homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Free Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Free Training & Resources
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
      • Leadership Courses
      • Executive Cybersecurity Exercises
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
      • Webcasts Listings
      • Live Streams
        • Wait Just An Infosec
        • Cybersecurity Leadership
        • SANS Threat Analysis Rundown (STAR)
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
        • Blueprint
        • Trust Me, I'm Certified
        • Cloud Ace
        • Wait Just an Infosec
      • Summit Presentations
      • Posters & Cheat Sheets
    • Internet Storm Center
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
      • Open-Source Intelligence (OSINT)
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • Brazil
    • France
    • Japan
    • United Kingdom
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Cloud-Powered DFIR: Harnessing the cloud to improve investigator efficiency
Megan_Roddie_370x370.png
Megan Roddie

Cloud-Powered DFIR: Harnessing the cloud to improve investigator efficiency

This blog covers eight different use cases for leveraging cloud resources and services to improve the efficiency of incident response workflows.

May 4, 2023

While the move to the cloud brings forth many challenges and changes to the field of digital forensics and incident response (DFIR), it also presents responders with numerous benefits. Whether it's using functions-as-a-service for automation, deploying cloud-hosted lab environments, or benefiting from scalable resources, there are many ways in which we can leverage the cloud to improve our investigations. In this blog post, we discuss eight different examples of how cloud technologies can be leveraged for improving incident responder workflows. 

This topic was discussed in a live stream with FOR509 instructors Megan Roddie and Terrence Williams below

DFIR Lab Environments

Traditionally, DFIR lab workstations were built on beefy, physical computers and configured with all the settings and tools needed to import and analyze evidence. If additional workstations or upgrades were needed, new hardware would have to be acquired. In addition to that, you need the support of an IT team to ensure proper maintenance of the machines. With the move to work-from-home during the pandemic, this presented an even larger challenge as these physical workstations would now have to be shipped to the analyst’s home instead of being included in an office environment. Luckily, the power of the cloud allows us to build DFIR lab environments in an efficient, consistent, and convenient way. 

First and foremost, by hosting the DFIR lab workstations as virtual machines in the cloud, we reduce the complexities associated with tying a physical device to a physical location. Now for a responder to access their forensic workstation, they simply need to remotely connect to the cloud rather than go to a physical office location or arrange for a workstation with the power required to be sent to their home office. Additionally, with the region-based resource allocation leveraged by the major cloud providers, the DFIR workstations can be deployed in a cloud region that will optimize costs and speed. 

The other major benefit of using cloud technology to build your DFIR workstations is the ability to create consistent lab environments and with quick spin up times. Between infrastructure-as-code and machine images, we have the ability to quickly create a new host pre-configured with a golden image containing all the settings and software needed to carry out an investigation. These machines will be shareable, for standardized use across the team, and be able to be created and destroyed with the click of a button. 

If you are interested in using cloud technologies to spin up a DFIR lab, the following services from the major cloud service providers (CSPs) may be worth exploring:

  • AWS CloudFormation

  • Azure Resource Manager

  • Google Cloud Deployment Manager

Forensically-Sound Logging

When performing an investigation, it is important to be able to trust the evidence you are looking at. This is an even more important requirement if you are working for law enforcement or on a case that may become a legal matter. In traditional forensics, this requires the use of write-blocking technology, enhanced audit logging, and clear chain of custody procedures. With the cloud, many of these requirements are enabled by default or easily configurable. 

With regards to ensuring our logs are not tampered with, data and evidence stored in the cloud can be stored and protected using read-only mechanisms. From a chain of custody perspective, we can ensure simpler tracking of evidence handling. With the logging enabled for cloud objects and its shared nature, we can more easily identify who is accessing and modifying what data. Without cloud technology involved, the risk of files being shared outside the scope of visibility via various communication challenges limits the ability to follow the chain of custody. 

In terms of the data that is logged for access to cloud resources, we are going to, by default, see control plane events (resource creation, deletion, updates). If we want to track access to objects, such as who is accessing specific logs, we can enable data plane logging. This is a super useful logging setting to apply to any resources that you need to maintain a chain of custody over. 

Unlimited and Scalable Resources

There’s nothing more frustrating than being in the middle of an investigation and getting an alert from your workstation that your hard drive is out of space. Or running analysis on a forensic image and discovering your computer doesn’t have the CPU or memory capacity to process the file. With the cloud, however, resources are nearly unlimited, assuming you are willing to pay the price for it (for context, 50 TB of storage on AWS S3 would cost you just over $1,000). Furthermore, it’s very simple to scale up resources for your forensic hosts. 

In a traditional use case, adding CPU, memory, or storage to your forensic workstation would potentially require an extensive requisition process and impede your ability to investigate in the meantime. With a workstation running in the cloud, if you run out of a compute resource, it's as simple as changing a setting for your virtual machine and provisioning it with more drives or processing power. As an added convenience, changes to these workstations don’t typically require a restart or shut down as many similar changes to on-premise devices would. This same scalability concept applies not just to VMs but also to other resources, such as containers on Kubernetes. This greatly reduces the time to respond by eliminating the issue of resource constraints affecting analysis. 

Evidence Handling 

We already discussed how logging in the cloud can prevent modification of data and provide chain of custody, to an extent, for evidence. We also talked about the unlimited/scalable resources which will assist in preventing evidence storage being maxed out mid-investigation. There are several other characteristics and offerings of the cloud that make it an ideal location to store evidence related to an investigation. 

