Security Basics mailing list archives

Cloud Forensics continued [Was - Re: Bruce Schneier on Google Apps...]


From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 29 Jul 2009 11:42:51 -0400

So let me ask you this. In the face of an e-discovery request, does your
in-house email admin provide the Legal dept with the entire HDDs from
the servers, or just the email (e.g. PST) files of the individual
users specified in the e-discovery request?

I am just asking this for my own knowledge. I am trying to find out
what the common practice is.

Apples and oranges here. Let's take this a step further with e-mail,
wherein the feds are set to raid an office of someone like Bernie
Madoff. Normally when the feds come, their forensics teams will come in,
take pictures of the machine, take notes, do their bit copies and so on
(paperwork, chain of command, non-fun forensic stuff). In the course of
this procedure, they'd like to get as much information as possible about
the machine's state: who is potentially connected to the machine at the
time, what is going on behind the scenes (programs running and so on).

So let's look at the logic of "the cloud" from an alternative
standpoint... My argument would be one of validation. "So you were given
a copy of the disk by whom? Were they certified, did they follow
procedure? How do you know this?" One would have to rely on the "trust"
factor here and where there is life involved (a defendant) it takes
precedence over trust. Would you want to implicitly "trust" that someone
didn't fiddle data at your expense?

/ QUOTE
"When we allow services to be delivered by a third party we lose all
control over how they secure and maintain the health of their
environment and in many cases we lose all visibility into the controls
themselves, that being said…Cloud Computing platforms have the potential
to offer adequate security controls, but it will require a level of
transparency the providers will most likely not be comfortable providing."
http://infosecurity.us/?p=4343
/ END QUOTE

So back on semi-topic, we have the feds raiding the offices of a Madoff,
but the machines are NOT there. They're located in "the cloud". For
starters, how do you know verifiably that no one is apt to tamper with
data? Again - you can "hope" that someone 1) has a clue 2) is capable in
the field of forensics, but "hoping and wishing and praying"... Well,
those are the lyrics of a song. The feds would likely want a bit copy of
that machine, which is in a virtualized environment. How do they check
states, how do they verify that no other virtualized machine broke back
into ring0 and caused havoc?

Consider Cloudburst or any other virtualization vulnerability: how are we
to be sure we don't convict someone without taking the time to truly
assess what is going on? As a defense attorney, a question could be
posed as:

Attorney: "Did you notice whether or not any other machines were
compromised on that virtualized environment?"

Fed on stand: "No we weren't allowed to check states or make bit copies..."

Attorney: "So you mean to tell me that there could have possibly been
someone who'd hacked into the system and you let it pass you by?"

The arguments would be great AGAINST the validity of cloud computing:

Attorney: "You let who perform the bit copies for evidentiary purposes?"

Fed on stand: "Joe the Plumber sir"

Attorney: "Is he certified in the forensics field?"

Fed on stand: "I uh..."

Attorney: "Scratch that question. Is this the same Joe the Plumber who
was arrested for DUI?"

See, in a situation like this, everything counts. Even if Joe the Plumber
was certified and had anything on him, regardless of whether he'd become
a model citizen, it's like throwing blood to sharks on both ends, defense
and offense. So to get back to your original comment on PST files, etc.,
you're looking at a more regulatory control mechanism than for something
different in the field of forensics.

To be fair to cloud providers, they'll market you to death with "we have
audit trails and Cross Reverse Anomaly Processing" (CRAP buzzword of the
year), but the actuality is, they DON'T, they CAN'T and they WON'T be
able to accommodate the forensics scope at the right moment. It hasn't
happened yet (subpoenas) that I'm aware of, but keep an eye out for it.
If I were a defense attorney, I'd home in and butcher up any forensics
evidence given by a cloud provider to have it thrown out the moment 1)
they DIDN'T shut down the entire machine, period, and 2) the evidence
wasn't obtained by someone EXPERIENCED (not an incident response trained
individual). Incident response works well internally, but where life is
concerned, it's a whole new ballgame.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
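The validation problem the post raises (how anyone can tell whether a bit copy handed over by a third party is the one that was actually taken, and who has held it since) is what forensic image hashing and a hash-chained chain-of-custody record address. The following Python is an added example, not code from the post or from any cloud provider; the image bytes and the names and timestamps in the custody entries are constructed.

```python
import hashlib
import json

# Constructed sample "disk image" (16 KiB). In practice this is the raw bit copy
# of the evidence volume, read from a file in chunks rather than held in memory.
SAMPLE_IMAGE = bytes(range(256)) * 64

def hash_image(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash the image in chunks with MD5 and SHA-256; acquisition tools record both."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"size": len(data), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def acquisition_record(data: bytes, examiner: str, source: str, when: str) -> dict:
    """Record who took the copy, from what, when (ISO 8601 string), and the image hashes."""
    return {"examiner": examiner, "source": source, "acquired_at": when, **hash_image(data)}

def verify_image(data: bytes, record: dict) -> list:
    """Re-hash a copy received later; return the fields that no longer match the record."""
    current = hash_image(data)
    return [k for k in ("size", "md5", "sha256") if current[k] != record[k]]

def append_custody_entry(log: list, action: str, by: str, when: str) -> dict:
    """Append a custody event whose hash covers the previous entry, so editing or
    dropping an earlier event invalidates every later one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"action": action, "by": by, "at": when, "prev": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def custody_log_intact(log: list) -> bool:
    """Walk the chain and recompute every entry hash. Limit: a party holding the whole
    log can rebuild the chain from scratch, so the head hash still needs an independent
    witness (a signed or timestamped copy held by someone other than the custodian)."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```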


