While the move to the cloud brings many challenges and changes to the field of digital forensics and incident response (DFIR), it also presents responders with numerous benefits. Whether it's using functions-as-a-service for automation, deploying cloud-hosted lab environments, or benefiting from scalable resources, there are many ways in which we can leverage the cloud to improve our investigations. In this blog post, we discuss eight examples of how cloud technologies can be leveraged to improve incident responder workflows.
This topic was also discussed in a live stream with FOR509 instructors Megan Roddie and Terrence Williams.
DFIR Lab Environments
Traditionally, DFIR lab workstations were built on beefy physical computers configured with all the settings and tools needed to import and analyze evidence. If additional workstations or upgrades were needed, new hardware had to be acquired, and the support of an IT team was needed to keep the machines properly maintained. The move to work-from-home during the pandemic made this an even larger challenge, as physical workstations now had to be shipped to the analyst's home rather than housed in an office. Luckily, the power of the cloud allows us to build DFIR lab environments in an efficient, consistent, and convenient way.
First and foremost, hosting the DFIR lab workstations as virtual machines in the cloud removes the complexities of tying a physical device to a physical location. For a responder to access their forensic workstation, they simply connect remotely to the cloud rather than travel to a physical office or arrange for a sufficiently powerful workstation to be shipped to their home office. Additionally, with the region-based resource allocation offered by the major cloud providers, DFIR workstations can be deployed in whichever cloud region optimizes cost and speed.
The other major benefit of using cloud technology to build your DFIR workstations is the ability to create consistent lab environments with quick spin-up times. Between infrastructure-as-code and machine images, we can quickly create a new host pre-configured from a golden image containing all the settings and software needed to carry out an investigation. These machines are shareable for standardized use across the team and can be created and destroyed with the click of a button.
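To make the golden-image idea concrete, here is a minimal sketch of launching a pre-configured workstation with boto3. The AMI ID, key name, security group, and instance type below are all placeholder assumptions, not recommendations; substitute your own values.

```python
# Sketch: launching a DFIR workstation from a pre-built "golden" machine
# image with boto3. All identifiers below are placeholders.

def build_workstation_request(ami_id, instance_type="m5.2xlarge",
                              key_name="dfir-analyst-key",
                              security_group_id="sg-0123456789abcdef0"):
    """Build the parameter set for ec2.run_instances()."""
    return {
        "ImageId": ami_id,          # golden image with tools pre-installed
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
        "KeyName": key_name,
        "SecurityGroupIds": [security_group_id],
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [{"Key": "Purpose", "Value": "dfir-workstation"}],
        }],
    }

params = build_workstation_request("ami-0abc1234def567890")
# In a real environment, these parameters would be passed to boto3:
#   import boto3
#   ec2 = boto3.client("ec2")
#   ec2.run_instances(**params)
print(params["InstanceType"])
```

Because the launch request is just data, the same parameters can be reused by infrastructure-as-code tooling to destroy and recreate identical workstations on demand.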
If you are interested in using cloud technologies to spin up a DFIR lab, the following compute services from the major cloud service providers (CSPs) may be worth exploring:
Amazon EC2
Azure Virtual Machines
Google Compute Engine
Trusted Evidence Handling
When performing an investigation, it is important to be able to trust the evidence you are looking at. This is even more important if you are working in law enforcement or on a case that may become a legal matter. In traditional forensics, this requires write-blocking technology, enhanced audit logging, and clear chain of custody procedures. In the cloud, many of these requirements are enabled by default or are easily configurable.
With regard to ensuring our evidence is not tampered with, data stored in the cloud can be protected using read-only mechanisms. From a chain of custody perspective, tracking evidence handling becomes simpler: with logging enabled for cloud objects and their shared nature, we can more easily identify who is accessing and modifying what data. Without the cloud involved, files risk being shared outside the scope of visibility via various communication channels, limiting the ability to follow the chain of custody.
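One such read-only mechanism is S3 Object Lock, which enforces write-once-read-many (WORM) protection on stored objects. Below is a hedged sketch of the configuration structure boto3's `put_object_lock_configuration` expects; the bucket name and the 365-day retention period are example assumptions, not recommendations.

```python
# Sketch: an S3 Object Lock (WORM) configuration keeping evidence objects
# immutable for a fixed retention period. The 365-day period is an
# illustrative value only.

object_lock_config = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
        "DefaultRetention": {
            "Mode": "COMPLIANCE",   # cannot be shortened or removed, even by root
            "Days": 365,
        }
    },
}
# Applied with boto3 (bucket name is a placeholder):
#   s3 = boto3.client("s3")
#   s3.put_object_lock_configuration(Bucket="evidence-bucket",
#                                    ObjectLockConfiguration=object_lock_config)
```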
In terms of the data that is logged for access to cloud resources, we are going to, by default, see control plane events (resource creation, deletion, updates). If we want to track access to objects, such as who is accessing specific logs, we can enable data plane logging. This is a super useful logging setting to apply to any resources that you need to maintain a chain of custody over.
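The control-plane versus data-plane distinction can be illustrated with a few simplified CloudTrail-style records; real CloudTrail events carry many more fields, and the records below are fabricated examples.

```python
# Sketch: separating control-plane (management) events from data-plane
# events in a batch of simplified CloudTrail-style records.

events = [
    {"eventName": "CreateBucket", "eventCategory": "Management"},
    {"eventName": "GetObject",    "eventCategory": "Data"},
    {"eventName": "DeleteObject", "eventCategory": "Data"},
]

# Object-level accesses like these are only recorded once data events
# (data plane logging) are enabled on the resource.
data_plane = [e["eventName"] for e in events if e["eventCategory"] == "Data"]
print(data_plane)
```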
Unlimited and Scalable Resources
There’s nothing more frustrating than being in the middle of an investigation and getting an alert from your workstation that your hard drive is out of space. Or running analysis on a forensic image and discovering your computer doesn’t have the CPU or memory capacity to process the file. With the cloud, however, resources are nearly unlimited, assuming you are willing to pay for them (for context, 50 TB of standard storage on AWS S3 would cost you just over $1,000 per month). Furthermore, it’s very simple to scale up the resources available to your forensic hosts.
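That storage figure can be sanity-checked with some quick arithmetic, assuming the S3 Standard first-tier rate of roughly $0.023 per GB-month (us-east-1 at the time of writing; actual rates vary by region and usage tier):

```python
# Back-of-the-envelope check of the 50 TB S3 figure, assuming the S3
# Standard first-tier rate of ~$0.023 per GB-month.

gb_per_tb = 1024
rate_per_gb_month = 0.023

monthly_cost = 50 * gb_per_tb * rate_per_gb_month
print(f"${monthly_cost:,.2f} per month")   # ≈ $1,177.60
```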
In a traditional use case, adding CPU, memory, or storage to your forensic workstation could require an extensive requisition process and impede your ability to investigate in the meantime. With a workstation running in the cloud, running out of a compute resource is as simple to fix as changing a setting on your virtual machine and provisioning more drives or processing power. As an added convenience, many of these changes, such as expanding a storage volume, can be made without rebuilding the machine, though some, like changing the instance type, require a brief stop and start. The same scalability concept applies not just to VMs but to other resources as well, such as containers on Kubernetes. This greatly reduces time to respond by eliminating resource constraints as a bottleneck on analysis.
Evidence Storage
We already discussed how logging in the cloud can prevent modification of data and provide, to an extent, a chain of custody for evidence. We also covered the nearly unlimited, scalable resources that help prevent evidence storage from being maxed out mid-investigation. Several other characteristics and offerings of the cloud make it an ideal place to store evidence related to an investigation.
First, transferring the data becomes much easier, especially for remote teams. For one, the need to transfer physical drives is removed, as data can be stored and transferred securely via the cloud. Also, with region-based storage and services such as Amazon S3 Transfer Acceleration, evidence can be strategically stored so that people in various regions can retrieve it more quickly.
Another benefit is reduced cost and overhead: evidence that must be archived long-term or is rarely accessed can be kept in cold storage or on cheaper storage classes to minimize costs. Related to retention, most cloud providers offer some form of retention policy feature that archives or deletes data according to your retention requirements. This is especially valuable for organizations with legal or procedural requirements.
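As an illustration, here is a sketch of an S3 lifecycle configuration that moves evidence to Glacier after 90 days and deletes it after roughly seven years. The bucket name, prefix, and both periods are example assumptions; align them with your own retention requirements.

```python
# Sketch: an S3 lifecycle configuration implementing tiered retention for
# evidence. The prefix and day counts are illustrative values only.

lifecycle_config = {
    "Rules": [{
        "ID": "evidence-retention",
        "Filter": {"Prefix": "case-evidence/"},
        "Status": "Enabled",
        "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": 2555},   # ~7 years
    }]
}
# Applied with boto3 (bucket name is a placeholder):
#   s3.put_bucket_lifecycle_configuration(
#       Bucket="evidence-bucket",
#       LifecycleConfiguration=lifecycle_config)
```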
Lastly, with Identity and Access Management (IAM) features, extremely robust permission structures can be built out. Varying levels of access can be applied depending on who needs what type of permissions. This access can be applied to groups of resources, individual resources, or, in the case of S3, even at the individual object level. Furthermore, IAM logs can provide accountability if an audit must be performed.
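As a sketch of what such a permission structure might look like, the bucket policy below grants a single examiner role read-only access to one case's evidence prefix. The account ID, role name, bucket name, and case prefix are all placeholder assumptions.

```python
# Sketch: a read-only S3 bucket policy scoped to one case's evidence.
# All ARNs and names below are placeholders.

import json

read_only_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExaminerReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/dfir-examiner"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::evidence-bucket",             # for ListBucket
            "arn:aws:s3:::evidence-bucket/case-1234/*", # for GetObject
        ],
    }],
}
print(json.dumps(read_only_policy, indent=2))
```

Because no write or delete actions are granted, any attempt by the examiner to modify evidence is denied and logged, supporting both integrity and auditability.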
Containerization
While containers are not solely a cloud technology, cloud adoption has helped drive their popularity. With this rising technology, incident responders can see several benefits from containerizing their workflows.
Applications and services that once required complex installation processes can be deployed as containers, reducing the complexity and time responders must invest in deploying the tools an investigation requires. Additionally, when running in the cloud, dynamic scaling can ensure that if operations exceed the available compute power, processing won't fail; instead, the resources needed to keep the container running are added automatically. If you want to learn more about the container services offered by the major CSPs, the most popular options include:
Amazon Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS)
Azure Kubernetes Service (AKS)
Google Kubernetes Engine (GKE)
Each of these vendors also offers various additional container-related services.
Log Analysis
Organizations without an established SIEM or log aggregation platform may find themselves needing to quickly spin up a way to analyze large volumes of logs. In this case, platform-as-a-service technologies exist that reduce the overhead of getting a solution deployed quickly.
Some vendors provide native log searching tools, allowing for quick and efficient searching without the need to export the logs to a third-party tool first. These tools are not going to be as robust as a dedicated SIEM or log management tool but can be useful in triaging incidents. If a heftier solution is required, applications such as Elastic can be deployed in the form of a pre-built image or managed service within the cloud, leveraging the unlimited processing power mentioned earlier in this post.
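As an example of a native log searching tool, CloudWatch Logs Insights can query CloudTrail events delivered to CloudWatch Logs. Below is a hedged sketch of the parameters for such a query, hunting for failed console logins; the log group name is a placeholder, and the query assumes CloudTrail delivery to CloudWatch Logs is configured.

```python
# Sketch: parameters for a CloudWatch Logs Insights query looking for
# failed ConsoleLogin events over the last 24 hours. The log group name
# is a placeholder.

import time

now = int(time.time())
query_params = {
    "logGroupName": "cloudtrail-logs",   # placeholder
    "startTime": now - 24 * 3600,
    "endTime": now,
    "queryString": (
        "fields @timestamp, userIdentity.arn, sourceIPAddress "
        "| filter eventName = 'ConsoleLogin' "
        "| sort @timestamp desc"
    ),
}
# Run with boto3:
#   logs = boto3.client("logs")
#   query_id = logs.start_query(**query_params)["queryId"]
```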
Network Telemetry
Network logging has long been a complex topic in incident response. Network forensic data provides immense value, but the cost of storing it, along with the complexity of integrating capture hardware into the network architecture, puts it out of reach for many organizations. The cloud provides methods of gathering network telemetry that eliminate some of these headaches and make it far more feasible for incident responders to acquire such data.
Collecting flow data in the cloud is as simple as flipping a switch. The flow data is gathered in such a way that it can be enabled without disrupting regular operations or causing downtime. Additionally, once the logs are enabled they can be routed directly to cloud storage, making the collection of the logs simple. Flow logs will provide metadata surrounding connections at the VPC, subnet, and network interface levels, providing valuable context for attacks involving network traffic. The metadata provides the source and destination IPs and ports as well as information regarding the data size, rather than the full content of the packet as a PCAP would provide. It gives us network context without the hefty processing and storage requirements of full packet captures.
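To show what that metadata looks like in practice, here is a short sketch that parses a VPC Flow Log record in the default (version 2) format; the record itself is a fabricated example laid out in the documented field order.

```python
# Sketch: parsing a VPC Flow Log record in the default version-2 format.
# The record below is a fabricated example.

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

record = ("2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 "
          "49152 443 6 10 8400 1620000000 1620000060 ACCEPT OK")

flow = dict(zip(FIELDS, record.split()))
print(flow["srcaddr"], "->", flow["dstaddr"], flow["action"])
```

Note that everything here is connection metadata (addresses, ports, protocol, byte counts, and the accept/reject decision); there is no packet payload to store or process.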
Automation with Functions-as-a-Service
Functions-as-a-service offerings are another way we can take existing scripts and tools and increase the efficiency of our investigations. By automating evidence collection and parsing, as well as host isolation, we can reduce the time to respond, and even further so when event-based triggers kick off response activities automatically.
Functions-as-a-service platforms typically support a wide variety of programming languages, meaning existing scripts can often be turned into serverless functions without learning a new language. If you want to learn more about the function-as-a-service offerings from the major CSPs, check out the following:
AWS Lambda
Azure Functions
Google Cloud Functions
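To make the host-isolation idea concrete, here is a hedged sketch of a Lambda-style handler that quarantines an EC2 instance by swapping its security group for an empty "quarantine" group. The event shape, group ID, and the injected client parameter are assumptions made for local testing; a real trigger (e.g., a GuardDuty finding delivered via EventBridge) would have a different structure.

```python
# Sketch: a Lambda-style handler that isolates a compromised EC2 instance
# by replacing its security groups with an empty quarantine group.
# The group ID and event structure are placeholders.

QUARANTINE_SG = "sg-quarantine0000000"   # placeholder: group with no rules

def handler(event, ec2_client):
    """Isolate the instance named in the triggering event."""
    instance_id = event["detail"]["instance_id"]
    ec2_client.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[QUARANTINE_SG],
    )
    return {"isolated": instance_id}

# Local smoke test with a stub client -- no AWS calls are made:
class StubEC2:
    def modify_instance_attribute(self, **kwargs):
        self.last_call = kwargs

stub = StubEC2()
result = handler({"detail": {"instance_id": "i-0abc1234"}}, stub)
print(result)   # {'isolated': 'i-0abc1234'}
```

In a deployed function, the client would come from `boto3.client("ec2")` and the handler would be wired to an event-based trigger so isolation happens within seconds of detection.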