DOCSLIB.ORG

Digital Forensics for Infrastructure-As-A-Service Cloud Computing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Digital Forensics for Infrastructure-As-A-Service Cloud Computing APPROVAL SHEET Title of Dissertation: Digital Forensics for Infrastructure-as-a-Service Cloud Computing Name of Candidate: Josiah Alexander Bradford Spoor Dykstra Doctor of Philosophy, 2013 Dissertation and Abstract Approved: Alan T. Sherman Associate Professor Department of Computer Science and Electrical Engineering Date Approved: CURRICULUM VITAE Name: Josiah Alexander Bradford Spoor Dykstra. Degree and date to be conferred: Doctor of Philosophy, May 2013. Secondary Education: Heelan High School, Sioux City, IA, 1998. Collegiate institutions attended: Hope College, B.S., computer science, 2002. Hope College, B.A., music, 2002. Iowa State University, M.S., information assurance, 2004. Major: computer science. Professional publications: 1. Dykstra, J. and A.T. Sherman, “Design and Implementation of FROST: Digital Forensic Tools for the OpenStack Cloud Computing Platform,” DFRWS Annual Digital Forensics Research Conference, August, 2013, Monterey, CA (paper accepted). 2. Dykstra, J. “Search Warrant Language for Cloud Computing,” In Proceedings of the Annual Meeting of the American Academy of Forensic Sciences, Vol. 19, February, 2013, Washington, DC. 3. Dykstra, J, “Seizing Electronic Evidence from Cloud Computing Environments,” Cybercrime and Cloud Forensics: Applications for Investigation Processes. Ed. Keyun Ruan. Hershey: IGI Global, 2013. 156-85. 4. Dykstra, J. and D. Riehl, “Forensic Collection of Electronic Evidence from Infrastructure-As-A-Service Cloud Computing,” In Richmond Journal of Law and Technology, Vol. 19, Issue 1, 2012. 5. Dykstra, J. and A.T. Sherman, “Acquiring Forensic Evidence from Infrastructure-as-a-Service Cloud Computing: Exploring and Evaluating Tools, Trust, and Technique,” In Proceedings of the DFRWS Annual Digital Forensics Research Conference, August, 2012, Washington, DC., S90-S98. 6. Dykstra, J. “Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies,” In Proceedings of the Annual Meeting of the American Academy of Forensic Sciences, Vol. 18, February, 2012, Atlanta, GA. 7. Dykstra, J. and A.T. Sherman, “Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies,” In Proceedings of the 2011 ADSFL Conference on Digital Forensics, Security, and Law, 2011, Richmond, VA, 191-206. 8. Dykstra, J. and A.T. Sherman, “Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies,” In Journal of Network Forensics , Vol. 3, Issue 1, 2011, 19-31. 9. Dykstra, J., “A framework for network covert channel detection.” Thesis (M.S.)–Iowa State University, 2004. Professional positions held: United States Department of Defense. Global Network Exploitation and Vulnerability Analyst. (2004–Present). Iowa State University. Research Assistant. (2002–2004). ABSTRACT Title of Dissertation: Digital Forensics for Infrastructure-as-Service Cloud Computing Josiah Alexander Bradford Spoor Dykstra, Doctor of Philosophy, 2013 Dissertation directed by: Alan T. Sherman, Associate Professor Department of Computer Science and Electrical Engineering We identify important issues in the application of digital forensics to Infrastructure- as-a-Service cloud computing and develop new practical forensic tools and techniques to facilitate forensic exams of the cloud. When investigating suspected cases involving cloud computing, forensic examiners have been poorly equipped to deal with the technical and legal challenges. Because data in the cloud are remote, distributed, and elastic, these challenges include understanding the cloud environment, acquiring and analyzing data remotely, and applying the law to a new domain. Today digital forensics for cloud computing is challenging at best, but can be performed in a manner consistent with federal law using the tools and techniques we developed. The first problem is understanding how and why criminal and civil actions in and against cloud computing are unique and difficult to prosecute. We analyze a digital forensic inves- tigation of crime in the cloud, and present two hypothetical case studies that illustrate the unique challenges of acquisition, chain of custody, trust, and forensic integrity. Understand- ing these issues introduces legal challenges which are also important for federal, state, and local law enforcement who will soon be called upon to conduct cloud investigations. The second problem is the lack of practical technical tools to conduct cloud forensics. We examine the capabilities for forensics today, evaluate the use of existing tools including EnCase and FTK, and discuss why these tools are incapable of trustworthy cloud acquisition. We design consumer-driven forensic capabilities for OpenStack, including new features for acquiring