Inproceedings

Towards the Forensic Identification and Investigation of Cloud Hosted Servers through Noninvasive Wiretaps

Hessel Schut; Mark Scanlon; Jason Farina; Nhien-An Le-Khac

August 2015 Proceedings of 10th International Conference on Availability, Reliability and Security (ARES 2015)

Contribution Summary

This research addresses the challenge of identifying cloud-hosted servers in investigations where the hosting provider cannot be trusted or documentation is unavailable. A new approach is proposed, involving a handheld device that passively intercepts Ethernet traffic and displays identifying characteristics on an LCD. The device captures minimal information and only stores relevant data, with an audit log of operator actions for reporting. This approach is designed to be undetectable by the operator of the computer system, making it suitable for law enforcement investigations. The device is tested and evaluated, with a discussion on its usefulness in identifying servers of interest to an investigation. The proposed solution addresses the limitations of previous work, including the need for administrative access to configure switches for port mirroring and the potential for detectable physical layer changes. The handheld device is designed to be easy to operate and provides a reliable method for identifying cloud-hosted servers.

Keywords: Cloud-hosted servers; Non-invasive wiretaps; Digital forensics; Cybersecurity; Law enforcement; Cloud computing; Server identification; Network traffic analysis

Abstract

When conducting modern cybercrime investigations, evidence often has to be gathered from computer systems located at cloud-based data centres of hosting providers. In cases where the investigation cannot rely on the cooperation of the hosting provider, or where documentation is not available, investigators can often find the identification of which distinct server among many is of interest difficult and extremely time consuming. To address the problem of identifying these servers, in this paper a new approach to rapidly and reliably identify these cloud hosting computer systems is presented. In the outlined approach, a handheld device composed of an embedded computer combined with a method of undetectable interception of Ethernet-based communications is presented. This device is tested and evaluated, and a discussion is provided on its usefulness in identifying a server of interest to an investigation.

BibTeX

@inproceedings{schut2015cloudwiretap,
	author    = {Schut, Hessel and Scanlon, Mark and Farina, Jason and Le-Khac, Nhien-An},
	booktitle = {Proceedings of the 10th International Conference on Availability, Reliability and Security (ARES 2015)},
	title     = {Towards the Forensic Identification and Investigation of Cloud Hosted Servers through Noninvasive Wiretaps},
	year      = {2015},
	month     = aug,
	address   = {Toulouse, France},
	publisher = {IEEE},
	abstract  = {When conducting modern cybercrime investigations, evidence often has to be gathered from computer systems located at cloud-based data centres of hosting providers. In cases where the investigation cannot rely on the cooperation of the hosting provider, or where documentation is not available, investigators can often find the identification of which distinct server among many is of interest difficult and extremely time consuming. To address the problem of identifying these servers, in this paper a new approach to rapidly and reliably identify these cloud hosting computer systems is presented. In the outlined approach, a handheld device composed of an embedded computer combined with a method of undetectable interception of Ethernet-based communications is presented. This device is tested and evaluated, and a discussion is provided on its usefulness in identifying a server of interest to an investigation.},
	doi       = {10.1109/ARES.2015.77},
}