Read an Excerpt
Digital Forensics for Network, Internet, and Cloud ComputingA Forensic Evidence Guide for Moving Targets and Data
By Terrence V. Lillard Clint P. Garrison Craig A. Schiller James Steele
SYNGRESSCopyright © 2010 Elsevier Inc
All right reserved.
Chapter OneWhat Is Network Forensics?
INFORMATION IN THIS CHAPTER
* Introduction to Cloud Computing
* Introduction to the Incident Response Process
* Investigative and Forensics Methodologies
* Where Network Forensics Fits In
The modern computer environment has moved past the local data center with a single entry and exit point to a global network comprising many data centers and hundreds of entry and exit points. This business and service migration to remote data centers, where computing and storage are rented from a larger company, is referred to as cloud computing. Companies and people have realized great benefits that result from the use of cloud computing systems – not only in terms of productivity, but also in access to high-speed systems for managing very large data sets in ways that would be financially impossible for some small and midsized companies. Larger companies have also realized the benefits of cheap utility cloud computing as these companies migrate critical databases, transactional processing systems, and software packages to a rented space in a data center that can be anywhere in the world. This migration also has complications for information security, as we traditionally understand the information security process, both procedurally and legally.
The typical data center, locally or within traveling distance, that could have systems physically accessed is quickly becoming a process of the past that will continue to challenge all sections of the information security industry. Computer systems and network forensics are influenced by the change from local data centers to remote data centers, where access is not physically possible. Virtualization has also changed the nature of computer security and computer forensics in relationship to how computers are viewed, when dealing with an actual security incident. This means that there will continue to be changes in how computer security and forensics investigations are completed, when some or all of the system is not physically accessible. It is not possible to think now that one physical device will only have one operating system that needs to be taken down for investigation. The physical server can have many virtual servers running on the physical hardware and those virtual servers might not even belong to the same company or service. The nature and process of computer forensics need to address these new changes along with changes in how law enforcement is involved with physical systems seizure in the event of a major crime.
There is no longer a solid "security perimeter" (Perrin, 2008) as information security people were taught even as recently as 2 years ago. The security perimeter has become any place on any device where people access the network and systems services that the company provides. The flexibility in what has become the new "security perimeter" is attributable to the many ways that we consume data on many different types of devices worldwide. In the world of networked services and systems, data and services are consumed over the Internet that will complicate any computer security investigation. The enterprise class systems that are migrating to the cloud computing platform with services, either Web or otherwise, accessible through a browser or custom application have to be well secured and protected against misuse or theft. There are also legal and compliance issues that need to be addressed in relation to the data and data systems that are being migrated to the cloud computing environment.
Cloud computing will require a change to corporate and security policies concerning remote access and the use of the data over a browser, privacy and audit mechanisms, reporting systems, and management systems that incorporate how data is secured on a rented computer system that can be anywhere in the world. It is the full context of the cloud computing system that a company is using that makes for a complex and challenging security environment and that defines the modern security perimeter. The security perimeter now must be viewed as a series of systems (hardware and operating system packages in a virtualized environment), data, access rules and policies which govern the data and access, as well as incident response that only tend to complicate the architecture and support processes. This "deperimeterization" (Pieters & Van Cleef, 2009) requires a completely new approach to not only how systems are programmed, but also how information security is conducted. These changes have yet to be addressed by best practices, although larger cloud service providers are starting to meet the needs of the industry. Over time, this will include how companies can truly address network and computer forensics in a cloud computing environment.
