Planning for forensics in cloud computing can be a challenge for security teams. Until recently, few tools were available to help analysts inspect systems and acquire information for cloud forensics investigations.
When considering evidence acquisition and analysis, analysts usually seek to obtain the following data:
- network packets for traffic analysis;
- workload memory;
- workload disk volumes; and
- logs and other event data from workloads and the cloud environment.
Fortunately, evidence acquisition and analysis in cloud environments have gotten easier over time. But a major challenge remains: discussions of cloud forensics often focus on "Will the evidence hold up in court?" rather than "Can we do something about these findings?" The two questions are not in tension. The practices that make evidence defensible, such as documented acquisition, hashing and a chain of custody, are the same ones that let a team act on findings quickly and with confidence.
By learning more about cloud forensics techniques and tools to enable or automate their investigations, security teams are better equipped to address this challenge.
Cloud forensics techniques for evidence collection
Capturing disk from a running instance is similar to disk capture in an on-premises virtual environment, because the major IaaS providers let customers snapshot a VM's block volumes while the workload runs. Analysts can create an analysis volume from the snapshot and attach it to a forensics workstation in the cloud, mounting it read-only at the OS level, or export the snapshot image for an on-premises workstation. In most cloud environments, customers can snapshot IaaS OS and data drives directly from the management portal. Two caveats: a snapshot of a running volume is crash-consistent, not a quiescent image, so record the time of capture alongside the snapshot ID; and a snapshot of an encrypted volume can be used only by principals with access to the key, so the forensics account needs that access granted in advance.
Capturing memory in a shared environment has to be done per instance, because customers have no access to the hypervisor and so cannot dump a guest's memory from outside it. To acquire the running memory of an instance, security teams need a separate tool that runs inside the guest, whether launched remotely or locally. Fortunately, a variety of tools are available. Rekall, an open source framework from Google, was commonly used for this; Rekall itself is no longer actively developed, although its WinPmem acquisition driver is still maintained separately, and Microsoft's AVML and LiME are the usual choices on Linux workloads today. Whichever tool is used, write the image to a volume or bucket outside the suspect instance and hash it immediately.
Hibernating a workload is another way to get a memory capture onto a disk volume in some cloud environments. On AWS, hibernation writes the instance's RAM to the encrypted root EBS volume (hiberfil.sys on Windows, the swap file on Linux), which can then be snapshotted like any other volume; the instance must have been launched with hibernation enabled, and the OS suspend path itself changes system state, so note that in the record. In Google Cloud Platform (GCP), security teams can generate a RAM disk for in-memory data. Many third-party, agent-based tools have also been adapted to cloud environments and may suit large enterprises better than ad hoc tooling.
Network forensics is made possible in most cloud environments with emerging network traffic mirroring and packet capture capabilities. Flow log data can be used to build network traffic behavioral models.
Additionally, VPC Traffic Mirroring in AWS and Packet Mirroring in GCP are available to all customers. Both copy traffic from a selected network interface or subnet, optionally filtered by protocol, port or CIDR, to a target: a network intrusion detection system, a load balancer fronting a sensor fleet, or a capture host that writes to forensics storage. Azure Virtual Network TAP, or vTAP, has been offered as a preview feature for the same purpose. Note that mirrored traffic counts against the source instance's bandwidth and arrives encapsulated (VXLAN in AWS), so capture hosts must be sized and configured accordingly. Network detection and response tools are widely available for the leading cloud provider environments as well.
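The behavioral-model idea above, as an added example that is not part of the original article: parse AWS VPC flow log records in the default format, learn which outbound services each network interface normally uses, then flag outbound flows to services never seen before and known services carrying far more data than usual. The VPC range and both log extracts are constructed for illustration; in practice the baseline would come from a week or more of logs. Findings are keyed by interface ID so they can feed the asset-tagging automation discussed later in the article.

```python
"""Baseline-and-deviation detection over VPC flow log records (AWS default
format, version 2). Added example, not code from the original article. The
VPC range and both log extracts are constructed; in use, the baseline would
come from a week or more of flow logs for each interface."""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # hypothetical VPC range
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed "normal week": a web host using HTTPS and NTP outbound, Postgres internally.
BASELINE_LOG = """\
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.5 51000 443 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 203.0.113.5 10.0.1.10 443 51000 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 10.0.2.20 51002 5432 6 40 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.9 51003 123 17 2 152 1700000060 1700000120 ACCEPT OK
"""

# Constructed observation window: same host, plus a reverse-shell port and a large HTTPS upload.
OBSERVED_LOG = """\
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.5 51010 443 6 14 1800 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 198.51.100.7 51011 4444 6 9 620 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.5 51012 443 6 4000 52000000 1700086460 1700086520 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 198.51.100.9 51013 22 6 3 180 1700086460 1700086520 REJECT OK
"""


def parse_flow_log(text):
    """Parse default-format lines into dicts; NODATA/SKIPDATA records carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def is_outbound(rec):
    """Flow leaves the VPC: source inside the VPC range, destination outside it."""
    return (ipaddress.ip_address(rec["srcaddr"]) in VPC_CIDR
            and ipaddress.ip_address(rec["dstaddr"]) not in VPC_CIDR)


def build_baseline(records):
    """Per interface: the (protocol, dstport) pairs it normally uses to leave the
    VPC, and the largest single accepted outbound flow seen."""
    base = defaultdict(lambda: {"services": set(), "max_bytes": 0})
    for r in records:
        if r["action"] == "ACCEPT" and is_outbound(r):
            entry = base[r["interface_id"]]
            entry["services"].add((r["protocol"], r["dstport"]))
            entry["max_bytes"] = max(entry["max_bytes"], r["bytes"])
    return dict(base)


def detect(records, baseline, volume_factor=10):
    """Flag accepted outbound flows to a service absent from the baseline, or to a
    known service but far larger than anything seen before (exfiltration shape)."""
    findings = []
    for r in records:
        if r["action"] != "ACCEPT" or not is_outbound(r):
            continue
        entry = baseline.get(r["interface_id"], {"services": set(), "max_bytes": 0})
        service = (r["protocol"], r["dstport"])
        if service not in entry["services"]:
            findings.append((r["interface_id"], "new_outbound_service",
                             f"{r['dstaddr']}:{r['dstport']}/{r['protocol']}"))
        elif r["bytes"] > volume_factor * max(entry["max_bytes"], 1):
            findings.append((r["interface_id"], "volume_spike",
                             f"{r['bytes']} bytes to {r['dstaddr']}:{r['dstport']}"))
    return findings


def suspect_interfaces(findings):
    """Interface IDs to hand to the tagging/quarantine automation."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    baseline = build_baseline(parse_flow_log(BASELINE_LOG))
    for finding in detect(parse_flow_log(OBSERVED_LOG), baseline):
        print(*finding)
```

On the constructed data the baseline for eni-0aaa is HTTPS and NTP with a 1,500-byte maximum flow, so the observation window yields two findings: a new outbound service on 198.51.100.7:4444 and a 52 MB HTTPS flow, while the rejected SSH attempt is ignored because it never left the VPC. A real deployment would also want per-hour profiles and a decay on the baseline so that legitimate new services do not alert forever.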
Documenting cloud computing forensics investigations
Organizations need write-once storage for evidence that is owned and controlled solely by the forensics and incident response teams: S3 Object Lock, Azure immutable blob storage or a GCS bucket with a locked retention policy, ideally in a separate account, subscription or project so that a compromised production administrator cannot reach it. Ensure the identity and access management policy for that storage is documented and that a least privilege access model is in place, with analyst roles that can write and read evidence but cannot delete it or shorten its retention.
Evidence acquisition, and every access to the evidence storage location, should be logged extensively. Use storage-level access logging (S3 server access logs or data-event logging, for example) as well as general cloud control plane logging with AWS CloudTrail, Azure Monitor activity logs and GCP's operations suite (formerly Stackdriver). A comprehensive cloud forensics program sends these logs to storage that is itself write-once and supports integrity checking, such as CloudTrail log file validation, so that the record of who touched the evidence is as defensible as the evidence itself.
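One way to build the write-once evidence store described above, as an added example that is not the article's or any vendor's code. It targets S3 through boto3's S3 client API; the bucket name, role ARNs, log bucket and retention period are hypothetical. Azure immutable blob storage and GCS retention policies fill the same role on the other platforms, with their own permission models.

```python
"""Write-once evidence storage on S3: Object Lock in COMPLIANCE mode, a
least-privilege bucket policy and an upload helper that records the SHA-256
for the custody log. Added example, not code from the original article. The
bucket name, role ARNs, log bucket and retention period are hypothetical; the
calls follow boto3's S3 client API."""
import hashlib
import json


def write_once_policy(bucket, ir_role_arns):
    """Deny everything to anyone but the IR/forensics roles, deny deletion and
    Object Lock tampering even to them, and refuse plaintext HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OnlyForensicsRoles", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(ir_role_arns)}}},
        {"Sid": "NoDeleteNoLockBypass", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                    "s3:BypassGovernanceRetention",
                    "s3:PutBucketObjectLockConfiguration"],
         "Resource": resources},
        {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": resources,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def evidence_put_args(bucket, key, data, retain_until):
    """Arguments for s3.put_object: per-object COMPLIANCE retention (cannot be
    shortened by anyone, root included) plus the SHA-256 as object metadata.
    ChecksumAlgorithm makes S3 verify the same digest on arrival."""
    digest = hashlib.sha256(data).hexdigest()
    return {"Bucket": bucket, "Key": key, "Body": data,
            "ChecksumAlgorithm": "SHA256",
            "ObjectLockMode": "COMPLIANCE", "ObjectLockRetainUntilDate": retain_until,
            "Metadata": {"sha256": digest}}


def evidence_bucket_setup(s3, bucket, ir_role_arns, retention_days, log_bucket):
    """Order matters: lock configuration and logging first, then the policy that
    forbids changing them. Outside us-east-1, create_bucket also needs
    CreateBucketConfiguration={"LocationConstraint": region}."""
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)  # implies versioning
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration={
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": retention_days}}})
    s3.put_bucket_logging(Bucket=bucket, BucketLoggingStatus={"LoggingEnabled": {
        "TargetBucket": log_bucket, "TargetPrefix": f"{bucket}/"}})
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(write_once_policy(bucket, ir_role_arns)))


def store_evidence(s3, bucket, key, data, retain_until):
    """Upload one evidence object; returns the digest the analyst records."""
    args = evidence_put_args(bucket, key, data, retain_until)
    s3.put_object(**args)
    return args["Metadata"]["sha256"]


if __name__ == "__main__":
    # Prints the policy; pass boto3.client("s3") to the setup/store functions to apply it.
    print(json.dumps(write_once_policy(
        "ir-evidence-example", ["arn:aws:iam::111122223333:role/ForensicsAnalyst"]), indent=2))
```

Two points a practitioner should check before applying this: the first statement denies every principal not in the list, including the account root and whatever role runs the setup, so include a break-glass role in ir_role_arns; and the log bucket must already grant the S3 log delivery service write access or put_bucket_logging will fail.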
Automating cloud forensics investigations
Automation has become another major focus area for cloud computing forensics and incident response. Consider the following activities as potential opportunities to implement automation:
- Assessing the environment -- continuously. Use cloud-native tools, such as AWS Config, Azure Policy or Google Cloud's Security Command Center, to evaluate resources against security conditions continuously, where possible.
- Locating and tagging suspect assets. Any number of network traffic patterns or events in a cloud environment could indicate suspicious or malicious behavior. One of the most effective ways to label suspicious assets is by automatically assigning metadata tags to assets behaving unusually. This enables organizations to track them and respond more effectively.
- Performing evidence acquisition. Automated processes can acquire evidence, such as memory, disk snapshots and process listings, along with other indicators of compromise, as soon as an asset is tagged. Initiate scripts or tools through cloud-native methods (an event rule triggering a function, for example) that produce logs and audit trails, and have them hash each artifact and write a manifest so chain of custody is established without manual steps.
- Remediation. For any remediation efforts -- including quarantine of assets or termination of workloads -- automation can help ensure the process is executed immediately and consistently when suspicious behavior is detected. Order the steps so that isolation and acquisition happen before termination: terminating an instance destroys its memory and any instance-store volumes, and an auto-scaling group may replace it before anyone has looked at it.
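The disk-capture technique from the evidence collection section and the tag, acquire and quarantine steps above, combined into one runbook as an added example (not code from the original article). It uses boto3's EC2 client API; the instance, VPC, case ID, forensics host and device names are hypothetical, and RecordingEC2 is a constructed stand-in for boto3.client("ec2") so the playbook runs offline and its call order can be checked.

```python
"""Automated first response for a suspect EC2 instance: tag, isolate, protect
from termination, snapshot every attached EBS volume, mount the copies on a
forensics host and record a chain-of-custody manifest. Added example, not code
from the original article; calls follow boto3's EC2 client API. Case ID, VPC,
forensics instance and device names are hypothetical; RecordingEC2 is a
constructed offline stand-in for boto3.client("ec2")."""
import datetime as dt
import hashlib
import json


def case_tags(case_id, **extra):
    return [{"Key": k, "Value": v} for k, v in {"forensics:case": case_id, **extra}.items()]


def isolate_instance(ec2, instance_id, vpc_id, case_id):
    """Tag the workload, replace its security groups with an empty quarantine
    group and block API termination so the root volume cannot be destroyed."""
    ec2.create_tags(Resources=[instance_id],
                    Tags=case_tags(case_id, **{"forensics:status": "quarantined"}))
    sg = ec2.create_security_group(GroupName=f"quarantine-{case_id}",
                                   Description="forensic isolation", VpcId=vpc_id)["GroupId"]
    # A new group has no inbound rules but allows all egress; revoke that too.
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    return sg


def attached_volumes(ec2, instance_id):
    """Return the instance's availability zone and its (device, volume id) pairs."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    return inst["Placement"]["AvailabilityZone"], [
        (m["DeviceName"], m["Ebs"]["VolumeId"])
        for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]


def acquire_volume(ec2, volume_id, device, case_id, forensics_id, az, target_device):
    """Snapshot the live volume, build an analysis volume from the snapshot and
    attach it to the forensics host (same AZ, or copy the snapshot there first)."""
    tags = case_tags(case_id, **{"forensics:source": f"{volume_id}:{device}"})
    snap = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"{case_id} evidence {device}",
        TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    vol = ec2.create_volume(
        AvailabilityZone=az, SnapshotId=snap,
        TagSpecifications=[{"ResourceType": "volume", "Tags": tags}])["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
    ec2.attach_volume(VolumeId=vol, InstanceId=forensics_id, Device=target_device)
    return {"source_volume": volume_id, "source_device": device, "snapshot": snap,
            "analysis_volume": vol, "attached_to": forensics_id, "attached_as": target_device}


def respond(ec2, instance_id, vpc_id, case_id, forensics_id, analyst):
    """Run the playbook; the manifest's SHA-256 goes into the custody log."""
    now = lambda: dt.datetime.now(dt.timezone.utc).isoformat()
    manifest = {"case": case_id, "instance": instance_id, "analyst": analyst,
                "started": now(), "volumes": []}
    manifest["quarantine_sg"] = isolate_instance(ec2, instance_id, vpc_id, case_id)
    az, volumes = attached_volumes(ec2, instance_id)
    for i, (device, volume_id) in enumerate(volumes):
        # /dev/sdf, /dev/sdg, ... on the forensics host (hypothetical naming).
        manifest["volumes"].append(acquire_volume(
            ec2, volume_id, device, case_id, forensics_id, az, f"/dev/sd{chr(ord('f') + i)}"))
    manifest["finished"] = now()
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


class RecordingEC2:
    """Constructed stand-in: records every call, returns canned IDs, waiters are no-ops."""
    def __init__(self):
        self.calls, self._n = [], 0
    def get_waiter(self, name):
        return self
    def wait(self, **kwargs):
        return None
    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            self._n += 1
            return {"GroupId": "sg-0quarantine", "SnapshotId": f"snap-{self._n:08x}",
                    "VolumeId": f"vol-{self._n:08x}", "Reservations": [{"Instances": [{
                        "Placement": {"AvailabilityZone": "us-east-1a"},
                        "BlockDeviceMappings": [
                            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                            {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}
        return call


if __name__ == "__main__":
    # Offline run; use boto3.client("ec2") in place of RecordingEC2() for real.
    print(json.dumps(respond(RecordingEC2(), "i-0123456789abcdef0", "vpc-0abc",
                             "IR-0001", "i-0forensics", "analyst@example.test"), indent=2))
```

The ordering is the point: tags and isolation come first, termination protection is set before any snapshot starts, and only then are the volumes copied and attached. Memory acquisition, which has to run inside the guest, belongs between isolation and the snapshots in a real playbook; it is left out here because it cannot be driven through the EC2 API alone. The manifest and its digest are what get written to the write-once evidence store.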
Equipped with methodologies, security teams can more effectively perform forensics investigations in the cloud. This knowledge, aided by ample third-party and open source tools, new cloud-native features and automation, can add value to enterprise cloud security programs.