Posts

Showing posts with the label cloud-forensic-utils

Forensic Disk Copies in Azure

In a previous blog post, we presented how libcloudforensics facilitates digital forensics investigation in the cloud, in particular we focused on disk copy functionality in Google Cloud Platform (GCP) and Amazon Web Services (AWS). We recently added support for Microsoft Azure. In this post we show how the library can be used to respond to incidents occurring on Azure, and present solutions to the main challenges we faced while adding support for this cloud provider.

Architecture

Azure's architecture is pretty straightforward: each account has a set of "subscriptions", within which resources can be organized by "resource groups". Resource groups can contain any valid Microsoft Azure resource, be it a Compute resource (e.g. a virtual machine) or another kind of resource (e.g. a Network resource such as a network interface).

Snapshotting disks in the cloud

The following code snippets give examples of forensic acquisition within the Azure environment using the libcloudforensics API. Not...

Libcloudforensics and Cloud Logs

In an earlier blog post we introduced Libcloudforensics, a multi-cloud forensic library that can be used to make disk copies and set up virtual machines on GCP and AWS for analysis. We have now added functionality that allows you to query logs from AWS and GCP to aid in your investigations. This blog post describes how to do that, using the library and accompanying CLI tool.

Cloud logging

Cloud logs are one of the relevant artefacts when investigating cloud incidents. Cloud logs not only provide you with a central place to query your virtual machines' logs but also provide audit logs of every (administrative) action taken in the cloud management environment. A full set of cloud management and resource logs can quickly show you a timeline of:

the actor's activity in the actual cloud resources, for example, when an actor started a cronjob in a virtual machine.

the cloud project activities, for example, where an actor creates 15 extra virtual machines or adds an admin scoped cloud ...

Forensic Disk Copies in GCP & AWS

In a previous blog post, we briefly presented how libcloudforensics facilitates digital forensics investigation in the cloud. We recently added support for Amazon Web Services (AWS). In this blog post we will highlight solutions to the main challenges we faced while adding support for this cloud provider.

Architecture and nomenclature

One of the biggest differences between GCP and AWS lies in the way different cloud resources are structured. In GCP, a single account may work with multiple projects, with each project providing its own grouping of resources. These projects may in turn be grouped together within folders that all fall under a single organization. Identity and Access Management (IAM) policies can be applied at each of these levels: organization-wide, folder-wide, or project-wide. IAM policies can also be set individually for resources within a project. In AWS, things are different. There are no "projects". Instead, AWS recommends setting up multiple accounts for each team...