While some may ask if this is a poor attempt at humor, we must recognize that Cloud computing has evolved from its early stages where large-scale virtual servers were created to execute multiple tasks to smaller, more readily deployable self-contained applications which consume far less resources. Single board computers such as the popular Raspberry Pi are now able to function as an extension of the Cloud by gathering data such as room temperature, humidity levels, water pressure, or power levels from attached sensors; analyzing it and sending the results to a Docker or Kubernetes container running in the Cloud to ensure the flow of normal operations.
The COVID-19 outbreak disrupted these operations when businesses disallowed their employees to work on-site and needed to rapidly shift to the Cloud, leveraging its capabilities to give their workers the ability to remotely monitor these data flows. Yet it did not come without risk as many corporations suffered a significant security incident as a result of this forced migration. Nearly three years after the start of the pandemic, some important questions can be raised when needing to conduct a digital forensic investigation in a Cloud environment: How does one gather the evidence from the connected IoT devices and virtual instances, especially when physical access is restricted or not feasible? How does one recognize when an attacker has gained a foothold in the environment? How can the environment be locked down to prevent further abuse, but still be accessible to key personnel? What tools and techniques are used in the investigation? Moreover, what goes into the final report?
After completing a successful training session at the BSidesKC 2022 conference, the Cloud Forensics Challenge team has incorporated the feedback from their students and are pleased to offer the newest edition of their training dubbed the “Lab Rat Edition” by updating the course to feature an all-day hands-on lab that simulates a traditional Cloud environment and giving attendees training on tools commonly found in the field. This training session will also teach attendees how to recognize IoCs (Indicators of Compromise), how to lock down an environment to prevent further lateral movement, how to extract the data from compromised instances and examine it for artifacts, and what should go into the final report (including post-incident analysis). Furthermore, we will go over key similarities and differences between three of the largest Cloud Service Providers.
Minimum Requirements / Student Prerequisites:
Attendees will need to have some knowledge of digital forensics and/or prior experience in Cloud computing, and we highly encourage them to bring their laptops. Minimum specs should be at least an 8th or 9th generation Intel i5 processor (or AMD equivalent) and 16GB of RAM. A Windows environment is preferred, but attendees are welcome to use MacOS or their personal flavor of Linux.
Information security professionals currently working in an Incident Response or Remediation role or are looking to expand their depth of knowledge to conduct a digital forensics investigation in a Cloud environment.
Trainer Biography / About the Instructor:
Kerry Hazelton has spent the last twenty-five years of his career between Information Technology and Security, developing a deep knowledge of systems and network support, data center operations, Cloud computing, digital forensics, and incident response. As such, he considers himself a “cybersecurity enthusiast” due to his desire and motivation to read up on the latest trends within the industry, to learn about a new exploit or tool, or his willingness to teach and share with others his experiences over the years. He is the creator of the Cloud Forensics Workshop and CTF Challenge which he has run since 2017, which is a technical workshop that focuses on learning about the science of cloud forensics and its real-world applications, followed by a CTF competition to gauge his students’ comprehension and critical-thinking skills by solving multiple puzzles in a race against each other within the allotted amount of time.
He can be found posting his random thoughts on gaming, hacking, or life in general via Twitter under the handle of @ProfKilroy.