CLOUD FORENSICS WITH F-RESPONSE
Leveraging F-Response, X-Ways, and USB-OverEthernet to provide Incident Response and Forensics Services on Cloud Hosted Servers
F-Response is a Registered Trademark of Agile Risk Management LLC. For more information on F-Response, or on any part of the solution presented in this paper, please contact us on the web at www.f-response.com.
8/19/2013
PROVIDING CLOUD FORENSICS VIA F-RESPONSE
TABLE OF CONTENTS
Challenge
Solution
Prerequisites
Example
    Create the Cloud Server
    Deploy tools to the Cloud Server
    Connect to multiple Forensic Dongles with USB Over Ethernet
    Configure F-Response Networking
    Configure Target Cloud Server(s) Firewalls to allow Examiner access
    Install/Start F-Response on one or more Cloud Servers
    Perform analysis on one or more F-Response connected cloud servers
Legal Notices
CHALLENGE
When it comes to performing Incident Response or Computer Forensics Services on Cloud Servers, the traditional forensic collection and acquisition model is clearly unsuitable. Simply put, powering down and detaching the hard drive is just not viable with Cloud Servers. Why? Primarily because Cloud Servers aren't really physical servers; they are typically virtual servers allocated on demand[1] using one of a dozen or more hypervisor technologies. Secondly, the hardware these servers run on is typically shared by a number of customers, many of which would undoubtedly balk at the request to power down their server(s) and remove their shared disk resources.

[1] A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. (http://en.wikipedia.org/wiki/Hypervisor)
SOLUTION
Using existing software technologies and a single Cloud Server it is possible to deliver a complete onsite solution to virtually any cloud hosted server, anywhere in the world, on demand, and with minimal preparation.

[Figure: Remote Analyst using RDP and USB-Over-Ethernet/RDP -> Dedicated Forensic/IR Cloud Server running F-Response and X-Ways -> N+ Cloud Servers with Internal Cloud Network Access, all within the Cloud Server Provider]
The solution hinges on being able to leverage USB forwarding technology to shift your existing dongle based software licenses to a remote virtual machine running within the Cloud environment. In order to accomplish this we recommend using KernelPro’s USB-Over-Ethernet (“USBoE”) software product. USBoE allows remote examiners (aka consultants) to forward their physical software license dongles to the Dedicated Forensic/IR Cloud Server hosted at the Cloud provider. Once connected to the dedicated server the remote examiner can then deploy F-Response to one or more remote targets, and begin leveraging one or more remotely installed computer forensics, e-Discovery, or incident response applications. Additional storage may be configured through the individual cloud provider to handle collection needs, etc.
PREREQUISITES
Software required:

- KernelPro USB-Over-Ethernet (www.usb-over-ethernet.com): USB-Over-Ethernet provides USB device "forwarding" to remote machines. In essence, USB hardware dongles, such as those used by F-Response and other Computer Forensic software manufacturers, can be forwarded to a remote virtual or physical workstation at the client location.

- F-Response Enterprise or Consultant + Covert Edition (www.f-response.com): F-Response Consultant + Covert or Enterprise provide direct, read-only access to remote computers at the client site. Using F-Response you can attach to remote machines from within the client environment and access physical disks, logical volumes, and physical memory in real-time.

- X-Ways Forensics (www.x-ways.com): X-Ways Forensics is an advanced work environment for computer forensic examiners. Highly efficient and well conceived, X-Ways works well with F-Response, and the two products together provide a compelling and cost effective solution.
EXAMPLE
CREATE THE CLOUD SERVER
The following example is presented using Rackspace Cloud Servers; the same process would largely apply to other Cloud Server providers (Amazon Web Services, Azure, HP Public Cloud, etc). The first step is to create a Forensic/IR server within the same region as your target server(s). In this example we created a basic Windows 2008 R2 Server and outfitted it with the minimum resources necessary to perform the basic example. Be sure to note the Administrative password set by the provider; you will need this password to access your machine via RDP.
Rackspace Cloud Servers provides a number of options when deploying a server, be sure to pay close attention to the Region your server will be placed in as there is often no internal network access between regions.
DEPLOY TOOLS TO THE CLOUD SERVER
Once the remote Cloud Server is operational you will need to connect to that server using Remote Desktop and configure it with your Forensic Tools (F-Response, X-Ways, and USB-Over-Ethernet). In many cases the Windows servers are hardened to make it difficult to download files from remote sites, especially if those sites are SSL encrypted (as is the case with F-Response). As such you'll want to confirm that the Security Setting in Internet Explorer (Advanced->Security->Do not save Encrypted pages to Disk) is unchecked.
Many Windows Server configurations have additional controls configured which make it challenging to download files; the above setting must be disabled to allow F-Response to be downloaded. You will want to download and install the following applications:

- USB over Ethernet Client
- F-Response Enterprise
- X-Ways Forensics

Specific details on configuring each individual product are outside the scope of this whitepaper; additional details on configuration and usage can be found on the F-Response Mission Guides and Documentation page on the F-Response Website (www.f-response.com/support/missionguides).
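As an added example (it is not from the whitepaper and not an F-Response tool), the following PowerShell script checks the Internet Explorer setting described above on the examiner Cloud Server and clears it when run with -Fix. It assumes the option is stored as the DWORD value DisableCachingOfSSLPages (1 = checked, 0 = unchecked) under the Internet Settings key, and that a copy of that value under the HKLM Policies hive overrides the per-user setting; the -Fix switch and the function name are this script's own.

```powershell
# Added example, not part of the F-Response whitepaper.
# Reports (and with -Fix clears) the Internet Explorer option
# "Do not save encrypted pages to disk" on the examiner Cloud Server.
# Assumption: the option is the DWORD value DisableCachingOfSSLPages
# (1 = checked, 0 = unchecked) under the Internet Settings key; a copy under
# the HKLM Policies hive overrides the per-user value and has to be changed
# through policy rather than here. Written for PowerShell 2.0 (Server 2008 R2).
param([switch]$Fix)

$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$valueName = 'DisableCachingOfSSLPages'

# Returns the DWORD as an int, or $null when the key or value does not exist.
function Get-SslCacheValue {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return [int]$props.$valueName
}

$policy = Get-SslCacheValue $policyKey
$user   = Get-SslCacheValue $userKey

if ($policy -eq 1) {
    # A policy-enforced value wins; editing HKCU would be silently overridden.
    Write-Warning "'$valueName' is forced to 1 by policy ($policyKey); HTTPS downloads will fail until that policy is relaxed."
} elseif ($user -eq 1) {
    if ($Fix) {
        Set-ItemProperty -Path $userKey -Name $valueName -Value 0 -Type DWord
        Write-Host "Cleared '$valueName' for the current user; restart Internet Explorer before downloading."
    } else {
        Write-Warning "'$valueName' is set to 1 for the current user; re-run with -Fix to clear it."
    }
} else {
    $shown = if ($user -eq $null) { 'not set, default unchecked' } else { $user }
    Write-Host "'Do not save encrypted pages to disk' is unchecked ($shown)."
}
```

Run it once without -Fix in the RDP session before attempting the download; if it reports a policy-enforced value, the change has to be made in the policy object that applies to the server, not in the per-user key.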
CONNECT TO MULTIPLE FORENSIC DONGLES WITH USB OVER ETHERNET
Using the USB Over Ethernet Client and Server we can share out and connect to multiple licensing dongles.
The above screen capture shows connecting to a USB-Over-Ethernet hosted F-Response Enterprise dongle.
CONFIGURE F-RESPONSE NETWORKING
In our example, the newly deployed Cloud Server is configured with both an externally facing IP address and an internally facing IP address. We will be using the internal network interface to interact with other subject computers in the Cloud; as such we will want to configure the F-Response License Manager to bind to the internal network interface.
F-Response License Manager bound to the internal network interface of the examiner cloud server.
CONFIGURE TARGET CLOUD SERVER(S) FIREWALLS TO ALLOW EXAMINER ACCESS
In order to access the target Cloud Server(s) we will make Windows Firewall exceptions to allow for remote access and deployment. The most efficient way to do this is by applying a Firewall rule allowing inbound access to the remote servers from your newly created forensic examiner server.
The above screen capture shows the creation of a custom rule allowing access from the examiner cloud hosted server.
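An added example (not from the whitepaper, and not an F-Response tool): a PowerShell script to run on each target Cloud Server that creates the inbound exception scoped to the examiner server's internal address only, verifies that the rule really is limited to that address, and deletes the rule again with -Remove once the engagement is over. It uses netsh advfirewall because Windows Server 2008 R2, the OS used in the paper, predates the New-NetFirewallRule cmdlet. The default port list (135, 445, 3260 for RPC endpoint mapper, SMB and iSCSI) is an assumption to be checked against the F-Response Mission Guides; the parameter names, rule name and the check on netsh's English output are this script's own.

```powershell
# Added example, not part of the F-Response whitepaper. Run on each TARGET
# Cloud Server (as Administrator) to allow inbound access only from the
# examiner server's internal IP. Uses netsh advfirewall so it works on
# Windows Server 2008 R2; New-NetFirewallRule only exists from Server 2012.
param(
    [Parameter(Mandatory=$true)][string]$ExaminerIP,   # internal IP of the forensic/IR server
    # ASSUMED defaults: RPC endpoint mapper, SMB (remote deployment), iSCSI
    # (F-Response transport). Confirm against the F-Response mission guide.
    [string]$Ports    = '135,445,3260',
    [string]$RuleName = 'FResponse-Examiner-Access',    # no spaces: keeps netsh quoting simple
    [switch]$Remove                                     # delete the rule when the engagement is over
)

# Refuse anything that is not one IPv4 address: the value of this rule is that
# only the examiner server gets in, never "any" or a whole subnet by accident.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($ExaminerIP, [ref]$ip) -or
    $ip.AddressFamily -ne 'InterNetwork') {
    throw "ExaminerIP must be a single IPv4 address, got '$ExaminerIP'"
}

if ($Remove) {
    & netsh advfirewall firewall delete rule name=$RuleName | Out-Null
    Write-Host "Removed rule $RuleName"
    return
}

# Idempotent: drop any earlier copy so re-running does not pile up duplicate rules.
& netsh advfirewall firewall delete rule name=$RuleName | Out-Null
& netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
    protocol=TCP localport=$Ports remoteip=$ExaminerIP profile=any | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule $RuleName" }

# Verify the scope. netsh prints a single host as <ip>/32 (English locale
# assumed); "Any" or a wider range means the rule is not what we intended.
$shown  = & netsh advfirewall firewall show rule name=$RuleName
$remote = ($shown | Where-Object { $_ -match '^RemoteIP:' }) -replace '^RemoteIP:\s*', ''
if ($remote -match ('^' + [regex]::Escape($ExaminerIP) + '(/32)?$')) {
    Write-Host "Rule $RuleName allows TCP $Ports inbound from $ExaminerIP only."
} else {
    throw "Rule $RuleName is not scoped to the examiner server (RemoteIP = '$remote'); remove it and investigate."
}
```

Usage, with a placeholder address: .\Allow-Examiner.ps1 -ExaminerIP 10.0.0.10 on each target, and .\Allow-Examiner.ps1 -ExaminerIP 10.0.0.10 -Remove when the analysis is finished, so the exception does not outlive the engagement.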
INSTALL/START F-RESPONSE ON ONE OR MORE CLOUD SERVERS
The following represents abbreviated steps from our F-Response Enterprise Mission Guides. You will find more detailed steps for different operating systems and configurations on the F-Response website (www.f-response.com/support/missionguides). Using the supplied credentials for the remote server(s) we install/start F-Response on one or more Cloud Servers, then select one or more F-Response Targets and Login.
The above screen capture shows an F-Response attached remote machine “disk-0” attached to our examiner hosted forensic server as PhysicalDrive2.
PERFORM ANALYSIS ON ONE OR MORE F-RESPONSE CONNECTED CLOUD SERVERS
Using X-Ways Forensics it's now possible to perform imaging or analysis on the data residing on one or more subject Cloud Servers.
The above screen capture shows X-Ways Forensics performing analysis live on the newly attached PhysicalDrive2.
LEGAL NOTICES
Copyright
Copyright © 2013 Agile Risk Management, LLC. All rights reserved. This document is protected by copyright with all rights reserved.

Trademarks
F-Response is a trademark of Agile Risk Management, LLC. All other product names or logos mentioned herein are used for identification purposes only, and are the trademarks of their respective owners.

Statement of Rights
Agile Risk Management, LLC products incorporate technology that is protected by U.S. patent and other intellectual property (IP) rights owned by Agile Risk Management LLC, and other rights owners.

Disclaimer
While Agile Risk Management LLC has committed its best efforts to providing accurate information in this document, we assume no responsibility for any inaccuracies that may be contained herein, and we reserve the right to make changes to this document without notice.