Cloud Forensics Demystified : Decoding Cloud Investigation Complexities for Digital Forensic Professionals / Ganesh Ramakrishnan and Mansoor Haqanee.

Format:

Book

Author/Creator:

Ramakrishnan, Ganesh, author.

Haqanee, Mansoor, author.

Language:

English

Subjects (All):

Computer crimes--Investigation.

Computer crimes.

Forensic sciences--Data processing.

Forensic sciences.

Cloud computing.

Information storage and retrieval systems.

Physical Description:

1 online resource (384 pages)

Edition:

First edition.

Place of Publication:

Birmingham, England : Packt Publishing, [2024]

Biography/History:

Ramakrishnan Ganesh: Ganesh Ramakrishnan is a senior manager at KPMG Canada's Incident Response team, with over 12 years of incident response experience. He leads a dynamic team focused on responding to and managing incidents for organizations across various industry sectors, working with KPMG's incident response teams globally. He has led numerous incident response cases, including high-profile ones, and collaborated with law enforcement agencies worldwide. Apart from assisting organizations during crises, Ganesh also helps them prepare for incidents and educates them on handling them. Ganesh has a master's in computer application and an MSc in network and information security. He also holds CISSP, SANS GCFA, and SANS GNFA certifications. Haqanee Mansoor: Mansoor Haqanee is a manager with KPMG Canada's Forensic Technology team, with over six years of experience in software development, computer forensics, and incident response. Mansoor has a background in electrical engineering with a bachelor of engineering from Toronto Metropolitan University (formerly Ryerson University). Combining his education with both software development and computer forensic experience, he is equipped to provide organizations with insights into the security of their assets. Mansoor has provided technology consulting services to a wide range of industries in the education, financial services, healthcare, telecommunications, manufacturing, and government sectors, to name a few.

Summary:

Enhance your skills as a cloud investigator to adeptly respond to cloud incidents by combining traditional forensic techniques with innovative approaches Key Features Uncover the steps involved in cloud forensic investigations for M365 and Google Workspace Explore tools and logs available within AWS, Azure, and Google for cloud investigations Learn how to investigate containerized services such as Kubernetes and Docker Purchase of the print or Kindle book includes a free PDF eBook Book Description As organizations embrace cloud-centric environments, it becomes imperative for security professionals to master the skills of effective cloud investigation. Cloud Forensics Demystified addresses this pressing need, explaining how to use cloud-native tools and logs together with traditional digital forensic techniques for a thorough cloud investigation. The book begins by giving you an overview of cloud services, followed by a detailed exploration of the tools and techniques used to investigate popular cloud platforms such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). Progressing through the chapters, you'll learn how to investigate Microsoft 365, Google Workspace, and containerized environments such as Kubernetes. Throughout, the chapters emphasize the significance of the cloud, explaining which tools and logs need to be enabled for investigative purposes and demonstrating how to integrate them with traditional digital forensic tools and techniques to respond to cloud security incidents. By the end of this book, you'll be well-equipped to handle security breaches in cloud-based environments and have a comprehensive understanding of the essential cloud-based logs vital to your investigations. This knowledge will enable you to swiftly acquire and scrutinize artifacts of interest in cloud security incidents. What you will learn Explore the essential tools and logs for your cloud investigation Master the overall incident response process and approach Familiarize yourself with the MITRE ATT&CK framework for the cloud Get to grips with live forensic analysis and threat hunting in the cloud Learn about cloud evidence acquisition for offline analysis Analyze compromised Kubernetes containers Employ automated tools to collect logs from M365 Who this book is for This book is for cybersecurity professionals, incident responders, and IT professionals adapting to the paradigm shift toward cloud-centric environments. Anyone seeking a comprehensive guide to investigating security incidents in popular cloud platforms such as AWS, Azure, and GCP, as well as Microsoft 365, Google Workspace, and containerized environments like Kubernetes will find this book useful. Whether you're a seasoned professional or a newcomer to cloud security, this book offers insights and practical knowledge to enable you to handle and secure cloud-based infrastructure.

Contents:

Cover

Title Page

Copyright and Credits

Contributors

Table of Contents

Preface

Part 1: Cloud Fundamentals

Chapter 1: Introduction to the Cloud

Advantages and disadvantages of cloud computing

An overview of cloud services

Cloud deployment models

Cloud adoption success stories

Impact of the cloud and other technologies

Summary

Further reading

Chapter 2: Trends in Cyber and Privacy Laws and Their Impact on DFIR

The role of a breach counselor (breach coach)

General legal considerations for cloud adoption

eDiscovery considerations and legal guidance

Digital forensics challenges

Legal frameworks for private data

Contractual private data

Regulated private data

Jurisdictional requirements in relation to private data

Legal implications for data retention and deletion

Responsibilities and liabilities of the cloud and their implications for incident response

Jurisdiction and cross-border data transfers

Chapter 3: Exploring the Major Cloud Providers

Amazon Web Services (AWS)

Amazon Elastic Compute Cloud (EC2)

Amazon Virtual Private Cloud (VPC)

Amazon Simple Storage Service (S3)

AWS Identity and Access Management (IAM)

Amazon Relational Database Service (RDS)

Microsoft Azure

Microsoft Azure virtual machines

Microsoft Azure Virtual Network

Microsoft Azure Blob Storage

Microsoft Azure Active Directory (Azure AD)

Microsoft Azure SQL Database

Google Cloud Platform (GCP)

Google Compute Engine (GCE)

Google Virtual Private Cloud (VPC)

Google Cloud Storage (GCS)

Google Cloud SQL

Other cloud service providers

Chapter 4: DFIR Investigations - Logs in AWS

VPC flow logs

VPC basics

Sample VPC flow log

DFIR use cases for VPC flow logging

S3 access logs.

