Welcome!

Recurring Revenue Authors: Liz McMillan, Elizabeth White, Pat Romanski, Yeshim Deniz, Zakia Bouachraoui

Related Topics: @CloudExpo, Microservices Expo

@CloudExpo: Article

Live Forensics and the Cloud - Part 1

Exploring the effects of Cloud Computing on Digital Forensics

Within the realms of digital forensics analysts traditionally performed analysis on static data, either from a core dump, bit to bit imaging etc. Recently we have seen an increased focus directed at the live forensics environment. As users rely more on mobile and other remote devices to access data on demand; data possibly held in some manner of cloud environment, investigators will have to adapt their mode of investigations to suit.

I recall reading a marketing pitch a while aback where some vendor claimed that an advantage of Cloud Computing is, an ability to conduct live forensics without disrupting mission critical systems. How effective this claim may be, is subject to examination.

According to Brian Carrier - "The only difference between a live and a dead analysis is the reliability of the results; a live analysis techniques use software that existed on the system during the time-frame being investigated; dead analysis techniques, use no software that existed on the system during that time-frame." - Bear in mind though that there are different aspects and levels to these statements.

A few of the experts in this field with whom I was able to interact whilst conducting graduate research a while aback, did state that when conducting a live analysis, the system under investigation will inevitably be altered in some manner or another.This in essence can define a live analysis as not being a pure forensic form.

However the potential for gaining valuable data is looked on as the lesser of two worse case scenarios in this instance.

As we know the concept of cloud computing is an amalgamation of already existing sundry computing concepts viz. distributed, grid and utility computing.

The Cloud Computing environment is as we know susceptible to classical attacks (Cross Site Scripting,DDoS,etc ) as is any regular system. A concern for any security consultant can be the potential for exploitation of a system under live analysis.

Thus the health of any one cloud ecosystem lies within the domains which ensure that confidentiality and privacy concerns within cloud computing are effectively monitored, managed and mitigated. This will include the area of digital forensics and its place within the e-discovery process.

In regular systems one instance of exploitation can be with rootkits. Rootkits as we know can be divided into database rootkits and BIOS rootkits. The potential for exploiting both and remain undetected is high e.g.by manipulating the ACPI (Advanced Configuration Power Interface) in BIOS via its ASL programming language to modify hardware features or memory.

Hypothetically speaking one may be able to insert a rootkit which reacts to a forensic probe and then output pre-programmed results to suit an attacker; remember that a snapshot of a running system can be only reproduced up to its specific instance and cannot be reproduced at a later time-frame. As a result with a live system, data from a probe up to one instance will be different from data from another probe say 15 minutes into the live system.

In another scenario a rootkit may be programmed to respond to a probe by purging and shutting down the system - According to R.C. Vernon "A "hard" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged".

One can then question; what happens if an attack is able to compromise a host's cloud system and insert a rootkit which remains undetected as described above? Can multiple tenants of any one cloud ecosystem be compromised and if so how far can any such exploitation propagate without detection?

Within the cloud users expect their identity and data to remain private via anonymous authentication; if per chance a system is compromised, an attacker then take advantage of this factor of anonymous authentication and possibly spoof any tenant within the cloud as the attacker while data is compromised. How can an investigator identify and track such an issue?

Continued in Part 2

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

IoT & Smart Cities Stories
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments t...
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...