trustworthy firewall logs, API logs, and disk images. The third problem is a deficit of legal instruments for seizing cloud-based electronically- stored information. We analyze the application of existing policies and laws to the new domain of cloud computing by analyzing case law and legal opinions about digital evidence discovery, and suggest modifications that would enhance cloud the prosecution of cloud- based crimes. We offer guidance about how to author a search warrant for cloud data, and what pertinent data to request. This dissertation enhances our understanding of technical, trust, and legal issues needed to investigate cloud-based crimes and offers new tools and techniques to facilitate such investigations. Digital Forensics for Infrastructure-as-a-Service Cloud Computing by Josiah Alexander Bradford Spoor Dykstra Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, Baltimore County in partial fulfillment of the requirements for the degree of Doctor of Philosophy 2013 c Copyright Josiah Alexander Bradford Spoor Dykstra 2013 To Alicia ii ACKNOWLEDGMENTS Alan Sherman has been a helpful advisor, knowledgeable guide, and ardent supporter. He never failed to encourage me to strive for perfection in my writing and research. My work is better because of him. Thank you to my distinguished committee for guidance and wisdom—Dr. Forno; Dr. Nicholas; Mr. Flynn; Dr. Garfinkel. Thanks also to the UMBC Cyber Defense Lab for listening to my presentations and giving thoughtful feedback. I am particularly indebted to Timothy Leschke, who shared many successes and frustrations with me along the way. My academic work was made entirely possible through the support and encouragement of the Department of Defense. I appreciate their dedication to continuing education. Thanks especially to supervisors and colleagues who were flexible in allowing me to take the time to work on my research. Thanks to many friends, colleagues, teachers, and mentors that have reviewed papers and offered helpful advice, especially Matt Georgy, Eoghan Casey, and Mark Rasch. Damien Riehl was a brilliant co-author on Chapter6 and advisor on legal issues. More than anyone else, my deepest gratitude and love goes to my wife, Alicia, who encouraged and supported me through this process. She endured many hours of me at the computer and technical conversations over dinner. iii Contents 1 Introduction1 1.1 Motivation...................................2 1.2 Thesis Statement...............................4 1.3 Contributions of this Dissertation.......................4 1.3.1 Identification of Cloud-Specific Forensic Issues Using Two Hypo- thetical Case Studies.........................5 1.3.2 Evaluation of Existing Tools for Cloud Forensics and Analysis of Trust in Cloud Evidence.......................5 1.3.3 Development of Three Forensic Tools for OpenStack........6 1.3.4 Analysis of Legal Challenges in Cloud Forensics and a Sample Search Warrant............................7 1.4 Outline....................................8 2 Background and Related Work9 2.1 Cloud Computing...............................9 2.1.1 Background..............................9 2.1.2 Related Work............................. 12 2.2 Digital Forensics............................... 12 iv 2.2.1 Background.............................. 12 2.2.2 Related Work............................. 15 2.3 Law...................................... 19 2.3.1 Background.............................. 19 2.3.2 Related Work............................. 21 2.4 Cryptography................................. 22 I Issues and Solutions for Digital Forensics of Cloud Computing 23 3 Two Hypothetical Case Studies 24 3.1 Existing Forensic Frameworks........................ 24 3.2 Case Studies.................................. 25 3.2.1 Case Study 1............................. 26 3.2.2 Case Study 2............................. 32 3.3 Analysis.................................... 35 3.4 Conclusions.................................. 38 4 Acquiring Forensic Evidence from Infrastructure-as-a-Service Cloud Comput- ing 39 4.1 Previous and Related Work.......................... 41 4.2 The Cloud Forensic Examination....................... 42 4.2.1 Layers of Trust............................ 42 4.2.2 Choices in Cloud Forensics..................... 45 4.3 Cloud Forensics Using Today’s Tools.................... 47 4.3.1 Motivation.............................. 47 4.3.2 Extracting Data From Amazon EC2................. 48 v 4.3.3 Methods............................... 49 4.3.4 Results................................ 51 4.4 Discussion................................... 54 4.5 Alternatives for Forensic Acquisition..................... 56 4.5.1 Rooting Trust with TPMs...................... 56 4.5.2 Collection from the Management Plane............... 57 4.5.3 Forensic Support as a Service...................
