Security Basics mailing list archives
Cloud Forensics continued [Was - Re: Bruce Schneier on Google Apps...}
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 29 Jul 2009 11:42:51 -0400
So let me ask you this. In the face of an e-discovery request, does your in-house email admin provide the Legal dept with the entire HDDs from the servers, or just the email (e.g. PST) files of the individual users specified in the e-discovery request?
I am just asking this for my own knowledge. I am trying to find out what the common practice is.
Apples and Oranges here. Let's take this a step further with e-mail, wherein the feds are set to raid an office of someone like Bernie Madoff. Normally when the feds come, their forensics teams will come in, take pictures of the machine, take notes, do their bit copies and so on (paperwork, chain of command, non-fun forensic stuff). In the course of this procedure, they'd like to get as much information as possible about the machine's state: who is potentially connected to the machine at the time, what is going on behind the scenes (programs running and so on).

So let's look at the logic of "the cloud" from an alternative standpoint... My argument would be one of validation. "So you were given a copy of the disk by whom? Were they certified, did they follow procedure? How do you know this?" One would have to rely on the "trust" factor here, and where there is life involved (a defendant) it takes precedence over trust. Would you want to implicitly "trust" that someone didn't fiddle data at your expense?

/ QUOTE
"When we allow services to be delivered by a third party we lose all control over how they secure and maintain the health of their environment and in many cases we lose all visibility into the controls themselves, that being said... Cloud Computing platforms have the potential to offer adequate security controls, but it will require a level of transparency the providers will most likely not be comfortable providing."
http://infosecurity.us/?p=4343
/ END QUOTE

So back on semi-topic, we have the feds raiding the offices of a Madoff, but the machines are NOT there. They're located in "the cloud". For starters, how do you know verifiably that no one is apt to tamper with data? Again - you can "hope" that someone 1) has a clue 2) is capable in the field of forensics, but "hoping and wishing and praying"... Well, those are the lyrics of a song. The feds would likely want a bit copy of that machine, which is in a virtualized environment.

How do they check states, how do they verify that no other virtualized machine didn't break back into ring0 and cause havoc? Consider Cloudburst or any other virtualized vulnerability; how are we to be sure we don't convict someone without taking the time to truly assess what is going on? As a defense attorney, a question could be posed as:

Attorney: "Did you notice whether or not any other machines were compromised on that virtualized environment?"
Fed on stand: "No, we weren't allowed to check states or make bit copies..."
Attorney: "So you mean to tell me that there could have possibly been someone who'd hacked into the system and you let it pass you by?"

The arguments would be great AGAINST the validity of cloud computing:

Attorney: "You let who perform the bit copies for evidentiary purposes?"
Fed on stand: "Joe the Plumber, sir."
Attorney: "Is he certified in the forensics field?"
Fed on stand: "I uh..."
Attorney: "Scratch that question. Is this the same Joe the Plumber who was arrested for DUI?"

See, in a situation like this, everything counts. Even if Joe the Plumber was certified and had anything on him, regardless of whether he'd become a model citizen, it's like throwing blood to sharks on both ends, defense and offense. So to get back to your original comment on PST files, etc., you're looking at more of a regulatory control mechanism than something different in the field of forensics. To be fair to cloud providers, they'll market you to death with "we have audit trails and Cross Reverse Anomaly Processing" (CRAP, buzzword of the year), but the actuality is, they DON'T, they CAN'T and they WON'T be able to accommodate the forensics scope at the right moment. It hasn't happened yet (subpoenas) that I'm aware of, but keep an eye out for it.

If I were a defense attorney, I'd hone in and butcher up any forensics evidence given by a cloud provider to have it thrown out the moment 1) they DIDN'T shut down the entire machine, period, and 2) the evidence wasn't obtained by someone EXPERIENCED (not an incident response trained individual). Incident response works well internally, but where life is concerned, it's a whole new ballgame.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
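The post's "validation" argument (a copy of the disk handed over by a third party, with no way to know it was not fiddled with) is the problem that acquisition hashes and a signed-off manifest exist to address. Below is an added example, not part of J. Oquendo's post or any cloud provider's tooling: it hashes an image in chunks at acquisition time, records who took it and when in a manifest, and later re-verifies the image so that even a single altered byte is detected. The examiner name, the image bytes and the manifest file name are constructed placeholders.

```python
"""Added example: acquisition hashing and later verification of a disk image.

Standard library only. The image and examiner here are constructed stand-ins;
in practice the image would be the raw bit copy and the manifest would travel
with it as part of the chain-of-custody paperwork.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images never load into RAM


def hash_image(path):
    """Return size, MD5 and SHA-256 of the file at `path` (two algorithms, as many
    acquisition tools record, so a collision in one does not go unnoticed)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_manifest(image_path, examiner, note):
    """Record the acquisition hashes together with who/when/what in a JSON
    manifest stored beside the image. Returns the manifest path."""
    manifest = {
        "image": os.path.basename(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
    }
    manifest.update(hash_image(image_path))
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def verify_image(image_path, manifest_path):
    """Recompute the hashes and compare with the manifest.
    Returns (ok, problems) where problems lists every field that differs."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    actual = hash_image(image_path)
    problems = [
        "%s: manifest %s != actual %s" % (k, expected[k], actual[k])
        for k in ("size", "md5", "sha256")
        if expected[k] != actual[k]
    ]
    return (not problems, problems)


def demo():
    """Constructed scenario: a small fake image is hashed at acquisition, verified
    intact, then one byte is altered (a stand-in for a copy tampered with in
    transit) and verified again. Returns (intact_ok, tampered_ok, problem_count)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "vm-disk.raw")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed disk image" + b"\xff" * 4096)
        manifest = write_manifest(image, "examiner-placeholder", "constructed example")
        intact_ok, _ = verify_image(image, manifest)
        # Replace a single byte inside the image; size stays identical, hashes do not.
        with open(image, "r+b") as fh:
            fh.seek(4100)
            fh.write(b"X")
        tampered_ok, problems = verify_image(image, manifest)
        return intact_ok, tampered_ok, len(problems)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, 2)
```

The manifest only proves that the bytes verified later are the bytes hashed at acquisition; it says nothing about whether the acquisition itself was done competently or whether other guests on the same host were compromised, which is exactly the gap the post is pointing at. Hashing both MD5 and SHA-256 mirrors what common imaging tools record and lets a verifier cross-check against either value a provider supplies.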