Covering Your Tracks - Anti-forensics for the Cloud - Introduction


Before delving into cloud forensics there are some concepts that need to be explained. The cloud consisted of two entities, provider (companies that host cloud technologies) and tenants (companies that use cloud technologies from the providers). The cloud generally consists of three service models: 

  1. Infrastructure-as-a-Service (IaaS) where the provider provides the hardware and network.
  2. Platform-as-a-Service (PaaS) where the provider provides all the components to a tenant's application.
  3. Software-as-a-Service (SaaS) where the provider supplies the software and the components to run it and the tenant uses and at most configures the application.

Chris Brenton gives a great overview of the cloud and the challenges it poses in the link below:
https://www.sans.org/blog/pen-testing-in-the-cloud/
Surprisingly there is not a lot of coverage out on the web for cloud forensics and this makes sense. Cloud forensics analysts, especially for tenants, may be somewhat limited on access. In example, if a forensic analyst is hired by a tenant, its not likely that the forensic analyst will be able to go to the cloud provider and have access to their servers; at least not without a court order or the provider’s approval. This requires forensic analysts to become familiar with the cloud vendor and to be creative. A great place to start an investigation is to look at the logs the virtual machine.
For Ubuntu Server, the logs may be found in the path /var/log directory as shown below:












Figure 1
On AWS Ubuntu Server instance nano is installed and the grep command may be used to search for ssh connections. The image below is very peculiar (I did not generate these connections myself; someone is trying to brute force log into my ip). The auth.log in the image below shows sshd Authorization Logins which appears to contain many invalid attempts:


















Figure 2
A great article for learning more about ubuntu logs can be found below. Using grep and nano, a forensic investigator can check many logs such as the apache web server logs and see the activity for the virtual machine:
https://help.ubuntu.com/community/LinuxLogFiles
For windows it is the same concept except with event viewer. A quick Google search on Microsoft’s technet forums and discussion will get you up to speed on how search the Microsoft’s logs for unauthorized connections. In AWS’s case (as I’m sure it is with other cloud vendors) log sources such as CloudTrail, CloudWatch, the Resource Config Logs, and Data/Object Access Logs can also be set up and the links below are a good resource on how to do this:
SANS DFIR AWS Forensics Overview: https://www.youtube.com/watch?v=VLIFasM8VbY
AWS S3 Logging: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
The anti-forensics techniques of deleting the auth.log or .bash_history or copying the files and then replacing them and modifying them with the touch command can be done in this case. On my ubuntu server this does not appear to have been done which tells me that there has not been a successful log in attempt (I also verified this in auth.log). While leveraging your virtual machine’s and cloud provider’s logging capabilities, this is not the only thing that can be done.
A lot of cloud providers allow for snapshots to be taken and this can be great for acquisitioning evidence. According to Hartman, AWS allows EBS volume snapshots to be encrypted to prevent sensitive data from being leaked. It is also possible to provision a forensic workstation on AWS. Hartman provided the following steps in his paper (Hartman, 2018, pp. 7-8):
  1. Log into AWS.
  2. Launch an EC2 instance of Ubuntu Server 16.04
  3. Choose a instance type of t2.large or larger.
  4. Create a security group and configure it so the only ingress rule is to allow SSH from external IP addresses. Egress rule should be left as default.
  5. Choose an SSH key by either generating it or using an existing one.
  6. SSH into the instance with the appropriate key.
  7. Run the following commands:
    wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux
  8. Move and rename the SIFT Install tool:
    sudo mv sift-cli-linux/usr/local/bin/sift
  9. Set proper permissions:
    sudo chmod 755 /usr/local/bin/sift
    sudo sift install

Once the SIFT workstation is installed evidence may be mounted to it. This allows for forensic analysts to acquire evidence they need for an investigation without having direct access to the cloud vendor’s servers.
The same anti-forensic techniques discussed in the previous blogs can be applied the same to the cloud. In this scenario, it is the forensic analysts who are at somewhat at a disadvantage when doing forensics on the cloud, however, the references below should make a forensic analyst’s life easier. Cloud forensics is a vast topic and deserves its own book (which could probably be found on the internet) so keep researching and happy hacking! 
References
Amazon Web Services. (2020). Amazon S3 Server Access Logging [software]. Retrieved from
            https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Brenton, C. (2012, July 5). Pen Testing in the Cloud. Retrieved from
            https://pen-testing.sans.org/blog/2012/07/05/pen-testing-in-the-cloud
Hartman, K. (2018, January). Digital Forensic Analysis of Amazon Linux EC2 Instances.
Retrieved from https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235
Poling, J. (2017, September 20). Incident Response in the Cloud (AWS) – SANS Digital
            Forensics & Incident Response Summit 2017 [Video file]. Retrieved from
            https://www.youtube.com/watch?v=VLIFasM8VbY

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks

The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker. All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are ...
Read more

LDAP Vulnerabilities

Image
Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Web for Penetration Testers Example 1 Lightweight Directory Access Protocol (LDAP) can be thought of as a hierarchical directory structure. Using the live iso of Web for Pentester 1 lab we can find that Open LDAP service is running by running performing a nmap scan from our kali box (attacking machine): Figure 1 Using the ldapsearch command with the -b (base dn [top of hierarchy in this case]) -LLL (print responses in LDIF format without comments or version) and -x (simple authentication) flags (-h specifies the host) from our kali box (see Figure 2), we see that there are three common names (cn) entries: admin, ...
Read more

Setting Up a Proxy to Protect Your Public IP (An Introduction to Proxies)

Image
I recently purchased a static IP address. While this is great for setting up VPNs, websites, and other major benefits it bothered me that I normally visit CTFs and sites that contain malicious code to accomplish these CTF challenges. There had to be a way I could better protect my public IP from direct exposure in the event I did something stupid while surfing the web. This is where a proxies come into play. A proxy is exactly the same thing meant in the English language; think if computer A who set up the proxy wants to talk to computer C. An intermediary could be introduced (Proxy Server B) so that when computer C talks to computer A it has to go through Proxy Server B. Thus Computer C thinks its talking to Proxy Server B and only sees that IP address; when in reality all traffic is getting forwarded to computer A and vise versa. This creates a layer of abstraction. There are many types of proxies such as reverse proxies which is used mainly for public facing web sites. We are strict...
Read more