There is a universe of data out there to be discovered.
Before you can begin exploring the universe of cloud data you must learn where and how it exists. In this section you will learn about the most popular cloud architectures (IaaS, PaaS, SaaS) and how each changes your investigative possibilities. You will understand what kind of logging and data access is provided by each cloud architecture and how to extract and process this data.
We will introduce SOF-ELK, an open source SIEM made for enterprise log analysis that easily extends into cloud forensics. We then move on to Microsoft 365, a SaaS platform that provides the Microsoft Office suite of applications including Excel and Word. In addition, Microsoft 365 implements a number of communications and collaboration tools such as Exchange, SharePoint, and Teams. We finish the day by exploring the Microsoft Graph API and reviewing the logs that it generates.
LAB 0: Install SOF-ELK VM
Prior to the class, students are expected to install the SOF-ELK VM with all the updates including the electronic workbook.
LAB 1.1: Visualize data in SOF-ELK
In this lab students will learn how to search and visualize data in Kibana. They will also learn how to create their own dashboard. Kibana dashboards allow analysts to display summarized statistics and predefined filters for specific scenarios.
LAB 1.2: Find the source of a BEC
Students will review Unified Audit Logs in SOF-ELK to find the source of a business email compromise. Utilizing user agents, IP geolocation, and source IP addresses, students will be able to profile and identify hostile agents.
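As an added illustration of the approach Lab 1.2 takes (this is example code written for this page, not course or SOF-ELK material), the script below profiles Unified Audit Log sign-in records per user and flags later logins whose source IP, country, or user agent was never seen in that user's baseline. The records are constructed in the shape of UAL AuditData JSON, and the IP-to-country table is a constructed stand-in for a real GeoIP lookup; both are assumptions, as is the baseline cutoff date.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed UAL sign-in records in the AuditData JSON shape (one per line).
# These are sample values for illustration, not real tenant data.
SAMPLE_UAL = """
{"CreationTime":"2023-03-01T08:02:11","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
{"CreationTime":"2023-03-01T08:30:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"203.0.113.20","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
{"CreationTime":"2023-03-02T08:15:40","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
{"CreationTime":"2023-03-03T09:01:05","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.11","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
{"CreationTime":"2023-03-04T02:44:19","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.77","ExtendedProperties":[{"Name":"UserAgent","Value":"python-requests/2.28"}]}
{"CreationTime":"2023-03-04T07:30:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"203.0.113.21","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
{"CreationTime":"2023-03-04T08:05:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Edge/110"}]}
"""

# Constructed IP -> country table standing in for a GeoIP database (assumption).
GEO = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "203.0.113.20": "US",
    "203.0.113.21": "US",
    "198.51.100.77": "XX",
}


def parse_ual(text):
    """Parse newline-delimited AuditData JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_agent(record):
    """Pull the UserAgent value out of a record's ExtendedProperties list."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def build_baseline(records, cutoff):
    """Per-user sets of source IPs, countries and user agents seen in logins before cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set(), "agents": set()})
    for r in records:
        if r["Operation"] != "UserLoggedIn" or datetime.fromisoformat(r["CreationTime"]) >= cutoff:
            continue
        entry = baseline[r["UserId"]]
        entry["ips"].add(r["ClientIP"])
        entry["countries"].add(GEO.get(r["ClientIP"], "??"))
        entry["agents"].add(user_agent(r))
    return baseline


def find_anomalous_logins(records, cutoff_iso):
    """Flag logins at or after the cutoff that deviate from the user's baseline profile.

    Each finding lists which attributes were new, so an analyst can weigh a new IP in a
    known country and browser differently from a new country plus a scripted client.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(records, cutoff)
    findings = []
    for r in records:
        if r["Operation"] != "UserLoggedIn" or datetime.fromisoformat(r["CreationTime"]) < cutoff:
            continue
        user, ip, agent = r["UserId"], r["ClientIP"], user_agent(r)
        country = GEO.get(ip, "??")
        known = baseline[user]
        reasons = []
        if ip not in known["ips"]:
            reasons.append("new source IP")
        if country not in known["countries"]:
            reasons.append("new country")
        if agent not in known["agents"]:
            reasons.append("new user agent")
        if reasons:
            findings.append({"time": r["CreationTime"], "user": user, "ip": ip,
                             "country": country, "agent": agent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Baseline is everything before 4 March (assumed cutoff); later logins are scored.
    for f in find_anomalous_logins(parse_ual(SAMPLE_UAL), "2023-03-04T00:00:00"):
        print(f"{f['time']} {f['user']} {f['ip']} ({f['country']}) {f['agent']!r}: {', '.join(f['reasons'])}")
```

In SOF-ELK the same profiling is done interactively by filtering the UAL index on a user and visualizing the distribution of source IPs, GeoIP countries and user agents; the script makes the comparison explicit so the reasoning behind "this login does not fit the user" is visible in code.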
LAB 1.3: Tracking Graph API Usage
The Graph API is a powerful way to interact with the Microsoft cloud (both Microsoft 365 and Azure). Understanding the permissions granted to a Graph API application is critical to eliminating blind spots and solving incidents. We will explore the logs generated by the Graph API and touch on the lack of logs under certain circumstances.
MODULE 1.1: Key Elements of Cloud for DFIR
- Purpose of the course
- Why are we not using the cloud directly?
- MITRE ATT&CK® Cloud Matrix
- Cloud benefits
- Types of clouds
- Shared responsibility model
- DFIR in the cloud
- Core concepts
- Pricing models
- Terminology across clouds
MODULE 1.2: Introducing SOF-ELK
- SOF-ELK architecture
- Search process
- Filtering in Kibana
MODULE 1.3: Microsoft 365 Unified Audit Log
- Connecting a PowerShell session to Microsoft 365
- Properties of the UAL
- Searching the UAL
- UAL Workloads
- Special example: Exchange workload
- Mail clients
- Azure Active Directory
MODULE 1.4: Microsoft Graph API
- Case study: SolarWinds
- Graph API Process
- Five steps to Graph API
- Example logs
- What's logged?