A functional Architecture for a Cloud Forensic Readiness Large-scale Potential Evidence Analysis

14th European Conference on Cyber Warfare and Security ECCWS-2015

Victor R. Kebande
Prof Hein S. Venter, Advisor
ICSA Research Lab, Department of Computer Science, University of Pretoria, South Africa

Objectives
• Introduce a novel forensic readiness technique in the cloud
• Set the scene for readiness in the cloud
• Present a modelled readiness approach in the cloud [ref ISO 27043]
• Propose a suitable way of analysing “large-scale potential evidence” captured for forensic purposes

Agenda
• Definitions
• Scope
• Problem
• Contribution
• Threats
• Conclusion
• Future work
• Thank you

Definitions
• Digital Forensics: the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources.
• Cloud Computing: any computing service provided over the Internet or a similar network. It lets you keep information on a remote server (the cloud) instead of trapped in a computer; you can access your data from a smartphone, a tablet, a laptop, or a desktop.
• Digital Forensic Readiness: preparedness to gather, store, and handle your incident response data; maximising the use of digital evidence while minimising the cost of a digital forensic investigation.
• Digital Evidence: digital evidence is electronically stored records, facts, signs or information of probative value that shows clearly that an event occurred or that a crime has been committed. [hypothesis creation]

Scope
• Planning and preparing (proactive process): forensic readiness planning should be done before incidents are detected. Incident response planning may include identifying PDE (potential digital evidence) sources, pre-incident collection processes, and planning pre-incident detection and incident detection.
• Security incidents: an incident is some event at a particular time and place. An incident can occur anywhere.
• Forensic acquisition and identification: proper post-event response processes should be set in place if an incident is detected, mainly after incident identification.
• Digital forensic investigation: investigative processes (reactive process).

Problem/Question
• What is the easiest way of conducting digital forensic readiness in the cloud environment?
• How can the captured large-scale potential digital evidence be analysed timeously and efficiently for DFR purposes?

Block diagram of DFR Model: overview [figure]

Proposed Architecture
• Based on the Hadoop/MapReduce framework
• Collects digital evidence from the cloud proactively
• Retrieves large-scale PDE by parallelising forensic workloads
• Digital forensic readiness is achieved based on the ISO/IEC 27043 standard
• Has an incident response layer

High-Level View [figure]

Detailed View
• Forensic Database
• Forensic MapReduce Task
• Digital Forensic Readiness Module
• Incident Response
• End-user Functions
• Management Functions

Detailed View [figure]

Threats
• Legal authority
• Chain of custody
• Forensically sound evidence

Some of the encountered challenges have been documented by NIST NCC FSWD, July 2014.

Limitations
• Due to the lack of SOPs in the cloud, multi-jurisdictional issues and cross-cutting jurisdiction, at the time of preparing this slide the work is focused on a private cloud.

Current Work
We are currently developing a prototype to do the following:
1. Use an NMB to “infect” [not cynical] VMs and collect potential digital evidence
2. Encrypt the collected information
3. Store the collected evidence
4. Provide the sequence of events, including time-stamping
All of these are for forensic readiness purposes.
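Worked example of the Forensic MapReduce Task and of prototype steps 3 and 4 (store the evidence; provide the time-stamped sequence of events), added here and not code from the paper or its prototype: a Python simulation of the map and reduce stages over constructed VM event records, with a per-VM SHA-256 hash chain standing in for the chain-of-custody control. It assumes the record format shown in the code and leaves encryption of the stored evidence (step 2) to the storage layer.

```python
import hashlib
from collections import defaultdict

GENESIS = "0" * 64  # chain value before a VM's first event

# Constructed sample records, as a collection agent on each VM might forward
# them: "vm_id|ISO-8601 UTC timestamp|event kind|detail". Not real data.
RAW_RECORDS = [
    "vm-02|2015-03-10T08:01:07Z|ssh_login|user=admin src=10.0.0.5",
    "vm-01|2015-03-10T08:00:12Z|process_start|cmd=/usr/bin/curl",
    "vm-01|2015-03-10T07:59:58Z|ssh_login|user=root src=10.0.0.9",
    "vm-02|2015-03-10T08:01:30Z|process_start|cmd=/bin/nc",
]

def link(prev, digest):
    # One chain step: hash of the previous link and this record's digest.
    return hashlib.sha256(f"{prev}{digest}".encode()).hexdigest()

def map_record(line):
    # Map phase: emit (vm_id, event); the digest covers the raw line.
    vm_id, ts, kind, detail = line.split("|", 3)
    digest = hashlib.sha256(line.encode()).hexdigest()
    return vm_id, {"ts": ts, "kind": kind, "detail": detail, "digest": digest}

def reduce_vm(vm_id, events):
    # Reduce phase: sort by timestamp (ISO UTC strings sort as text), then chain digests.
    ordered = sorted(events, key=lambda e: e["ts"])
    prev = GENESIS
    for seq, e in enumerate(ordered, 1):
        e["seq"] = seq
        e["chain"] = prev = link(prev, e["digest"])
    return {"vm": vm_id, "events": ordered, "chain_head": prev}

def run_forensic_job(lines):
    # Driver: map -> group by VM (the shuffle) -> reduce, one result per VM.
    grouped = defaultdict(list)
    for line in lines:
        vm_id, event = map_record(line)
        grouped[vm_id].append(event)
    return {vm: reduce_vm(vm, evs) for vm, evs in grouped.items()}

def verify_chain(result):
    # Recompute each digest and link from stored fields; False on any change.
    prev = GENESIS
    for e in result["events"]:
        raw = f"{result['vm']}|{e['ts']}|{e['kind']}|{e['detail']}"
        if link(prev, hashlib.sha256(raw.encode()).hexdigest()) != e["chain"]:
            return False
        prev = e["chain"]
    return prev == result["chain_head"]
```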

Future Work
• A prototype that collects, caches, analyses and reconstructs traffic.

Thank you