(13) Cloud, Container, and Virtual Forensics Flashcards
How do Cloud and other virtual forensics differ from other types of investigations?
Compared to other types of investigations, with cloud providers the contract with the provider needs to be taken into account.
In addition, legal recourse with the vendor needs to be considered.
Consider what data the company needs and whether it is available through methods that you or your organization control.
The vendor will need to be worked with if the data is not under the company's control.
Describe the procedural differences in virtual forensics vs traditional
With virtual forensics, it is less complex because virtual machines can be copied over to the forensics environment without the need for physical cataloguing of computer components, etc.
Also consider how to respond if the virtualization platform itself is being attacked.
Also remember to think about the separation of virtual machines in the virtualized environment compared to the apps running under the containerization engine.
What considerations need to be made when it comes to containerized technology in terms of filesystems and internal logs?
In terms of internal logs and filesystem artifacts, they are temporary for the most part. Containers communicate over software-defined networks that change all the time.
They are brought online, taken offline, moved, their security settings change, etc.
The data that is to be captured needs to be carefully considered as well as the methods to capture said data.
What are the first three steps of Forensics procedures?
The first three steps are
- Decide what it is you are trying to find out
- Outline where on the system the types of data that would help answer the questions from the step above are located.
- Document the plan and review it again.
What are the remaining 4 steps of Forensics procedures?
- Get the evidence and preserve it.
- Analyze the data and document everything you do, what you discover, and the questions that you need to answer.
- Use the original analysis to guide where you go next, review where the original analysis leads, and look for the answers to any questions you have formed.
- Report what you found to the powers that be.
What is the order of volatility?
The order of volatility is as follows:
- CPU cache, registers, RAM
- Traffic on the network
- Disk drives
- Backups, optical media, and printouts
What do you need to do if you discover something outside the scope of the investigation?
You need to report it to the proper authorities whatever it is, be it something illegal down to a violation of a minor company policy.
How does a legal hold typically happen?
A legal hold typically happens when the org's lawyers get notice from another company's lawyers.
It could identify specific information or simply provide info about the litigation involving names, dates, or other details that can help identify which data to preserve.
If data is requested that the company is about to destroy as part of its normal schedule, then IT needs to have procedures in place to preserve that data.
Describe data integrity during an investigation
During an investigation, data integrity is very important. Forensic duplication cannot change the source drive or device, so write blockers need to be used.
Multiple copies of the data need to be kept as well, and the original drive needs to be retained as evidence.
What Linux Utility is commonly used to clone drives?
The Linux dd utility is often used. It clones a drive in raw (bit-by-bit) format, and it provides a number of useful operands that help make sure the imaging is done quickly and correctly.
How is block size set in dd?
In dd, block size is set with the bs operand and is defined in bytes. By default dd uses a 512-byte block size, which is smaller than the block size of most modern disks. Use a larger block size with an operand such as bs=64k.
What does the if operand do in dd?
The if operand sets the input file.
What does the of operand do in dd?
The of operand sets the output file.
What is very critical to remember with dd?
With dd, it is critical to remember to verify the input and output locations for the dd command; this is where write blockers can save the day!
Describe the criticality of the chain of custody process.
The importance of chain of custody cannot be overstated; you must have a full record of what happened with the data, when it occurred, and when devices were transferred, handled, accessed, etc.
A third party may need to be in the room to validate the claims made.