Book Image

Cloud Forensics Demystified

By : Ganesh Ramakrishnan, Mansoor Haqanee
Book Image

Cloud Forensics Demystified

By: Ganesh Ramakrishnan, Mansoor Haqanee

Overview of this book

As organizations embrace cloud-centric environments, it becomes imperative for security professionals to master the skills of effective cloud investigation. Cloud Forensics Demystified addresses this pressing need, explaining how to use cloud-native tools and logs together with traditional digital forensic techniques for a thorough cloud investigation. The book begins by giving you an overview of cloud services, followed by a detailed exploration of the tools and techniques used to investigate popular cloud platforms such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). Progressing through the chapters, you’ll learn how to investigate Microsoft 365, Google Workspace, and containerized environments such as Kubernetes. Throughout, the chapters emphasize the significance of the cloud, explaining which tools and logs need to be enabled for investigative purposes and demonstrating how to integrate them with traditional digital forensic tools and techniques to respond to cloud security incidents. By the end of this book, you’ll be well-equipped to handle security breaches in cloud-based environments and have a comprehensive understanding of the essential cloud-based logs vital to your investigations. This knowledge will enable you to swiftly acquire and scrutinize artifacts of interest in cloud security incidents.

Related Content you might be interested in

Current Title:

Small book image
Cloud Forensics Demystified
Ganesh Ramakrishnan | Mansoor Haqanee
Feb, 2024 | 384 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Small book image
Mastering Cloud Security Posture Management (CSPM)
Qamar Nomani
Jan, 2024 | 472 pages
Small book image
The Cloud Computing Journey
Divit Gupta
Jan, 2024 | 440 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Free Chapter
1
Part 1: Cloud Fundamentals
Part 1: Cloud Fundamentals
2
Chapter 1: Introduction to the Cloud
Chapter 1: Introduction to the Cloud
Advantages and disadvantages of cloud computing
An overview of cloud services
Cloud deployment models
Cloud adoption success stories
Impact of the cloud and other technologies
Summary
Further reading
3
Chapter 2: Trends in Cyber and Privacy Laws and Their Impact on DFIR
Chapter 2: Trends in Cyber and Privacy Laws and Their Impact on DFIR
The role of a breach counselor (breach coach)
General legal considerations for cloud adoption
eDiscovery considerations and legal guidance
Digital forensics challenges
Legal frameworks for private data
Legal implications for data retention and deletion
Responsibilities and liabilities of the cloud and their implications for incident response
Jurisdiction and cross-border data transfers
Summary
Further reading
4
Chapter 3: Exploring the Major Cloud Providers
Chapter 3: Exploring the Major Cloud Providers
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Other cloud service providers
Summary
Further reading
5
Chapter 4: DFIR Investigations – Logs in AWS
Chapter 4: DFIR Investigations – Logs in AWS
VPC flow logs
S3 access logs
AWS CloudTrail
AWS CloudWatch
Amazon GuardDuty
Amazon Detective
Summary
Further reading
6
Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
7
Chapter 5: DFIR Investigations – Logs in Azure
Chapter 5: DFIR Investigations – Logs in Azure
Azure Log Analytics
Azure Virtual Networks
Azure Virtual Machines log analysis
Microsoft Sentinel
Summary
Further reading
8
Chapter 6: DFIR Investigations – Logs in GCP
Chapter 6: DFIR Investigations – Logs in GCP
GCP core services
GCP IAM
Policy Analyzer
GCP Logs Explorer
VPC Flow Logs
Packet Mirroring
Compute Engine logs
Logging Dataflow pipelines
GCP storage logs
Cloud Security Command Center (Cloud SCC)
GCP Cloud Shell
Summary
Further reading
9
Chapter 7: Cloud Productivity Suites
Chapter 7: Cloud Productivity Suites
Overview of Microsoft 365 and Google Workspace core services
IAM in Microsoft 365 and Google Workspace
Auditing and compliance features in Microsoft 365 and Google Workspace
Google Workspace Admin console and security features
Summary
Further reading
10
Part 3: Cloud Forensic Analysis – Responding to an Incident in the Cloud
Part 3: Cloud Forensic Analysis – Responding to an Incident in the Cloud
11
Chapter 8: The Digital Forensics and Incident Response Process
Chapter 8: The Digital Forensics and Incident Response Process
The basics of the incident response process
Tools and techniques for digital forensic investigations
Live forensic analysis and threat hunting
Network forensics
Malware investigations
Traditional forensics versus cloud forensics
Summary
Further reading
12
Chapter 9: Common Attack Vectors and TTPs
Chapter 9: Common Attack Vectors and TTPs
MITRE ATT&CK framework
Forensic triage collections
Host-based forensics
Misconfigured virtual machine instances
Misconfigured storage buckets
Cloud administrator portal breach
Summary
Further reading
13
Chapter 10: Cloud Evidence Acquisition
Chapter 10: Cloud Evidence Acquisition
Forensic acquisition of AWS instance
Forensic acquisition of Microsoft Azure Instances
Forensic acquisition of GCP instances
Summary
Further reading
14
Chapter 11: Analyzing Compromised Containers
Chapter 11: Analyzing Compromised Containers
What are containers?
Detecting and analyzing compromised containers
Summary
Further reading
15
Chapter 12: Analyzing Compromised Cloud Productivity Suites
Chapter 12: Analyzing Compromised Cloud Productivity Suites
Business email compromise explained
Initial scoping and response
Microsoft 365 incident response
Google Workspace incident response
Summary
Further reading
16
Index
Index
Why subscribe?
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Initial scoping and response

When responding to a BEC attack as an incident responder, the initial scoping phase is critical for understanding the breadth and depth of the incident. This phase involves gathering as much information as possible to assess the situation accurately. This initial scoping involves talking with the cloud productivity suite (Microsoft 365 or Google Workspace) IT administrators, organization general counsel, C-suite, and accounting staff to better understand the following, even before any technical forensic analysis:

  • Timeline of the attack: Understanding when the attack started is crucial. Ask when the first signs of compromise were noticed and at what point users noticed anything suspicious. This could include unusual email activity, reports of suspicious emails from within or outside the organization, or financial transactions that were flagged as anomalous. If attackers were successful in transferring any unauthorized funds, note these dates in the...
Previous Section
End of Section 3
Next Section