• Understand investigative implications when virtualization or cloud services are used

• Detect and acquire artifacts of virtualization applications

• Detect and acquire pertinent data from cloud services

Page 3

What is Virtualization?

• Host-based – an environment that exists in specialized software within the host system, designed to emulate a wholly separate OS with its own resources

Page 4

What is Virtualization?

• Server-based – the environment is installed on top of the host hardware layer to maximize system resources

• Hypervisor – makes virtualization possible

 – Type 1 – bare metal
 – Type 2 – hosted

Page 5

What is Virtualization?

• Type 1

• Type 2

Page 6

Incident Response

• What is the scope of the network?
• How is the environment configured?
• What machines have been compromised?
• What are their roles?
• Where are they?

Page 7

Acquiring RAM

• Live host-based virtual environment – similar procedure as for the host system

• Methods
 – FTK Imager Lite
 – DumpIt
 – Force a VM snapshot

Page 8

Forensic Analysis Techniques

• Identify the source of digital evidence
• Forensically acquire the digital evidence
• Analyze the digital evidence
• Report on pertinent findings

Page 9

Dead Host-Based VM

• Locate the files used to build the virtual environment
• Acquire the virtual disk (.vmdk) using forensic tools
 – FTK Imager

Page 10

Dead Host-Based VM

• Analyze the *.vmsd file – contains metadata about the specific VMs saved to the host system

• Acquire memory – locate the *.vmem file
 – Structured the same as RAM from a live system
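The script below is an added example and is not code from the book or its authors. It automates the dead host-based VM steps of pages 9 and 10: walk a suspect directory for the files that make up a VMware-style VM, parse the key = "value" syntax shared by .vmx and .vmsd files to rebuild the snapshot chain (which .vmsn state file and which .vmdk belong to each snapshot), hash every artifact into an acquisition manifest, and check that the .vmem is exactly the memsize declared in the .vmx, since a .vmem laid out like live RAM should match the guest's configured memory. The file names and the tiny VM directory built by make_sample_vm() are constructed for the demo; in a real case the script would be pointed at a forensic copy of the host's storage, never at the live host.

```python
"""Added example (not from the book): inventory a dead host-based VM's files,
parse the .vmsd snapshot metadata, hash artifacts for an acquisition manifest
and sanity-check the .vmem against the configured guest RAM.
Assumes VMware Workstation-style file names (.vmx/.vmdk/.vmsd/.vmem/.vmsn)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File types the chapter names, plus the .vmx and .vmsn files that sit beside them.
VM_ARTIFACTS = {
    ".vmx":  "VM configuration (memsize, disk mapping)",
    ".vmdk": "virtual disk: image with FTK Imager or similar",
    ".vmsd": "snapshot metadata (which .vmsn/.vmdk belong to which snapshot)",
    ".vmem": "saved guest RAM, laid out like a live memory capture",
    ".vmsn": "snapshot state file",
}

# .vmx and .vmsd share one line syntax:  key = "value"
_KV_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmware_kv(path):
    """Return the key/value pairs of a .vmx or .vmsd file as a dict."""
    pairs = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _KV_LINE.match(line)
            if m:
                pairs[m.group(1)] = m.group(2)
    return pairs


def snapshots_from_vmsd(vmsd):
    """Rebuild the snapshot chain: uid, name, parent, state file and disks per snapshot."""
    count = int(vmsd.get("snapshot.numSnapshots", "0"))
    snaps = []
    for i in range(count):
        p = f"snapshot{i}."
        disks = [vmsd[k] for k in sorted(vmsd)
                 if k.startswith(p + "disk") and k.endswith(".fileName")]
        snaps.append({"uid": vmsd.get(p + "uid"), "name": vmsd.get(p + "displayName"),
                      "parent": vmsd.get(p + "parent"),
                      "state_file": vmsd.get(p + "filename"), "disks": disks})
    return snaps


def sha256_file(path):
    """Hash in 1 MiB chunks so multi-GB .vmdk/.vmem files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Walk root and list every VM artifact with size and SHA-256 (the acquisition manifest)."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        kind = VM_ARTIFACTS.get(p.suffix.lower())
        if p.is_file() and kind:
            found.append({"path": str(p), "kind": kind,
                          "size": p.stat().st_size, "sha256": sha256_file(p)})
    return found


def check_vmem_size(vmx_path, vmem_path):
    """memsize in the .vmx is in MiB; the .vmem should be exactly that many bytes.
    A mismatch points at a partial, stale or unrelated file (assumes no memory hot-add)."""
    expected = int(parse_vmware_kv(vmx_path)["memsize"]) * 1024 * 1024
    actual = os.path.getsize(vmem_path)
    return expected == actual, expected, actual


def make_sample_vm():
    """Construct a tiny fake VM directory (4 MiB guest) for the demo; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="vm-demo-"))
    (root / "Win10.vmx").write_text('.encoding = "windows-1252"\nmemsize = "4"\n'
                                    'displayName = "Win10"\nscsi0:0.fileName = "Win10.vmdk"\n')
    (root / "Win10.vmsd").write_text(
        '.encoding = "UTF-8"\nsnapshot.lastUID = "2"\nsnapshot.current = "2"\n'
        'snapshot0.uid = "1"\nsnapshot0.filename = "Win10-Snapshot1.vmsn"\n'
        'snapshot0.displayName = "Clean install"\nsnapshot0.numDisks = "1"\n'
        'snapshot0.disk0.fileName = "Win10.vmdk"\nsnapshot0.disk0.node = "scsi0:0"\n'
        'snapshot1.uid = "2"\nsnapshot1.filename = "Win10-Snapshot2.vmsn"\n'
        'snapshot1.displayName = "Before suspicious download"\nsnapshot1.parent = "1"\n'
        'snapshot1.numDisks = "1"\nsnapshot1.disk0.fileName = "Win10-000001.vmdk"\n'
        'snapshot1.disk0.node = "scsi0:0"\nsnapshot.numSnapshots = "2"\n')
    (root / "Win10.vmdk").write_bytes(b"\0" * 512)                 # placeholder disk bytes
    (root / "Win10-Snapshot1.vmsn").write_bytes(b"\0" * 64)        # placeholder state bytes
    (root / "Win10.vmem").write_bytes(b"\0" * 4 * 1024 * 1024)     # 4 MiB == memsize
    return str(root)


def demo():
    """Run the whole workflow over the constructed VM directory and return the findings."""
    root = make_sample_vm()
    files = inventory(root)
    snaps = snapshots_from_vmsd(parse_vmware_kv(os.path.join(root, "Win10.vmsd")))
    ok, expected, actual = check_vmem_size(os.path.join(root, "Win10.vmx"),
                                           os.path.join(root, "Win10.vmem"))
    return {"files": files, "snapshots": snaps, "vmem_ok": ok,
            "vmem_expected": expected, "vmem_actual": actual}


if __name__ == "__main__":
    result = demo()
    for f in result["files"]:
        print(f'{f["size"]:>10} {f["sha256"][:16]}  {f["path"]}  ({f["kind"]})')
    for s in result["snapshots"]:
        print(f'snapshot uid={s["uid"]} parent={s["parent"]} "{s["name"]}" '
              f'-> {s["state_file"]} disks={s["disks"]}')
    print("vmem size matches memsize:", result["vmem_ok"])
```

The snapshot chain matters because a snapshot's .vmdk delta (here the constructed Win10-000001.vmdk) only makes sense together with its parent disk and its .vmsn state file; acquiring the base .vmdk alone would miss everything the guest wrote after the snapshot. Hashing at inventory time gives a reference to re-verify after the files are copied to evidence storage.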

Page 11

Live Virtual Environment

• Structured the same as a traditional computer system

• Acquire a logical or physical image of the storage media using forensic tools
 – FTK Imager
 – EnCase

• Additional artifacts
 – *.vmem (virtual memory)
 – VM snapshots

Page 12

Cloud Computing

• What is it? – “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources…” (NIST)

 – Not new!
  • Email
  • Mainframe dummy terminals

• Services
 – IaaS
  • Rackspace, VMware vSphere
 – SaaS
  • Google Apps, Dropbox, iCloud
 – PaaS
  • AWS, SunCloud

Page 13

Forensic Challenges

• Where is the evidence?
 – Client level?
 – Cloud service level?
 – Underlying cloud server level?
 – All of the above?

• Legal authority
 – Jurisdictional obstacles
 – Who will you serve the search warrant to? Where?