May 282013
 
 Posted by at 12:27 am
Apr 082013
 

The Digital Forensic Investigation Research Laboratory conducts a lot of research on Cloud environments. However, Cloud environments can sometimes be cumbersome to create and configure, taking time away from testing and research. In order to streamline this process, DigitalFIRE has created a virtualised Cloud environment for Cloud security and investigation researchers. By virtualising Cloud components, this allows researchers to delete, change, prod and generally abuse the Cloud as much as they like while allowing the system to be easily reset. A description of the system as well as information about downloading and using the environment can be found below.

“OpenStack is an Infrastructure as a Service (IaaS) cloud computing project that is free open source software released under the terms of the Apache License” – Wikipedia

The Openstack project provides us with a cloud computing system. It’s an open source project, which is perfect for the more under-the-hood inclined user. If you are looking to work with Openstack, ready your hardware (you’ll need a few spare machines), head over to openstack.org, download and install it.

139 pages of install documentation later, if you managed to follow the instructions precisely, you’ll have an Openstack system.

This is where our research might help you. We’ve created a minimal Openstack system as an OVA (VirtualBox) virtual appliance. Currently, our appliance has two virtual machines “node1” and “node2”, a very minimal Openstack system, but it provides the required Openstack functionality for testing and research purposes.

What is provided in this Openstack installation?

nova http://100.10.10.110:8774/v2/949c06f05b9347928c22b7f87c5f6c90
glance http://100.10.10.110:9292/v1
volume http://100.10.10.110:8776/v1/949c06f05b9347928c22b7f87c5f6c90
ec2 http://100.10.10.110:8773/services/Cloud
swift http://100.10.10.111:8888/v1/AUTH_949c06f05b9347928c22b7f87c5f6c90
keystone http://100.10.10.110:5000/v2.0

 

Swift runs on node2 (100.10.10.111) and the rest of the Openstack services are running on node1 (100.10.10.110). To get you up and running quicker, we’ve added a CirrOS tiny cloud guest image so you can spin up VMs immediately after you install our appliance.

How do I use it?

  1. Download the DigitalFire Openstack OVA appliance. (1GB OVA file)
  2. Install Virtualbox on your OS. http://www.virtualbox.org/manual/ch01.html#intro-installing
  3. Make sure a host only network (ip: 100.10.10.1, DHCP off) exists. More info at http://www.virtualbox.org/manual/ch06.html#network_hostonly
  4. Import the appliance into your hypervisor. (Using Virtualbox, File->Import Appliance). Visit http://www.virtualbox.org/manual/ch01.html for more detailed instructions.
  5. Start the VMs node1 and node2.
  6. Wait about 30 seconds for the nodes to come up.

You now have a working Openstack system. Access the dashboard via your browser at http://100.10.10.110/horizon to begin using your cloud.

Installing Openstack from scratch is quite informative and gives you a good overview of the inner workings, however our appliance will allow you to get started with Openstack very quickly.

Installing a new image for use in Openstack

We’ve added a CirrOS image (very small linux) to our virtual Openstack system. However, If you want to add a new VM image to your Openstack you can. Just follow the steps below:

1. Download an image (quantal-server-cloudimg-i386-disk1.img from http://uec-images.ubuntu.com/ for example).

2. SSH into node1:

Set up our credentials for keystone, on a terminal in root’s home directory:

$ source openrc

Add our new image to Glance, using the Glance CLI:

$ glance image-create –name=ubuntu –disk-format=qcow2 –container-format=bare  < /home/root/quantal-server-cloudimg-i386-disk1.img

3. On Dashboard:

Create a keypair. (Project Tab -> Access & Security -> Keypairs -> Create Keypair)

Your new instance based on the new image with keypair is ready for use.(download .pem file)

In Windows you might want to puttygen -> load .pem -> save private key -> .ppk file

SSH to the new instance (with the .ppk file as auth)

Notes:

Make sure you have a Host-Only VNIC installed on your host system with the following configuration:

IPv4 address: 100.10.10.1 (the last octet is changable, but make sure to leave 100-200 of the last octet available to the openstack system as floating ip address, node addresses etc)

The virtual machines have a NAT connection to the host system, allowing for a guest VM internet connection. You can remove these from the virtual machines if you wish.  They are adapter 2 on each virtual machine.

This Openstack installation is configured for openness and ease of use, many network ports are open, security groups are quite relaxed and all the passwords are very weak. Bottom line, the installation is geared for testing/research purposes.

You’ll need at least 4GB of RAM (more would be a lot better) and a CPU supporting VT-x  in your host system.

Credentials (username/password):

  • Dashboard Admin (admin/password)
  • Dashboard Demo user (lee/lee)
  • Node1 login (100.10.10.110) (root/lee)
  • Mysql server on Node1 (root/root)
  • Node2 login (100.10.10.111) (root/lee)
  • Cirros image (cirros/cubswin:))

UPDATE: The latest version of Virtualbox has broken OVA importing. A (horrible) workaround is to import the OVA in an older version of Virtualbox and then upgrade!

Mar 192013
 

Earlier this year, researchers from the Digital Forensic Investigation Research Group had a chapter published in the book “Cybercrime and Cloud Forensics: Applications for Investigation Processes“.  There were contributions from authors discussing practical as well as theoretical aspects of digital crime, investigation, side channel attacks, law, international cooperation, and the future of crime and Cloud computing environments.

Lock KeyDigitalFIRE specifically focused on how Cloud computing is likely to affect current digital forensic investigators. Instead of assuming that Cloud environments will completely revolutionize the way crime and digital investigations are conducted, we assessed Cloud environments in terms of current digital investigation models. Indeed, new challenges to investigations were found to exist when considering Cloud service models, but many of these challenges stem from increased connectivity and less control. In terms of technology, some challenges exist in Cloud environments that were previously not as common; however, Cloud environments also potentially bring a number of benefits for digital investigators that may ultimately make some types of investigations on Cloud environments easier than on stand-alone systems.

Our chapter aims to be a high-level introduction into the fundamental concepts of both digital forensic investigations and cloud computing for non-experts in one or both areas. Once fundamental concepts are established, we begin to examine Cloud computing security-related questions; specifically how past security challenges are inherited or solved by cloud computing models, as well as new security challenges that are unique to Cloud environments. Next, an analysis is given of the challenges and opportunities Cloud computing brings to digital forensic investigations. Finally, the Integrated Digital Investigation Process model is used as a guide to illustrate considerations and challenges during an investigation involving cloud environments.

James JI, Shosha AF, Gladyshev P. (2013). Digital Forensic Investigation and Cloud Computing. In K. Ruan (Ed.), Cybercrime and Cloud Forensics: Applications for Investigation Processes (pp. 1-41). Hershey, PA: IGI Global. doi:10.4018/978-1-4666-2662-1.ch001 [LINK][PDF]

Oct 032012
 

Last week Joshua and I gave invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012

Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges faced by digital forensic practitioners. The second part of the talk explored investigative difficulties posed by cloud computing. A possible approach to dealing with some of these difficulties based on the I-STRIDE model was outlined.