Network forensics in the cloud computing environment could be focused only on data that go to and from the systems that the company has access to, but that would miss the rest of the picture. Network forensics needs to be part of and work with all the other components that comprise the entire system within the cloud environment. Without the network forensics investigator, understanding the architecture of the cloud environment systems and possible compromises will be overlooked or missed. The network forensics investigator also needs to understand that the cloud environment is the space that the company rents on another company's computer systems to perform the work. The rented space in the cloud can be in a globally connected data center with many other companies where the user network entry point can be at any point on the Internet. Data in the cloud environment can be replicated to any data center in the world that is owned and operated by the cloud provider. The cloud providers have their own series of policies, security systems, hardware, and software packages that are independent of what a company is doing in the cloud space. Cloud computing customers may or may not have access to the data that relates to them specifically if a computer is suspected to have been compromised by a hacker or if data is stolen by an insider or outsider.
This complex series of interlinkages between the cloud provider and the cloud consumer provides a fertile ground for hackers and criminals who want to hack into systems for their own purposes. This also provides a fertile ground for insiders as well because the cost of setting up a cloud computer is so cheap. With about $40 a month, a full cloud server can be set up to be used for any purpose by anyone with a credit card. Simple programs like WinSCP can be used to access that cloud computer, or if configured, it can simply be like any other File Transfer Protocol (FTP) server on the Internet meaning that any FTP client including a Windows mounting process can be used to drop data on the cloud server. Some companies like drop box and Mozy offer this service for free up to 2 GB of information per user e-mail address. The cost for not understanding the network forensics in a cloud computing environment can be devastating for a company if their data is lost or stolen by an employee. Cloud computing, with its assets and limitations, can also be a difficult environment for traditionally trained information security professionals to understand just how porous the network has become and how traditional forensics does not fit completely into a globally distributed cloud computing environment.
INTRODUCTION TO CLOUD COMPUTING
Cloud computing can be thought of as a simple rental of computer space in another company's data center. This implies that a company has control over some aspects of its systems depending on which cloud service that the company has bought. However, there is a lack of total control of the company's computing systems that the company would have in a traditional data center or computing environment. This requires a necessary shift in how a company addresses information security through controls, policies, and technical solutions because total control of the computing and networking assets is not possible in the cloud computing environment. Pragmatically, in cloud computing, a company is simply purchasing a virtual machine in someone else's data center.
The cloud service provider also has a set of inherent strengths and weaknesses that comes with the design philosophy that the cloud service provider had when it designed its systems. These design and architectural decisions on the part of the cloud service provider put limitations on what can and cannot be done in a forensics analysis of an event level that a company might engage in if it thinks that it has lost data or its cloud systems were compromised. It is important that the network forensics investigator and any information security person understand these design considerations that went into the cloud service provider's architecture. Amazon, Rackspace, and Microsoft Azure all have significantly different design philosophies that went into how they provide cloud computing services that will complicate any network forensics process that is taken by a company, which suspects that its cloud systems have been hacked.
With Amazon Web Services (AWS), you are purchasing an "Amazon Machine Image" (AMI) that is either Linux or Windows. You can run that virtual machine and do anything you want to do with it; you own it from the operating system on up. You do not own the network infrastructure, and you neither own the firewalls in the data center, nor do you own any of the supporting hardware below the operating system. However, you do own the entire virtualized machine, either Linux or Windows, and can do anything you want to do within the confines of that virtualized system. This is much the same setup that companies have internally in their own virtualized systems in their own company-controlled data centers. This also makes migration of tools and applications easier for traditional security tools that need to make changes to the registry of a computer system to operate. The key to note with Amazon is that once the virtualized server has been shut down, it is essentially lost and there is no way to retrieve that image, so it is very important to never shut down an image that is currently being investigated by a computer forensics or network forensics team. (More information on AWS can be obtained at http://aws.amazon.com/.)
With Microsoft Azure, you own everything above the operating system and cannot alter anything in the operating system, including the registry. Any program that is installed on the system can only be installed as an XCopy (Chappell, 2009a), in that the software cannot make any changes to the registry of the computer, or will require a deeper integration into the operating system as most Windows-based software at this time does. In Azure, you cannot debug an application within the Azure framework to see if it has been doing something it should not do over the network (Chappell, 2009b). Rather, Azure is framed in support of Web services only and it requires a new approach to thinking about programming, as well as traditional software including failover and the sudden loss of a computer system. The use of Azure will speed up operations for transactional and scalable systems, but much like Amazon, once the image has been taken down or stopped, it is no longer available for analysis.
