Towards the Forensic Identification and Investigation of Cloud Hosted Servers through Non-Invasive Wiretaps

Hessel Schut∗, Mark Scanlon†, Jason Farina‡ and Nhien-An Le-Khac§
∗Korps Landelijke Politiediensten, Driebergen, Netherlands.
†‡§School of Computer Science and Informatics, University College Dublin, Ireland.
Email: ∗[email protected], [email protected], [email protected], [email protected]

arXiv:1510.00664v1 [cs.DC] 2 Oct 2015

Abstract—When conducting modern cybercrime investigations, evidence often has to be gathered from computer systems located at cloud-based data centres of hosting providers. In cases where the investigation cannot rely on the cooperation of the hosting provider, or where documentation is not available, investigators can often find the identification of which distinct server among many is of interest difficult and extremely time consuming. To address the problem of identifying these servers, in this paper a new approach to rapidly and reliably identify these cloud hosting computer systems is presented. In the outlined approach, a handheld device composed of an embedded computer combined with a method of undetectable interception of Ethernet based communications is presented. This device is tested and evaluated, and a discussion is provided on its usefulness in identifying the server of interest to an investigation.

I. INTRODUCTION

The National High Tech Crime Unit (NHTCU) in a European country conducts investigations into crimes targeted at ICT infrastructure, committed using new technology or methods, that have the potential to be incapacitating to society or have a high impact. This impact can be quantified in terms of financial losses, incurred business continuity or recovery costs, and loss of goodwill in the form of public trust or confidence. Today, in its investigations the NHTCU often conducts searches in cloud-based data centres to collect evidence by preserving stored data on hosted computer systems or to conduct wiretaps on these computer systems.

In most cases these computer systems are owned by a trusted hosting company that leases these computer systems to end-users. Under subpoena, the hosting company locates the exact computer of which data is requested and hands this server over to the investigators, who will assert some other investigative power such as the creation of a forensic copy of data, placing a wiretap on the system or conducting live data forensics.

However, the assistance of the hosting provider is not always possible. Several times each year the NHTCU is confronted with co-located servers on cloud platforms (computer systems owned by a third party that are hosted in a data centre). Often these co-located servers are part of a larger infrastructure, where the networking devices such as switches and firewalls are also owned by the customer of the data centre. An investigator may find themselves in a situation where the hosting provider or data centre itself cannot be trusted to provide accurate information. In these cases the investigator is confronted with multiple servers without any documentation about these servers. This poses a challenge in identifying the computer system of interest to the investigation.

One approach available to the investigator is the use of the European criminal process law which provides for the interception of network traffic [1]. Because of the impact this may have on privacy, a warrant for interception can only be given by an investigative judge. Analysis of intercepted traffic to the individual computer systems could reveal identifying information about these systems such as upstream source IP address, Ethernet MAC address and HTTP headers like Server and Host. So while the interception of network traffic may be possible in many cases, the investigator needs to consider the impact this activity will have on privacy. This is especially true when the discovery process may require the interception of traffic from computer systems that are unrelated to the investigation. This impact may be considered disproportionate, and therefore a less reliable method of identifying servers would be utilised. The argument can be made that, when performing discovery and when the objective is the preservation of data, the identification of servers and the traffic metadata that needs to be gathered to do so, as permitted by criminal process law [1], is an integral part of this search. Following this interpretation, it follows that Article 125n [2] applies too, which states that all information gathered during a search that is of no interest to the investigation needs to be destroyed and that a written report of the destruction needs to be compiled. When applied to the problem of identification of servers, this means that an audit trail of all identification attempts needs to be kept, where the investigator can mark identifying information as either relevant or irrelevant. In the latter case data can be destroyed immediately, but a record of destruction needs to be kept. Preferably no information is displayed to the investigator at all, other than a confirmation that a pre-determined identification is recognised. … relative timestamps of activities and discoveries need to be logged.

Recent approaches in literature are concerned with the creation of wiretaps for Ethernet networks by placing devices inline [3][4][5][6], or requiring administrative access to configure a switch for port mirroring [7]. To place a wiretap in-line with the connection to the observed device, the connection to that device needs to be interrupted. This poses no problems when creating a long-term wiretap for network management or security purposes, e.g., to connect an Intrusion Detection System (IDS) sensor [3]. However, interruption of an Ethernet link can be signalled and logged at either side of the connection. This may pose a problem for law enforcement, as this can alert an adversary that the connection has been tampered with.

Therefore, a new technical solution is sought to intercept Ethernet traffic for the purpose of identification of computer servers. For this, a method needs to be developed that is undetectable by the operator of the computer system. In most network investigations, computer systems are identified by their public IP address. The solution must at least allow the investigator to determine the IP addresses used by a computer system. Extending to other properties of network traffic, the new solution should allow users to add other identifying properties of the network traffic that are more appropriate to identify the computer system.

The rest of this paper is organised as follows: Section II shows the related work of this research on different approaches to wiretaps for Ethernet networks. A new approach for the identification of computer servers using temporary wiretaps is presented in Section III. The software components of our device are outlined in Section IV. A discussion is provided on the wiretap attachment in Section V. An evaluation of the proposed device and an analysis of its performance are provided in Section VI. The conclusion and a discussion on future work are outlined in Section VII.

A. Aim and Contribution of this Work

The aim of the work presented as part of this paper is to expedite digital investigations in a cloud data centre environment. This can be achieved by focusing the investigation at an early stage on pertinent servers through the identification of suspicious or targeted network traffic.

In this paper, a device implementing a method for undetectable interception of Ethernet network traffic for the purpose of identification of computer systems is presented.

II. RELATED WORK

In this section, related work on wiretaps for Ethernet networks is discussed. This work can be divided into two main categories: passive and active approaches.

A. Active Approaches

Switch Port Analyser or SPAN [7] is a method of intercepting (wiretapping) Ethernet traffic for purposes such as network monitoring. SPAN is a technique where a switch has one or more ports defined as mirror ports to which monitoring devices can be connected. A network administrator can set up a mirroring policy that identifies the types of traffic that are copied by the switch from the receiving port(s) to one or more mirror ports for analysis. In [7] the mirrored traffic is distributed to mirror ports in a round-robin manner, thus distributing traffic over multiple ports to make it more likely that the mirror ports can handle the copied data without dropping traffic.

[4] proposed a forensic evidence collection device called PNFEC. The proposed device uses an embedded computer with multiple network interfaces and open-source software to collect live network evidence from single hosts. The PNFEC is placed inline between a network node of interest and the rest of the network. After being placed inline between the network node and the network, the device acts as a transparent Ethernet bridge [8] between the observed network node and the rest of the network. The bridge is created using the brconfig command in the OpenBSD operating system, thus using the bridge kernel driver to forward traffic from one network interface to another.

An inline wiretap device is proposed in [6]. The proposed device is connected in parallel with the network cable to the observed device using alligator clips. A faster and more robust way of connecting to the network cable is left for further work. The parallel connection through the proposed device is routed through electromechanical switches (relays) for each wire. These relays are in a normally closed state; therefore the original cable can be cut safely when the relays are unpowered. When power is applied to the relays, the relay contacts divert the Ethernet signals to two network adapters that are operating in a transparent bridge, as described in [4]. Should power to the device fail, the relays fall back to a state where the cable
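The identifiers the introduction lists (upstream source IP, Ethernet MAC, HTTP Host and Server headers) and the Article 125n requirement for an audit trail that shows the investigator only a confirmation of a pre-determined identification can be combined in one matcher. The following Python is an added example, not code from the paper or its device; it assumes Ethernet II / IPv4 / TCP framing, a constructed sample frame, and a constructed salt for hashing the pre-determined identifiers.

```python
import hashlib
import struct
import time

def extract_identifiers(frame: bytes) -> dict:
    """Pull the identifiers the paper names (source MAC, source IP, HTTP Host/Server
    headers) out of one Ethernet II / IPv4 / TCP frame; absent layers are skipped."""
    ids = {"mac": frame[6:12].hex(":")}                  # Ethernet source address
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4: MAC only
        return ids
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    ids["ip"] = ".".join(str(b) for b in frame[26:30])   # IPv4 source address
    if frame[23] != 6:                                   # not TCP: no HTTP headers
        return ids
    tcp = frame[14 + ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]                   # skip TCP header and options
    for line in payload.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in (b"host", b"server"):
            ids[name.strip().decode().lower()] = value.strip().decode(errors="replace")
    return ids

class IdentificationAudit:
    """Audit trail in the spirit of Article 125n: pre-determined identifiers are kept
    only as salted hashes, observed values are never displayed or stored, and every
    observation is logged with a timestamp as 'recognised' or 'irrelevant, destroyed'."""
    def __init__(self, targets, salt: bytes = b"constructed-salt"):  # salt is constructed
        self.salt = salt
        self.targets = {self._digest(t) for t in targets}
        self.log = []                                    # (timestamp, field, outcome)
    def _digest(self, value: str) -> str:
        return hashlib.sha256(self.salt + value.encode()).hexdigest()
    def observe(self, frame: bytes, now=None) -> list:
        ts = time.time() if now is None else now
        hits = []
        for field, value in extract_identifiers(frame).items():
            if self._digest(value) in self.targets:
                hits.append(field)
                self.log.append((ts, field, "recognised"))
            else:                                        # value dropped; only the
                self.log.append((ts, field, "irrelevant, destroyed"))  # destruction is recorded
        return hits

def build_frame(src_mac: str, src_ip: str, http: bytes) -> bytes:
    """Constructed sample frame (Ethernet II + minimal IPv4 + TCP), not a real capture."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    return eth + ip + tcp + http
```

The returned hit list names only which field matched; the log records every attempt with its timestamp, so a destruction report can be compiled without the irrelevant values ever being shown.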
