Moving to the cloud is giving organisations of all shapes and sizes the ability to move faster, be more agile, and innovate their businesses. The shift to cloud computing has completely transformed how we work, communicate, and collaborate—and is fast becoming a necessity to stay competitive in today’s digital world.
If you are considering moving to cloud-based services and solutions, it’s not only important to understand the basics of cloud computing and how it can help you accelerate your digital transformation, but also its advantages and limitations. The digital transformation has raised the need for integrated forensic analytics in the cloud.
Growing digital data volumes are driving the need for more sophisticated software solutions and infrastructure to support digital investigations. Leveraging the cloud can help law enforcement agencies and other investigative bodies to adapt quickly, enabling secure, scalable solution deployments while at the same time helping to maintain data security and regulatory compliance.
Cloud services have advanced a lot in recent years. Cloud service models are better understood and supported, and governments are beginning to develop cloud usage policies and guidelines.
Risk Diversion uses AXIOM Cloud to triage quickly and simply by retrieving selected data from the Cloud using Office 365 administrative credentials, finding important evidence faster, and recovering more evidence from deleted or unallocated space — including evidence of malicious acts of deletion. Key pieces of evidence in these cases include email, Google Suite, Microsoft® Office® 365 documents, and messaging services such as Skype for Business and Slack. However, obtaining forensic artifacts from these data sources isn’t without its challenges. Obtaining data from cloud services or encrypted machines/devices, along with demonstrating malicious intent vs. inadvertent access, can be especially difficult.
AXIOM’s ability to retrieve selected data from the Cloud using Office 365 administrative credentials has been crucial to finding important evidence faster. So, too, is AXIOM’s ability to recover more evidence from deleted or unallocated space — including evidence of malicious acts of deletion.
Malicious intent is easier to establish using Connections in AXIOM. The graphically linked connections between artifacts found in the cloud and those found on computers (e.g. jump lists, LNK files, MRU lists, etc.) help examiners to visualise file activity, including creation, access, transfer, and deletion. Finally, showing this kind of activity through AXIOM’s flexible exporting and reporting options helps examiners to present case findings to stakeholders such as HR or legal teams.
More and more data from mobile devices is being stored in the cloud, from third-party apps storing data in the cloud to cloud backups. Mobile devices are also offering more access to the cloud via login tokens for cloud account acquisitions. But how can you tell if there may be data available in the cloud? How do you utilise data from the phone to obtain additional data from the cloud? How do you leverage mobile data from cloud sources when you don’t have access to the phone?
As cloud services become the new normal for nearly all businesses, it’s critical that your forensic tools support the ever-evolving landscape. Learn how Magnet AXIOM Cyber can help accelerate your internal investigations across Office 365, Slack and more. Risk Diversion will demonstrate how AXIOM can work directly with Office 365 for the collection of email, OneDrive data, SharePoint, and Audit Logs. We will also demonstrate how to incorporate Microsoft Teams conversations into AXIOM investigations through the Office 365 Security and Compliance Centre. In addition, we will discuss methods for investigations involving Slack using both direct acquisition and Slack Corporate export packages.
Computing in the cloud is remarkably similar to utilizing locally hosted computers, and you can expect similar levels of performance. A cloud-hosted machine can be configured to perform similarly to a high-end forensic workstation deployed on-premises. One major advantage of cloud-hosted machines is more flexible resource allocation. With cloud-hosted solutions, you can dynamically scale up your resources and performance as your needs change. For example, you can easily allocate multiple VMs to handle different tasks with different processing requirements to optimise performance and reduce costs. Additional resources can also be quickly and easily added so you can maintain consistent performance as data volumes grow—achieving this on-premises would require you to purchase, install, and maintain additional hardware resources yourself. Cloud-hosted solutions also make it easier to maintain high availability and uptime and to enable simple disaster recovery procedures.
Cloud billing is flexible, but that flexibility comes with a lot of information and gives an organisation a lot of room to reduce overall complexity and costs. Your proposed budgets would no longer need to consider items like emergency hardware maintenance or replacement—only usage. Much like your monthly electric bill, costs for cloud services can go up or down depending on usage. As you understand your usage—for example, how much data you need to upload per month—it becomes easy to forecast your organisation’s short and long-term costs. The difficulty is often how to estimate costs before average usage is known. For this reason, cloud service providers usually offer a variety of billing tools to not only estimate monthly billing, but also cap and even reduce costs. If usage increases dramatically in a particular month, these billing tools make it easy to see why and to estimate costs going forward. You could then use such data to justify additional budget or limit service usage for that billing cycle.
Part of the Risk Diversion and Magnet Digital Investigation Suite, Magnet REVIEW enables digital forensic labs to securely share and collaborate on the review of all digital forensic evidence with investigators and other agency stakeholders from anywhere via a single platform. Easily find the evidence that matters with an intuitive interface and powerful analytics views and collaborate agency-wide to complete your investigations more efficiently and effectively. Deploy REVIEW on Microsoft Azure to easily scale up resources while maintaining security and compliance.
Gone are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyse it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network can be located anywhere — for cloud infrastructures, servers must be in the same country where the data was created, but that’s as specific as the law gets.
Risk Diversion has recognized that new digital forensics tools and techniques are necessary to uncover electronic evidence for processing into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.