Rackspace Cloud follows the same design principles as AWS, but is only Linux rather than a mixture of server operating systems (The Rackspace Cloud F.A.Q., 2010). Much like Amazon, you are given a simple virtual machine so that you can do anything you want to do with it. Rackspace is more flexible with dynamic resizing and processing of the system that the company is renting, but because of the use of the single operating system, the typical mixed environment of a larger company does not exist. Like all other primary cloud service providers, once the virtual machine is turned off, it cannot be recovered and it is simply lost.
The platform and hosting service that a company purchases for cloud computing is an essential decision point for network forensics. When making a decision on what provider to use, it is also important to understand how cloud computing works, what can be done with it, and what cannot be done with cloud computing. Some processes are going to be excellent in a cloud computing environment, such as transaction processing, scalable Web services, and scalable Web servers. Cloud computing is also very good at raw horsepower when a large number of computations need to be made, or huge terabyte-size databases need to be reviewed for business intelligence or for information security log file data mining. The inherent limitations of cloud computing also need to be equally understood if network and computer forensics are to be successful in this environment. The decision to use a cloud service provider has to be reviewed not only in terms of what services the cloud service offers, but also in terms of how the company purchasing the cloud computing services decides to use it. These decisions have direct implications on how network and systems forensics will be conducted. It is important that the security department has a voice at the table when a company is looking for a cloud service provider because the security department will need to be able to construct and build security services and monitoring services based on the cloud service provider that is chosen. However, there are commonalities among all the cloud service providers that the security department and the forensics personnel can fall back on regardless of what cloud service provider is chosen by a company. In some cases, regardless of the provider, the virtualized environment will complicate, and in some cases, it will reduce the effectiveness of network-based forensics. The cloud service provider commonalities are as follows:
* There is no access to network routers, load balancers, or other networkbased components.
* There is no access to large firewall installations – the closest firewall is the one that is on board the operating system itself.
* There is no true capability to design a network map of known hops from one instance to another that will remain static or consistent across the cloud-routing schema.
* Systems are meant to be commodity systems in that they are designed to be built and torn down at will. When the virtual machine (VM) is torn down, there is no physical data of that image, and it is simply lost. If the VM is ever shutdown, then the entire system including logs can also be destroyed and never recovered.
* VMs will be built and torn down at will by any number of system administrators at a company as an on-demand service – the company has to make an entire new set of security policies and plans to work with suspected compromised cloud servers and services.
* It is possible to make a bitstream image of the virtual machine but only as an International Organization for Standardization (ISO) image that will have to be examined offline. However, the ISO images can be stored in the cloud computing environment for sharing with law enforcement or legal council.
* What services are being provided, such as Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), make a difference in how security compliance, controls, policies, and investigation standards will be implemented by a company (Cloud Security Alliance, 2009).
* The threat environment is the same on the cloud for an exposed service as it is for any other exposed service that a company offers to anyone on the Internet.
* The network forensics investigator is limited to the tools on the box rather than the entire network because the network forensics investigators have got used to the tools.
The concept of network forensics in cloud computing requires a new mindset where some data will not be available, some data will be suspect, and some data will be court ready and can fit into the traditional network forensics model. The challenge for any forensics investigator is to understand what data set collected falls into each of the categories of not available, suspect, and court ready. Working with the company's legal counsel and cloud computing experts will be a necessity, until the general information security community catches up with the changes that cloud computing represents for information security, in general.
Excerpted from Digital Forensics for Network, Internet, and Cloud Computing by Terrence V. Lillard Clint P. Garrison Craig A. Schiller James Steele Copyright © 2010 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.