Logging options

DFIR use cases for S3 monitoring

AWS CloudTrail

Creating a trail

Event data stores

Investigating CloudTrail events

DFIR use cases for CloudTrail logging

AWS CloudWatch

CloudWatch versus CloudTrail

Setting up CloudWatch logging

Querying CloudWatch logs on the AWS console

DFIR use cases for CloudWatch

Amazon GuardDuty

Amazon Detective

Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics

Chapter 5: DFIR Investigations - Logs in Azure

Azure Log Analytics

Azure Virtual Networks

NSG flow logs

Azure Storage

Azure Monitor

Azure Virtual Machines log analysis

Microsoft Defender for Cloud

Microsoft Sentinel

Chapter 6: DFIR Investigations - Logs in GCP

GCP core services

GCP IAM

GCP's IAM roles and identities

Policy Analyzer

DFIR use cases for Policy Analyzer

GCP Logs Explorer

Overview of log buckets

DFIR use cases for using Logs Explorer

Familiarizing with Logs Explorer

VPC Flow Logs

Enabling VPC Flow Logs

Hunting VPC Flow Logs for malicious activities

Packet Mirroring

Compute Engine logs

GCP's logging platform

GCP's default logging

Logging Dataflow pipelines

GCP storage logs

Storage permissions

Storage object logging

Investigating GCP Cloud storage logs

Cloud Security Command Center (Cloud SCC)

IAM roles

Threats and Findings dashboards

GCP Cloud Shell

Chapter 7: Cloud Productivity Suites

Overview of Microsoft 365 and Google Workspace core services

Microsoft 365

Google Workspace

IAM in Microsoft 365 and Google Workspace

Auditing and compliance features in Microsoft 365 and Google Workspace.

Microsoft 365's Security and Compliance Center (Microsoft Purview)

Google Workspace Admin console and security features

Part 3: Cloud Forensic Analysis - Responding to an Incident in the Cloud

Chapter 8: The Digital Forensics and Incident Response Process

The basics of the incident response process

Tools and techniques for digital forensic investigations

Prerequisites

Cloud host forensics

Memory forensics

Live forensic analysis and threat hunting

EDR-based threat hunting

Hunting for malware

Common persistence mechanisms

Network forensics

Basic networking concepts

Cloud network forensics - log sources and tools

Network investigation tools

Malware investigations

Setting up your malware analysis lab

Working with packed malware

Binary comparison

Traditional forensics versus cloud forensics

Chapter 9: Common Attack Vectors and TTPs

MITRE ATT&amp

CK framework

Forensic triage collections

Host-based forensics

Evidence of intrusion

Prefetch analysis

AmCache analysis

ShimCache analysis

Windows Event Logs

Analyzing memory dumps

Misconfigured virtual machine instances

Unnecessary ports left open

Default credentials left unchanged

Outdated or unpatched software

Publicly exposed sensitive data (or metadata)

Misconfigured storage buckets

Public permissions

Exposed API keys or credentials

Improper use of IAM policies

Cloud administrator portal breach

Chapter 10: Cloud Evidence Acquisition

Forensic acquisition of AWS instance

Step 1 - creating EC2 volume snapshots

Step 2 - acquiring OS memory images

Step 3 - creating a forensic collector instance

Step 4 - creating and attaching infected volume from snapshots.

Step 5 - exporting collected images to AWS S3 for offline processing

Forensic acquisition of Microsoft Azure Instances

Step 1 - creating an Azure VM Snapshot

Step 2 - exporting an Azure VM snapshot directly

Step 3 - connecting to an Azure VM for memory imaging

Forensic acquisition of GCP instances

Step 1 - creating a snapshot of the compute engine instance

Step 2 - attaching a snapshot disk for forensic acquisition

Step 3 - connecting to the GCP compute engine instance for memory acquisition

Chapter 11: Analyzing Compromised Containers

What are containers?

Docker versus Kubernetes

Types of containers and their use cases

Detecting and analyzing compromised containers

About the Kubernetes orchestration platform

Acquiring forensic data and container logs for analysis

Chapter 12: Analyzing Compromised Cloud Productivity Suites

Business email compromise explained

BEC attack phases

Common types of BECs

Initial scoping and response

Remediation steps

Microsoft 365 incident response

Tooling

Analysis

Google Workspace incident response

Index

Other Books You May Enjoy.

Notes:

Description based on print version record.

ISBN:

9781800560833

1800560834

OCLC:

1423295266