Cloud Forensics: Collecting data from Cloud network

Cloud computing and digital forensics is constantly infiltration, in the professional belongs to the "cloud forensics", refers to from the cloud infrastructure collection of digital forensics data. For a long time, incident response and digital forensics have been the key parts of computer crime investigation, and with the rapid development of cloud computing, incident response and digital forensics have become more and more challenging.

For a few examples, local evidence includes information gathered from log files, data stored on disk, network traffic, and intrusion markers. The basic difference between local analytics and cloud service analysis is that you can collect and analyze information by simply entering the system using the local computer. However, when it comes to the cloud, the machine cannot physically access it, and only some parts of the computer can be accessed through the Cloud application interface.

In this article, we'll start with a brief description of the cloud, followed by exploring why cloud forensics has become more important than ever before, and exploring the challenges of getting information from different cloud services and deployment models. Finally, we will discuss best practices for establishing a good relationship with cloud service providers to ensure the success of cloud forensics.

Cloud

Explore the different deployments and service patterns of the cloud first. In cloud computing, there are five different deployment models:

Private cloud--in this deployment model, the organization runs its own private cloud with full access. The cloud is behind the firewall, and the organization provides the user with an Access interface that preserves the privacy of the data stored in the cloud at the same time.

Public cloud--in the public cloud model, services are made available to the public through the Internet. The public cloud includes Amazon Web services, Google's computer engine and Microsoft's Azure. In a public cloud, you often use virtualized environments.

Community cloud-organizations can access community cloud services, reducing costs compared to private clouds. Community cloud both internal and external deployments can be managed by the organization as a group or by a third-party provider.

Hybrid cloud--in a hybrid cloud model, services are mixed between private, internal deployment, and public cloud services. This approach helps businesses enjoy the cost benefits of the cloud and does not need to rely entirely on third-party providers.

Distributed cloud-distributed cloud services are dispersed across multiple computers in different locations, but are connected to the same network.

There are three main modes of public cloud computing services, which are commonly used by enterprises at present. Including：

Infrastructure as a service (IaaS), providing the entire infrastructure (such as physical/virtual machines, firewalls, load balancing, and virtual machine management programs)

Platform is a service (PaaS) that provides a platform (such as an operating system, database, and Web server)

Software is a service (SaaS) that the organization can access, and the service provider is responsible for managing the service.

The importance of cloud network forensics

The importance of cloud network forensics cannot be denied. When an attacker attempts to attack a cloud service, forensics can not only be detected, but also help the organization prevent and prevent such attacks from occurring.

When it comes to network forensics, it shows that the attack has occurred and that the organization needs to gather evidence from a bunch of data to determine who the hacker is, how the hacker attacks the service, and what information the hacker gets. Network forensics investigators must carefully examine the data collected-such as file systems, processes, registries, and network traffic-to arrive at this conclusion.

The basic difference of the cloud forensics process is that it limits the data that the network forensics inspector has. Limited data has become the biggest hurdle because investigators must often use virtual images rather than physical machines. A large part of data acquisition must be provided by the cloud provider, and the data may not be required. Fortunately, cloud forensics relies on the same tools as the traditional forensics process. Cloud forensics has developed rapidly in the past few years, so new tools specifically created for cloud forensics may be written in the coming years.

Collecting data from the cloud

The types of information collected vary depending on which cloud service model the enterprise is using. The right table shows what information the organization can obtain when using SaaS, PaaS, IaaS, or local private networks.

Obviously, the organization does not have access to the same information in the cloud compared to performing forensic analysis on the local computer in the cloud Network forensics analysis.

Cloud data collection: Working with service providers

To narrow the gap, companies must work with cloud providers to obtain information for analysis, including application logs, database logs, or blogs. Maintaining continuous, open communication and establishing good relationships with cloud providers is necessary to obtain information that is important to success audits and data analysis.

Unfortunately, many cloud providers do not care about their customers ' inquiries and are extremely uncomfortable. Either they have an intelligent, and/or security Response team to assist in collecting the data needed for the forensics investigation. In some cases, cloud providers may even pass incorrect information that is not available in court. This may seem far-fetched, but for a cloud provider it is difficult to locate and provide the right information, dwarfed by the complexity of the enterprise environment compared to the complexity of the cloud provider environment. Typically, the organization's data is located in multiple data centers around the world, and no one really knows where. What's more, these data are not stored separately from other organizations, so it is difficult for the provider to determine which logs belong to which enterprise.

It is important to be careful when choosing a cloud provider. Different cloud providers, the competitiveness is also different, the Enterprise Cloud Network survey, may achieve great success, may also be a complete failure.

When evaluating a cloud service provider, an enterprise cannot blindly believe what the cloud service provider says. If the provider says that cloud services are secure, the enterprise should ask the provider what tests were done on the infrastructure and how it was tested. Businesses should also ask where the data is and who has access to it. When security vulnerabilities occur, an important criterion is to work with the IT department. We know that a forensic examiner must work closely with the cloud service provider to get the information needed for the vulnerability-which is a great advantage if the provider has its own security team.

With the rapid development of cloud and cloud services, cloud Network forensics becomes more and more important. It is vital that organizations carefully read all the terms before establishing a contract and adopting a cloud service to ensure that the organization's service provider does not affect the Organization's efficiency and success when it has to conduct a cloud-computing survey one day.