Cloud computing forensics techniques for evidence acquisition

Planning for digital forensics in cloud computing can be a challenge for security teams. Until recently, few tools were available to help analysts inspect systems and acquire information for cloud computing forensics investigations.

When considering digital evidence acquisition and analysis, analysts usually seek to obtain the following data:

Network packets for traffic analysis.
Workload memory.
Workload disk volumes.
Logs and event data from workloads and cloud environments.

Cloud forensics evidence acquisition and analysis have gotten easier over time. But a major challenge remains: Concerns about cloud forensics investigations often focus more on, “Will the evidence hold up in court?” instead of, “Can we do something about these findings?”
By learning more about cloud forensics techniques and tools to enable or automate investigations, security teams are better equipped to address this challenge.

Cloud forensics evidence collection techniques
The digital forensics techniques and tools used depend on where security analysts collect evidence from, including workloads, containers and other areas on the network.

Cloud workload collection
Evidence collection for cloud workloads differs based on the types of workloads in use. Capturing disk in a running instance is similar to performing disk capture in virtual environments internally. This is because major IaaS providers enable customers to perform a snapshot capture of a VM workload. Analysts can convert the snapshot to a live analysis volume and attach it to a forensics workstation in the cloud or on premises. In most cloud environments, customers can capture IaaS OS and data drives directly from the management portal.
Capturing memory in a shared environment requires a method of capture on a per-instance basis. To acquire running memory of instances, security teams need separate tools, whether remote or local. A variety of tools are available for this purpose. For example, Acquire Volatile Memory for Linux, or AVML, from Microsoft is a free, open source utility that captures memory from traditional workload instances. WinPmem and Linpmem, which are specific to Windows and Linux, respectively, are other examples of free workload capture tools.
Hibernating a workload is another method for creating a memory capture on the local disk volume in some cloud environments, such as AWS. In Google Cloud, security teams can generate a RAM disk for in-memory data. Many third-party, agent-based tools have been adapted to work in cloud environments, which might be more suitable for large enterprises.
Container forensics collection
Forensics in container-based environments is somewhat different. For container environments where the organization controls the underlying runtime engine, tools such as Docker Forensics Toolkit and Docker Explorer, can help evaluate the shared union file system with individual container logs and container history.
For cloud container infrastructure, such as Amazon Elastic Kubernetes Service, Azure Kubernetes Service and Google Kubernetes Engine, a new feature in Kubernetes known as the Kubelet Checkpoint API enables analysts to make a copy or a running container image for offline analysis. Note, this capability might not be available in all PaaS models currently.
Serverless functions should largely rely on logs and actual code versions for evidence because there usually isn’t much else to collect.
Network forensics collection
Network forensics is made possible in most cloud environments with emerging network traffic mirroring and packet capture capabilities. Teams can use flow log data to build network traffic behavioral models.
Additionally, any client can use Virtual Private Cloud Traffic Mirroring in AWS and Google Cloud Packet Mirroring. These services enable the client to automatically copy traffic to a network intrusion detection system or storage location for forensics analysis. Microsoft does not currently offer a packet replication system at the network level in Azure, but the Network Watcher service can copy traffic to a selected destination by installing agents on any VMs teams want to copy traffic from.
Network detection and response tools are also widely available for leading cloud provider environments.

How to document cloud computing forensics investigations
Organizations need to enable write-once storage that is owned and controlled solely by the forensics and incident response teams. Ensure the identity and access management policy is documented and a least privilege access model is in place.
Log evidence acquisition and evidence storage location activities extensively. Do this with storage logging, as well as general cloud control plane logging with tools such as AWS CloudTrail, Azure Monitor and Cloud Logging in Google Cloud.
Building a comprehensive cloud computing forensics program requires analysts to send logs to a storage environment that supports integrity monitoring, if possible.

How to automate cloud forensics investigations
Automation has become another major focus area for cloud computing forensics and incident response. Consider the following activities as potential opportunities to implement automation:

Assess the environment — continuously. Use cloud-native tools, such as AWS Config, Amazon GuardDuty, Azure Security Center and Google Cloud Security Command Center, to evaluate resources for security conditions, where possible.
Locate and tag suspect assets. Any number of network traffic patterns or events in a cloud environment could indicate suspicious or malicious behavior. One of the most effective ways to label suspicious assets is by automatically assigning metadata tags to assets behaving unusually. This enables organizations to track them and respond more effectively.
Perform evidence acquisition. Automated processes can be initiated to acquire evidence, such as memory and disk, as well as local processes or indicators of compromise. Initiate scripts or tools through cloud-compatible methods that produce logs and audit trails to ensure proper monitoring and chain of custody.
Remediation. For any remediation efforts, including quarantine of assets or termination of workloads, automation can help ensure the process is executed immediately and consistently when suspicious behavior is detected.

Cloud service providers are beginning to offer built-in tools and service capabilities to help with automation. For example, AWS offers Automated Forensics Orchestrator for Amazon Elastic Compute Cloud to help teams deploy a completely automated forensics evidence acquisition platform in the cloud.
Equipped with methodologies, security teams can more effectively perform forensics investigations in the cloud. This knowledge — aided by ample third-party and open source tools, new cloud-native features and automation — can add value to enterprise cloud security programs.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.