Load more

Recommended publications
  • A Reply to 57 Reading Voices on the Issue of Dyslexia Steven P. Dykstra, Phd
    In Defense of Truth: A reply to 57 Reading Voices on the Issue of Dyslexia Steven P. Dykstra, PhD Recently, a collection of professors and others wrote a letter to officials at the Public Broadcasting System, taking issue with reports on dyslexia that aired on PBS. The signers of this letter are a list of some of the best-known and most influential reading voices of the past several decades. They are past presidents and officials of the International Literacy Association, members of The Reading Hall of Fame, and authors of books and curricula found in most of the schools and nearly all of the universities in North America. The link to the letter below is hosted by the Reading Recovery Council of North America, purveyor of the widely-marketed Reading Recovery intervention program, completing the triangle with the ILA and university professors that has defined reading instruction and policy in this country for the past 40 years. The common purpose of these partners is to undermine the work of parents and grass roots organizations working to promote the science of reading in opposition to the discredited philosophies, ineffective practices, and failed products the 57 signers prefer. The letter found at this link is also included as Appendix A. https://readingrecovery.org/wp-content/uploads/2019/05/Concern-letter-to-PBS.pdf The letter makes two arguments: dyslexia is a vague and useless concept describing a condition which they imply may not be real, and there is no agreed upon treatment for dyslexia. They cite three sources in their argument: The American Psychiatric Association, Julian Elliott and Elena Grigorenko’s book, The Dyslexia Debate (2014), and the International Literacy Association.
    [Show full text]
  • ROBERT C. DYKSTRA Princeton Theological Seminary P.O. Box 821 Princeton, NJ 08542-0803 Work: 609-252-2115 Email: Robert.Dykstr
    ROBERT C. DYKSTRA Princeton Theological Seminary P.O. Box 821 Princeton, NJ 08542-0803 Work: 609-252-2115 Email: [email protected] EDUCATIONAL BACKGROUND Ph.D., Princeton Theological Seminary. September 1985 - June 1990 Area: Pastoral Theology. Dissertation: "Even Youths Shall Faint: A Pastoral Theological Investigation of Self Disorders in Adolescents, Based on Works of Jürgen Moltmann, Heinz Kohut, James F. Masterson, and Robert Jay Lifton." Master of Divinity, Princeton Theological Seminary. September 1979 - June 1982 Concentration: Biblical Studies. Bachelor of Arts, summa cum laude, Whitworth University, Spokane, WA. September 1975 - May 1979 Major: Psychology. PROFESSIONAL EXPERIENCE PRINCETON THEOLOGICAL SEMINARY, Princeton, NJ July 1997 - Present Charlotte W. Newcombe Professor of Pastoral Theology. Teaching responsibilities for pastoral theology courses in M.Div., M.A.T.S., Th.M., and Ph.D. degree programs. Chair, Department of Practical Theology, 2013-2014, 2017-2020. THE UNIVERSITY OF DUBUQUE THEOLOGICAL SEMINARY, Dubuque, IA September 1991 - June 1997 Assistant/Associate Professor of Pastoral Theology and Congregational Care. Teaching responsibilities for M.Div.-level courses in pastoral theology; administration of Clinical Pastoral Education program; director of the Native American program. Tenure, 1996. FIRST PRESBYTERIAN CHURCH, Jackson, MN April 1991 - August 1991 Interim Pastor. Solo pastoral responsibilities at a 400-member church in a small-town setting, including weekly preaching and worship leadership, celebration of the sacraments, weddings, funerals, administration, pastoral care and counseling, and visitation. THE MEDICAL CENTER AT PRINCETON, Princeton, NJ June 1986 - April 1991 Chaplain (part-time). Full range of chaplaincy duties at a 350-bed teaching hospital, including crisis intervention, worship leadership, pastoral care and counseling, on-call coverage, and staff education.