First, transferring the data becomes much easier, especially for remote teams. For one, the need to transfer physical drives is removed as data can be stored and transferred securely via the cloud. Also, with region-based storage and services such as AWS’ Transfer Acceleration, evidence can be strategically stored such that people in various regions can retrieve that data more quickly.

Another benefit is that there is reduced costs and overhead in the sense that evidence that needs to be archived for longer or minimally accessed can be stored in cold storage or on cheaper drive types to minimize storage costs. Related to retention, many of the cloud providers have some sort of retention policy feature that allows you to archive or delete data depending on retention requirements. This is especially valuable for organizations with legal or procedural requirements.

Lastly, with Identity and Access Management features (IAM), extremely robust permission structures can be built out. Varying levels of access can be applied depending on who needs what type of permissions. This access can be applied to groups of resources, individual resources, or, in the case of S3, even at the file-level. Furthermore, IAM logs can provide accountability if an audit must be performed.

Containers

While not solely a cloud technology, cloud implementations have helped drive the popularity of containers. With this rising technology, incident responders can see a few benefits related to containerizing their workflows.

Applications and services that used to involve complex installation processes can be deployed in the form of containers, reducing the complexity and time responders must put into deploying tools required for investigations. Additionally, when running in the cloud dynamic scaling can be used to ensure that if operations are exceeding the compute power, processing won’t fail. Instead, the resources needed to continue running the container can be added automatically. If you want to learn more about the container services offered by the major CSPs, the most popular options include:

  • AWS Elastic Container Service (ECS)

  • AWS Elastic Kubernetes Service (EKS)

  • Azure Kubernetes Service (AKS)

  • Google Kubernetes Engine (GKE)

Each of these vendors have various additional container-related services

DFIR PaaS

For organizations who don’t have an established SIEM or log aggregation platform, they may encounter the need to quickly spin up a method for analyzing large amounts of logs. In this case, platform-as-a-service technologies exist that will reduce the overhead for quickly getting a solution deployed. 

Some vendors provide native log searching tools, allowing for quick and efficient searching without the need to export the logs to a third-party tool first. These tools are not going to be as robust as a dedicated SIEM or log management tool but can be useful in triaging incidents. If a heftier solution is required, applications such as Elastic can be deployed in the form of a pre-built image or managed service within the cloud, leveraging the unlimited processing power mentioned earlier in this post.

Network Logging

Network logging has often been a complex topic when it comes to incident response. Network forensic data provides immense value but the cost of storing such data as well as the complexity of integrating related hardware into the network architecture limits the ability of many organizations to consider implementing it. The cloud provides methods of gathering network telemetry that eliminate some of the headaches involved and make it more feasible for incident responders to acquire such data. 

Collecting flow data in the cloud is as simple as flipping a switch. The flow data is gathered in such a way that it can be enabled without disrupting regular operations or causing downtime. Additionally, once the logs are enabled they can be routed directly to cloud storage, making the collection of the logs simple. Flow logs will provide metadata surrounding connections at the VPC, subnet, and network interface levels, providing valuable context for attacks involving network traffic. The metadata provides the source and destination IPs and ports as well as information regarding the data size, rather than the full content of the packet as a PCAP would provide. It gives us network context without the hefty processing and storage requirements of full packet captures.

Functions-as-a-Service

Functions-as-a-service are another method through which we can take existing scripts and tools and increase the efficiency of our investigations. By automating evidence collection and parsing, as well as host isolation, we can reduce the time to respond. This time to respond is even further reduced when event-based triggers are used to kick off response activities. 

Functions-as-a-service applications typically support a wide variety of programming languages, meaning that any existing scripts can be turned into serverless functions and no additional programming language skills are needed.  If you want to learn more about function-as-a-service offerings from the major CSPs, check out the following:

  • AWS Lambda

  • Google Cloud Functions

  • Azure Functions

Summary
In this blog post, we covered eight different use cases for leveraging cloud resources and services to improve the efficiency of incident response workflows. If you want to hear a deeper discussion regarding this topic, check out the following webcast: Cloud-Powered DFIR: Harnessing the cloud to improve investigator efficiency.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tags:
  • Cloud Security
  • Digital Forensics and Incident Response

Related Content

Blog
Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png
Digital Forensics and Incident Response
May 22, 2023
Finding Evil WMI Event Consumers with Disk Forensics
This blog covers disk-based artifacts and tools available for use during deeper forensic investigations.
370x370_Chad-Tilbury.jpg
Chad Tilbury
read more
Blog
Blog_teaser_images_(19).png
Digital Forensics and Incident Response, Open-Source Intelligence (OSINT)
May 10, 2023
FOR589: Cybercrime Intelligence - NEW SANS DFIR Course coming in 2024
Learn to hunt for Dark Web Intelligence, Social Engineer cybercriminals, investigate illicit Blockchain activity, and analyze Cryptocurrency evidence
Viv_Ross_370x370.png
Viviana Ross
read more
Blog
Blog_-_Ransomware.png
Digital Forensics and Incident Response
May 4, 2023
Ransomware: Every internet-connected network is at risk. Be prepared!
As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. Here is what you can do to prepare.
370x370_ryan-chapman.jpg
Ryan Chapman
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Terms and Conditions
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn