Cloud Forensics


CLOUD FORENSICS

REPORT AND SCENARIO PRESENTATION


BY:
GROUP 7
INTRODUCTION
• Cloud operates in three service models, i.e. IaaS, PaaS and SaaS.
• Cloud forensics is a subset of network forensics that follows the main
phases of network forensics, with techniques tailored to the cloud computing
environment.
• We leveraged the IaaS model in our project by using machines in a
virtual environment.
• The machines include an Apache web server with a MySQL database, and a
file server.
ATTACK SCENARIO
• We simulated an attack on both machines using common attacks, namely:
 SQL injection attack: exploits unsanitized user input in the web server
 DDoS attack: used nping to flood the file server in order to deny service to
legitimate requests
EVIDENCE IDENTIFICATION
• In order to obtain evidence for forensic analysis:
 The web server and the file server were configured to log access and query
history,
 Snort was installed on both the web server and the file server, and
 Wireshark was deployed on the host OS to monitor network traffic.
• Snort captured the SQL injection attack and generated alerts from the
appropriate rules.
• Wireshark also captured the packets that formed the DDoS attack.
EVIDENCE IDENTIFICATION CONT’
• Below are the Snort alert and MySQL query logs

• A snippet of captured packets by Wireshark


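The two evidence sources above (Snort alerts on the web server and the web server's own access log) only become convincing when they corroborate each other. The following is an added example, not the group's code, showing how an investigator can parse Snort's fast-format alert output and Apache combined-format access log lines, then correlate them by source address and a small time window. Both log samples are constructed by hand to resemble what the project's machines would produce; the rule SID, addresses and timestamps are invented, and because Snort's fast format omits the year, the caller supplies it.

```python
"""Correlate Snort fast-format alerts with Apache access-log entries.

Added example, not the project's own code. The two log samples below are
constructed to look like the project's setup (Snort on the Apache web
server); nothing here was captured from a real system.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import unquote

# Constructed Snort "fast" alerts. SID 1000001 is an invented local-rule id.
SNORT_FAST_ALERTS = """\
05/12-14:03:21.112233  [**] [1:1000001:1] LOCAL SQL injection attempt in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.10:80
05/12-14:03:24.556677  [**] [1:1000001:1] LOCAL SQL injection attempt in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51240 -> 10.0.0.10:80
"""

# Constructed Apache combined-format access log for the same window.
APACHE_ACCESS_LOG = """\
10.0.0.5 - - [12/May/2024:14:03:21 +0000] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2024:14:03:22 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:14:03:24 +0000] "GET /login.php?user=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

_SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
_APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Defensive heuristic only: fragments that commonly appear in injection attempts.
_SQLI_RE = re.compile(r"(?i)('\s*or\s*'?\d|union\s+select|;\s*drop\b|--\s*$)")


def parse_snort_fast(text: str, year: int) -> List[Dict]:
    """Parse fast-format alert lines; the year is not in the format, so pass it in."""
    alerts = []
    for line in text.splitlines():
        m = _SNORT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['hms']}",
                               "%Y/%m/%d %H:%M:%S")
        alerts.append({"time": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def parse_apache(text: str) -> List[Dict]:
    """Parse combined-format lines, normalising timestamps to naive UTC."""
    entries = []
    for line in text.splitlines():
        m = _APACHE_RE.match(line)
        if not m:
            continue
        ts = (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
              .astimezone(timezone.utc).replace(tzinfo=None))
        entries.append({"time": ts, "ip": m["ip"], "method": m["method"],
                        "path": unquote(m["path"]), "status": int(m["status"])})
    return entries


def looks_like_sqli(path: str) -> bool:
    """True when the decoded request path contains a typical injection fragment."""
    return _SQLI_RE.search(path) is not None


def correlate(alerts: List[Dict], requests: List[Dict], window_seconds: int = 2) -> List[Dict]:
    """For each IDS alert, list web requests from the same source within the window.

    sqli_pattern tells the analyst whether the access log independently
    supports the alert, or whether the IDS may have fired on a benign request.
    """
    hits = []
    for a in alerts:
        for r in requests:
            if r["ip"] != a["src"]:
                continue
            if abs((r["time"] - a["time"]).total_seconds()) <= window_seconds:
                hits.append({"alert": a["msg"], "sid": a["sid"], "src": a["src"],
                             "time": r["time"].isoformat(),
                             "request": f"{r['method']} {r['path']}",
                             "sqli_pattern": looks_like_sqli(r["path"])})
    return hits


if __name__ == "__main__":
    alerts = parse_snort_fast(SNORT_FAST_ALERTS, year=2024)
    requests = parse_apache(APACHE_ACCESS_LOG)
    for hit in correlate(alerts, requests):
        print(hit)
```

In the constructed data the second Snort alert lines up with a request whose decoded path carries no injection fragment, which is exactly the kind of discrepancy an investigator should note: the IDS alert and the application log are separate pieces of evidence and each should be checked against the other before drawing a conclusion.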
CONCLUSION
• This scenario shows that evidence from three resources could help investigators.
This evidence comes from:
 IDS and application software logging,
 Cloud service API calls, and
 System calls from VMs.
• In order to acquire this evidence, a forensics-enabled cloud should have three
extensions which can:
 Store and secure API call logs, firewall logs and snapshots of running instances,
 Retrieve IDS and software service logging, and
 Obtain system calls when the evidence from the above is missing.
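The first extension above must not only store API call logs but secure them, so that an investigator can show the log was not altered after collection. One common way to do that is a hash chain: each stored record carries the hash of the previous record, so editing, inserting or deleting any entry breaks every hash that follows. The block below is an added example, not the group's code, with constructed sample records that imitate cloud API call events; the action names and identities are invented.

```python
"""Tamper-evident storage for API call logs using a SHA-256 hash chain.

Added example, not the project's own code. The sample records are
constructed and the field names are an assumption about what a cloud
control plane might log.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON so that the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(chain: List[Dict[str, Any]], record: Dict[str, Any]) -> Dict[str, Any]:
    """Append one log record, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Recompute every link; return (ok, index of the first broken entry or -1)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:
            return False, i
        if _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed API call events, in the style of an IaaS control-plane audit log."""
    events = [
        {"ts": "2024-05-12T14:00:01Z", "principal": "tenant-a/admin", "action": "CreateInstance", "target": "vm-web-01"},
        {"ts": "2024-05-12T14:00:09Z", "principal": "tenant-a/admin", "action": "AttachVolume", "target": "vm-web-01"},
        {"ts": "2024-05-12T14:03:30Z", "principal": "tenant-a/admin", "action": "CreateSnapshot", "target": "vm-web-01"},
    ]
    chain: List[Dict[str, Any]] = []
    for event in events:
        append_record(chain, event)
    return chain


def tampered_copy(chain: List[Dict[str, Any]], index: int, **changes: Any) -> List[Dict[str, Any]]:
    """Return a deep copy with one record's fields edited, to show detection."""
    altered = copy.deepcopy(chain)
    altered[index]["record"].update(changes)
    return altered


def deleted_copy(chain: List[Dict[str, Any]], index: int) -> List[Dict[str, Any]]:
    """Return a deep copy with one entry removed, to show detection."""
    altered = copy.deepcopy(chain)
    del altered[index]
    return altered


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log))
    print("edited:", verify_chain(tampered_copy(log, 1, action="DetachVolume")))
    print("deleted:", verify_chain(deleted_copy(log, 1)))
```

The chain only proves integrity relative to its head hash, so in practice the latest hash is exported to a store the tenant cannot write to (or signed by the provider) at regular intervals; the chain then shows that nothing between two exported heads was changed.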
