Can You Find the Storm in the Cloud?
Learn Where to Pull Data From and How to Analyze It to Find Evil!
The world of cloud-hosted platforms is changing rapidly, and with it the amount of data used in forensic investigations and where that data resides. This requires a change in methods of analysis. Too many examiners are trying to force methods built for "on-premises" examination onto these cloud platforms. But because these platforms change how data is stored and accessed, forensic examiners cannot put their hands on that data using the old methods.
"Incident Response in large environments requires successful Incident Responders to master a multitude of different disciplines. Broad forensic knowledge forms the foundation. A good choice of the technical approach allows for scalability. Beyond the pure technical challenge of investigating a network with a six-figure number of machines, there lies the management aspect of things. Successful Incident Response includes all measures to minimize the impact of the breach on the victim as much as possible and make sure that the attacker cannot come back as quickly as before," says course author Mathias Fuchs.
Rather than resisting change, examiners must learn to embrace new opportunities in the form of new evidence sources. SANS' new FOR509: Enterprise Cloud Forensics & Incident Response course was specifically designed to bring examiners up to speed with the rapidly changing world of enterprise cloud environments, which is where their organizations' most valuable data is now being uploaded.
Written by industry experts David Cowen, Pierre Lidome and Josh Lemon, FOR509 teaches examiners how the major cloud service providers (Microsoft Azure, Amazon Web Services, and Google Workspace) extend analysts' capabilities with evidence sources not available in traditional "on-premises" investigations. Forensics is far from dead; in fact, it is reborn with new technologies and capabilities, ranging from cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation.
As Lidome notes, “the assumption that constant changes in where or how data is stored in the cloud always leads to the false assumption that forensics cannot be performed correctly. Contrary to this assumption, cloud forensics is given new capabilities and depth that do not exist in the ‘on-premises’ world.”
More organizations are moving critical resources into the cloud with Microsoft 365 and Google Workspace. These platforms, when properly configured, allow for faster detection and remediation than ever before.
“Examiners no longer have direct access to the email servers and data stores to recover actions, which means they need to learn the new methods available to them to re-create the same data,” explains Cowen. “But why stop at re-creation? These new platforms allow us to extend our reach to data.”
FOR509 also aims to teach students how to preserve, configure, and examine new sources of evidence that only exist in the cloud.
“The course empowers investigators to bring their examination skills into the cloud and learn how to triage within the same environment,” says Lemon.
Like all SANS courses, FOR509 will be updated constantly, in this case to keep up with the fast-moving world of cloud forensics. Numerous hands-on labs throughout the course give examiners access to evidence generated by the most common incidents and investigations. Importantly, students will be able to apply what they learn in FOR509 as soon as they return to the office.
Before, during, and after an investigation, cloud resources are constantly changing. FOR509: Enterprise Cloud Forensics & Incident Response will train you and your team to work with the data you have today and to identify and automate collection of the data you will need in the future.
Here is what our FOR509 students are saying:
"The course gives you a great foundation of the core services you need to understand to enable you to perform DFIR in the cloud while at the same time creating the link between the different big three cloud providers. This is going to be a MUST HAVE course on your list for any DFIR/Cloud Security professional!" - Chester L.
"Great course to jumpstart your IR and Forensics knowledge for the cloud. Covers all platforms well." - Dante H.
"The depth of how far David, Josh, and Pierre have delved into is fantastic, so I would absolutely recommend this course." - Terrie M.
"The material is awesome and badly needed by the community." - John M.
FOR509: Enterprise Cloud Forensics & Incident Response course students will be able to:
1. Understand forensic data only available in the cloud
2. Use best practices in cloud logging for Digital Forensics and Incident Response
3. Properly handle rapid triage in cloud environments
4. Preserve evidence and use memory acquisition in the cloud
5. Leverage Microsoft Azure, Amazon Web Services, and Google Cloud Platform resources to gather evidence
6. Understand what Google Workspace and Microsoft 365 have available for analysts to review
7. Move your forensic process to the cloud for fast processing where the data reside
For more information about the course and to view the course syllabus, visit the FOR509 course page.