    [Show full text]
  • The Honorable Joseph M. Hood, United States District Judge for the Eastern District of Kentucky, Sitting by Designation
    NOT RECOMMENDED FOR FULL-TEXT PUBLICATION File Name: 08a0074n.06 Filed: January 24, 2008 Nos. 06-2315 UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT ) STEPHANIE GARCIA, JOEL GARCIA, ) CHRISTINA SMITH, & BRIAN SMITH, ) ) Plaintiffs-Appellants, ) ON APPEAL FROM THE UNITED ) STATES DISTRICT COURT FOR THE v. ) WESTERN DISTRICT OF MICHIGAN ) KEVIN DYKSTRA, PAUL SMUTZ, ) JASON PAVLIGE, FRUITPORT ) CHARTER TOWNSHIP, JOANNA BETH ) DYKSTRA, ED BOOKER, JOSH ) BOOKER, WAYNE KAMP, BRIAN ) KLINGEL, RON MINOR, & SCOTT ) WENELL, ) ) Defendants-Appellees. ) ) ) Before: CLAY and GIBBONS, Circuit Judges, and HOOD, District Judge.* JULIA SMITH GIBBONS, Circuit Judge. This is an appeal from the district court’s grant of summary judgment in a civil rights action brought under 42 U.S.C. § 1983. Plaintiffs alleged that several police officers and public officials were complicit in the unlawful taking of certain personal property from their storage unit. The district court rejected plaintiffs’ claims and granted summary *The Honorable Joseph M. Hood, United States District Judge for the Eastern District of Kentucky, sitting by designation. judgment in favor of defendants. For the reasons set forth below, we affirm in part and reverse in part. I. This case arose out of a dispute between plaintiffs and defendants over the ownership of tools. On October 12, 2004, defendant Kevin Dykstra and plaintiff Stephanie Garcia entered into a purchase agreement in which Garcia agreed to purchase Dykstra’s business, True Cuts Lawn Care, LLC (“True Cuts”). Under the terms of the agreement, Garcia agreed to a purchase price of $1.00 for the True Cuts name, business goodwill, and all client lists and assumed the rights to all accounts receivables and certain assets.
    [Show full text]
  • Jfj.;!. BJC ETTP CO U-S Reviewer/D~~~
    OFFiCIAL USE' *NLY Joe Dykstra 2005 NETS, LLC National Educational Technology Solutions LLC K-25 Oral History Interview Date: 3/07/05 Interviewee: Joe Dykstra Interviewer: Connie Callan AIJ a B1C :ETTP Classification Office Unclauified-Sensitive (U~S) Information Reviewer, I have reviewed this document and determined the document does not contain U~S information (i.e. no UCNI, ECI~ information). /jfJ.;!. BJC ETTP CO U-S Reviewer/D~~~ [1:00:45] Page 1 OFFICIAL BSE ON;L Y OFFICJAJ,~ USE ONLY Joe Dykstra 2005 NETS, LLC Callan, C.: Okay. We are ready to start. This is Connie Callan. I'm doing the interviews, and today's date is 3/7/05. And this is Joe Dykstra. Now Joe, the first question is the easiest. I want you to first state your name and spell your name. We need to know how to pronounce your name if it's going to be on camera. So go ahead. · Dykstra, J.: My name is Joe Dykstra, and it's spelled D-Y-K-S-T-R-A. Callan, C.: Now I'm going to ask a question. You don't have to answer it, but ifyou could answer your date of birth and also what your title was at the plant. Dykstra, J.: I was born 6/6/21. I'm almost 84 years old. I started out in the plant as a supervisor in operations on the start up, and I held many different positions in chemical operations and later in engineering in the design of the upgraded plants in the later years.
    [Show full text]
  • The 2019 Chicago History Museum Annual Report
    ANNUAL REPORT JULY 2018–JUNE 2019 2019 ANNUAL REPORT TABLE OF CONTENTS 3 Board of Trustees 4 Chair’s Message 5 President’s Message 7 Auxiliary Groups 9 Year in Review 23 Spark Awards 25 Making History Awards 27 Honor Roll of Donors 31 Donors to the Collection 32 Lincoln Honor Roll Society 33 This Is Chicago Campaign 35 Treasurer’s Report 37 Volunteers 38 Staff 1601 North Clark Street Chicago, Illinois 60614 chicagohistory.org 312.642.4600 The Chicago History Museum gratefully acknowledges the support of the Chicago Park District on behalf of the people of Chicago. From top: Radio Flyer Streak-O-Lite coaster wagon on display in Modern by Design, which opened in October 2018. CHM volunteers at the April 2019 Volunteer Recognition Reception. CHM members enjoying the Members Open House in June 2019. ChicagoHistoryMuseum 2 2018–19 Annual Report BOARD OF TRUSTEES Officers Trustees Life Trustees Walter C. Carlson James L. Alexander David P. Bolger THE J. YOUNG Chair Catherine Arias Laurence O. Booth SCAMMON David D. Hiller Gregory J. Besio Stanley J. Calderon AWARD Chair Emeritus Matthew J. Blakely John W. Croghan Daniel S. Jaffee Denise R. Cade Patrick W. Dolan In 2016, the Board of First Vice Chair Paul Carlisle Paul H. Dykstra Trustees established Mary Lou Gorno Walter C. Carlson Michael H. Ebner an award to recognize Second Vice Chair Warren K. Chapman Sallie L. Gaines members of the board Tobin E. Hopkins Rita Sola Cook Sharon Gist Gilliam who have exhibited Treasurer Keith L. Crandell Barbara A. Hamel substantial, exemplary, and Denise R.
    [Show full text]
  • W88-0037.1. Dykstra, John A. (1886-1968)
    Hope College Hope College Digital Commons Collection Registers and Abstracts Archives and College History September 2012 W88-0037.1. Dykstra, John A. (1886-1968). Papers, 1915-1968. 5.00 linear ft. Western Theological Seminary Follow this and additional works at: https://digitalcommons.hope.edu/collection_registers Part of the Archival Science Commons Recommended Citation Repository citation: Western Theological Seminary, "W88-0037.1. Dykstra, John A. (1886-1968). Papers, 1915-1968. 5.00 linear ft." (2012). Collection Registers and Abstracts. Paper 325. https://digitalcommons.hope.edu/collection_registers/325 September 18, 2012. This Register is brought to you for free and open access by the Archives and College History at Hope College Digital Commons. It has been accepted for inclusion in Collection Registers and Abstracts by an authorized administrator of Hope College Digital Commons. For more information, please contact [email protected]. W88-0037.1. Dykstra, John A. (1886-1968). Papers, 1915-1968. 5.00 linear ft. Abstract Hope College class of 1909, New Brunswick Theological Seminary class of 1912, and minister of the Reformed Church in America from 1912 until 1968. Materials include sermons, prayers, radio messages, articles, and correspondence, and material on Irene Dykstra. Accession No: W88-0037.1 Provenance: John A. Dykstra Donor: Irene Dykstra Photographs 5 images (Box 1; 1 digital) Processed by: Chad A. Boorsma, March 1994 Leon Witteveen, October 2002 Biography John Albert Dykstra was born in Grand Rapids, Michigan, on June 10, 1886. After graduating from Central High School in Grand Rapids in 1905, he attended Hope College and graduated in 1909. Heeding a call to the ministry, he enrolled in New Brunswick Theological Seminary in New Jersey.
    [Show full text]