23 Dec 2022


Cloud Computing and Decryption Challenges in Digital Forensics


Law enforcement has been working to recover case-related information from encrypted files and artifacts. Two computer images contain encrypted files that law enforcement has been trying to decrypt. AccessData’s Forensic Toolkit (FTK) and Password Recovery Toolkit (PRTK) can decrypt some of these encrypted files. Additionally, the organization seeks to evaluate and understand some of the challenges in cloud computing and identify trends that can solve them. This report examines the challenges that cloud computing presents to digital forensics and their solutions, and shows the results of using FTK and PRTK to decrypt two computer images labeled Mantooth and Washer.

Cloud Computing Overview

Cloud computing is the practice of storing data and accessing it over the internet instead of on a local hard drive. It can be divided into service models such as Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Infrastructure-as-a-Service (IaaS) (“U.S. Department of Commerce, NIST”, 2011). PaaS provides shared resources, tools, and processes and mainly targets developers. IaaS offers data storage and application hosting services, while SaaS involves the provider offering software applications to the client organization. The advantage of cloud services is that they allow organizations to improve their productivity without substantial additional costs: virtual environments provide additional resources at a fraction of traditional costs. While cloud computing has several advantages, it also presents multiple challenges.


Challenges Cloud Computing Creates for Digital Forensics

The challenges of cloud computing in digital forensics include the possibility of deletion in the cloud, data location, and difficulty in data acquisition. Data stored in the cloud is organized as nodes that point to specific data, and recovering data after the nodes have been deleted makes it difficult to carry out any forensic investigation (“U.S. Department of Commerce, NIST”, 2013). Reading and analyzing log data in cloud computing is also challenging for forensic examiners. Data in the cloud could be stored in different locations around the world, and different countries have different privacy regulations. If the data is dispersed into a country where privacy laws have not been enforced, challenging legal issues result. Data transfer and movement across geographic locations present multiple uncertainties about distribution boundaries and transparency when retrieving it (Burney et al., 2016). Additionally, each service provider controls its logs differently. The lack of a universal format for log data makes it difficult for forensic investigators to identify logs and successfully investigate cybercriminal activity. Cybercriminals can also use multiple providers when carrying out an attack. In a large system, the data can change and disappear rapidly, and examiners may not know where the data is located or stored.

Cloud computing also creates several digital forensics challenges because no established digital forensic guideline exists for investigating cloud computing systems. For instance, the cloud environment could be backed up to preserve computing data; however, such a backup would only represent a snapshot of the information sent to the cloud (Aminnezhad et al., 2013). Additionally, it is not possible or practical to image all the data from the computers in the cloud. Establishing a chain of custody for data stored in the cloud can also be challenging. These challenges make the admissibility of the data in a courtroom difficult, causing further legal challenges.

The acquisition of data stored in the cloud can also be challenging. Each cloud server contains different files from various clients. Once data from a particular suspect or victim has been identified, separating it from the data of all other clients is difficult, causing privacy concerns (Nachiket, 2020). Linking specific evidence in a data file to a particular suspect is also only possible with the cloud service provider's help. There are three sources from which evidence in the cloud can be extracted: the network layer, the client side, and the cloud service provider (Gupta et al., 2019). The most critical, and the most difficult to gather evidence from, of the three sources is the cloud service provider. The service provider is often outside the investigators' jurisdiction and will require international collaboration that is time-consuming and costly.

Tools and Techniques Used to Combat Cloud Challenges

Some of the tools available to combat cloud challenges include AccessData FTK, Oxygen, XRY, and Axiom. All these digital forensics tools support cloud services. The tools also provide a web-based point from which to manage and monitor cloud infrastructure (Mikhaylov, 2017). Forensics OpenStack Tools (FROST) is an existing cloud forensic tool that communicates with the virtual machines' operating system. FROST is made available by the cloud service provider, which integrates it into the IaaS (Naaz & Siddiqui, 2016). Traditional cloud evidence collection tools such as FTK and EnCase can also collect cloud evidence and handle the disparities between traditional computing environments and cloud infrastructure. However, the existing tools, techniques, and frameworks for resolving cloud computing challenges in digital forensics are limited, and the tools and procedures need continual development.

Recommendations for Handling Encrypted Data in the Cloud

Encryption is the process of converting data from plain text into an unreadable format. The encryption selected usually depends on the amount of information, the storage type, the threats to be mitigated, and the location environment (Vorakulpipat et al., 2017). When handling data stored in the cloud, organizations should encrypt their data to prevent access by attackers and cybercriminals. Organizations can first establish policies that guide employees on how to handle encrypted data. The guidelines should articulate how storage encryption should be designed and enforced. Users who access data in the cloud should also be trained on how to handle sensitive encrypted data. The training can further protect the physical computers and mobile devices used to access data in the cloud.

The different data encryption technologies include full disk encryption, virtual disk encryption, and file encryption. Full disk encryption encrypts all data on a hard drive and allows access only after the user has been authenticated. Virtual disk encryption involves encrypting a folder or container holding several other folders and files, while file encryption encrypts individual files (Vorakulpipat et al., 2017). When handling such encrypted data, the organization should specify the type of encryption based on the files' sensitivity. It is also critical to properly handle the decryption key used to authenticate the data.

Forensic examiners may also face challenges in handling encrypted data. Authenticating encrypted data is only possible when the examiner has the decryption key. The investigator can obtain a decryption key by encouraging the suspect's cooperation in providing it. One can also examine a suspect’s devices and computer to identify the decryption key: the suspect may leave clues regarding the key, or it could be located on their computer.

Trends in Mitigating Cloud Challenges for Forensic Investigators

There have been several trends and developments in forensic investigation to mitigate cloud storage issues and challenges. One recent trend is that investigators should build their evidence on an evidence-based framework alongside their forensic practices (Sharma & Joshi, 2018). An iterative framework should be applied during forensic investigation and data acquisition in the cloud. Additionally, the recent adoption of SAS 70 (II) certification, a relatively new security standard, provides clients and forensic investigators with security features (Sharma & Joshi, 2018). However, more research should be undertaken to further improve the technical side and solve forensic investigators' challenges.

Cloud forensics is also a new trend in which cloud vendors offer forensics as a service to resolve challenges in digital forensics. One of the biggest challenges identified in cloud computing and digital forensics is data acquisition from cloud service providers. Providers that offer digital forensic services can enable easy communication with third parties and improve the legal dimension of accessing the data (Roussev et al., 2016). Clients' confidentiality and privacy will not be compromised, since the cloud forensic experts understand the specific cloud environment.

Steps Followed: Password Decryption Lab

Laboratory Number: Project 3

Date: 11/10/2020

Examiner’s Name: Mr. Iraimi

Examination Number:

Executive Summary

The requirement of this lab report is to decrypt the encrypted files in the Mantooth and Washer images. The first step involved exporting the encrypted files to a specific folder. AccessData’s Forensic Toolkit (FTK) and Password Recovery Toolkit (PRTK) were then used to decrypt the encrypted files and identify their passwords. The approach involved creating a word list in PRTK and then using a brute force attack to decrypt the files.

Forensic Questions

What is contained in the encrypted files of Mantooth and Washer images?

What is the list of master passwords found in the encrypted files?

What contents are in the files “X marks the spot” and “Those who owes.xls”?

Steps Taken

The tool used for the first step was FTK. A new case named “MantoothWasherDecryption” was created, and the Mantooth and Washer images were added. The images were first verified using their hash values. The encrypted files were then exported from the Washer and Mantooth images to a newly created encrypted files folder. The Windows registry also contained account and password information for various applications and users. The Windows registry files NTUSER, SECURITY, SYSTEM, and SAM were exported from the Washer image to the newly created encrypted files folder.

The next step in the decryption was creating a word list in FTK and using PRTK to build a dictionary from it. A word list was generated from the Mantooth and Washer hard drive images and exported to a folder named “FTK Export Wordlist”. After completing the word list, PRTK was used to create a dictionary that was later used in the attack profile. The word list previously created in FTK was added to this dictionary.

PRTK was then used for the first decryption attack. A new case was created, and the two encrypted files “Those who owes.xls” and “x marks the spot.doc” were added. The Windows registry files NTUSER, SYSTEM, and SAM were also added to the PRTK workspace. Because of the limited time available for the lab, the number of files examined was limited. Decrypting the files in PRTK resulted in the identification of their passwords, and a master password list was created for later use in decrypting other files. FTK was then used to conduct the final decryption: in the Evidence tab, the “perform automatic decryption” option was used together with the password list to decrypt the files. The results were available under decrypted files in FTK.
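The verification step above (comparing each image against its acquisition hashes before any files are exported) is the part of this procedure that underpins admissibility. The following is an added example, not code from the lab or from FTK/PRTK: it hashes an image in chunks, compares the result with the hashes recorded at acquisition, and returns a verification record per algorithm. The image paths and expected digests are examiner-supplied assumptions; the sample image used in the demo is a constructed temporary file so the script runs offline.

```python
"""Verify a forensic image against its acquisition hashes (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory


@dataclass
class VerificationRecord:
    image: str        # base name of the image file
    algorithm: str    # e.g. "md5", "sha1", "sha256"
    expected: str     # digest recorded at acquisition (examiner-supplied)
    computed: str     # digest computed now from the file on disk

    @property
    def verified(self) -> bool:
        # Tools print hex digests in mixed case, so compare case-insensitively.
        return self.expected.lower() == self.computed.lower()


def hash_file(path: str, algorithm: str) -> str:
    """Return the hex digest of the whole file, streamed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, expected: dict) -> list:
    """expected maps algorithm name -> acquisition digest; one record each."""
    name = os.path.basename(path)
    return [VerificationRecord(name, alg, digest, hash_file(path, alg))
            for alg, digest in expected.items()]


def all_verified(records: list) -> bool:
    """True only when at least one hash was checked and every one matched."""
    return bool(records) and all(r.verified for r in records)


def demo() -> bool:
    # Constructed stand-in for an evidence image: a small file with known content.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"constructed sample image" * 1000)
        path = tmp.name
    try:
        good = {"sha256": hash_file(path, "sha256")}  # matching acquisition hash
        bad = {"md5": "0" * 32}  # wrong hash: simulates an altered or mislabeled image
        return all_verified(verify_image(path, good)) and not all_verified(verify_image(path, bad))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("verification demo passed" if demo() else "verification demo failed")
```

A failed record should stop the examination until the discrepancy is explained, because every later finding inherits the image's integrity.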

Results

Figure 1: Verification of Mantooth image

Figure 2: Verification of Washer image

Figure 3: Contents of Mantooth’s and Washer’s encrypted files

Figure 4: Contents of Windows NT files

Figure 5: Transferred encrypted files

Figure 6: Creation of dictionary file using PRTK

Figure 7: Creation of “MantoothWasherProfile” using PRTK

Figure 8: Retrieved passwords in Mantooth’s and Washer’s images

The password list was generated as follows:

*smack

*ROOT#123

*Empty*

Meth

*camp

Molar

Figure 10: Contents of the “Those who owes.xls” decrypted file

Figure 11: Contents of the “X marks the spot” decrypted file

Conclusions

The FTK and PRTK tools were used to successfully decrypt hidden files in Mantooth’s and Washer’s images. FTK was used to identify the encrypted files and the Windows registry NT files, which were exported to a specific location. PRTK was used to recover the passwords and create a master word list for the brute force attack. Because of limited time, only two files were decrypted: “Those who owes.xls” and “X marks the spot”. The files' contents provided information about the amount of money owed, the specific drugs involved, and a particular meeting location.

Opinions

The contents of the files present incriminating evidence against both Mantooth and Washer. The hash values were verified, so the contents of the images are admissible in a court of law. The evidence in Mantooth’s folder showed that he owed people drug money amounting to $8,601.42. Washer’s image revealed a location for “cooking” or manufacturing drugs. Law enforcement should investigate the place.

Findings

The two encrypted files and their hidden contents were retrieved. The file named “Those who owes.xls” listed the individuals, the types of drugs, and the amounts of money owed. Washer also had the file named “X marks the spot”, which identified a specific meeting location along with a map pointing to the exact place. There were instructions that the file should be deleted and shredded. The information also showed that the location was a place for “cooking” the drugs, which implies that drugs will be manufactured in the area.

Summary

The report analyzed the challenges and trends in cloud computing and digital forensics and decrypted files from Mantooth’s and Washer’s images. Cloud computing has several advantages, such as reduced costs and a flexible working environment. However, it presents several digital forensics challenges, as data located in different countries creates legal issues in accessing it. Additionally, accessing the data requires cooperation from cloud service providers, which is time-consuming and costly. It was also identified that organizations can handle encrypted data by having clear policies and training their staff. One of the trends in cloud computing and digital forensics is cloud forensics, where cloud service providers have a team that provides forensic services. FTK and PRTK were used to identify the encrypted files in the images and decrypt them by first building a word list of possible passwords and then carrying out a brute force attack. The file titled “Those who owes.xls” held the names of individuals, the drugs, and the amounts of money owed. The file named “X marks the spot” provides information about a meeting and a location for “cooking” or manufacturing drugs. The two images revealed that the individuals had been involved in illegal activities such as distributing and manufacturing illegal drugs.

Certification

I hereby certify that the work presented above was personally performed by me and the opinions and conclusions stated are my own and based upon the work that I performed.

Signature

References

Aminnezhad, A., Dehghantanha, A., Abdullah, M. T., & Damshenas, M. (2013). Cloud forensics issues and opportunities. International Journal of Information Processing and Management, 4(4), 76.

Burney, A., Asif, M., & Abbas, Z. (2016). Forensics issues in cloud computing. Journal of Computer and Communications, 4(10), 63. http://dx.doi.org/10.4236/jcc.2016.410007

Gupta, S., Poonia, R. C., Singh, V., & Raja, L. (2019). Tier application in multi-cloud databases to improve security and service availability. In Handbook of research on cloud computing and Big Data applications in IoT (pp. 82-93). IGI Global.

Mikhaylov, I. (2017). Mobile forensics cookbook: Data acquisition, extraction, recovery techniques, and investigations using modern forensic tools. Packt Publishing Ltd.

Naaz, S., & Siddiqui, F. A. (2016). Comparative study of cloud forensics tools. Communications on Applied Electronics (CAE), ISSN 2394-4714.

Nachiket, V. (2020). Cloud forensics: Trends and challenges. International Journal of Engineering Research & Technology (IJERT), 9(9), 743-745.

Roussev, V., Ahmed, I., Barreto, A., McCulley, S., & Shanmughan, V. (2016). Cloud forensics: Tool development studies & future outlook. Digital Investigation, 18, 79-95. https://doi.org/10.1016/j.diin.2016.05.001

Sharma, S., & Joshi, N. K. (2018). Cloud computing security challenges and solutions. International Research Journal of Computer Science (IRJCS), (02).

U.S. Department of Commerce, National Institute of Standards and Technology (NIST). (2011). Cloud computing reference architecture (NIST Special Publication 500-292). http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505

U.S. Department of Commerce, National Institute of Standards and Technology (NIST). (2013). Cloud computing standards roadmap, volume II (NIST Special Publication 500-291). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-291r2.pdf

Vorakulpipat, C., Sirapaisan, S., Rattanalerdnusorn, E., & Savangsuk, V. (2017). A policy-based framework for preserving confidentiality in BYOD environments: A review of information security perspectives. Security and Communication Networks, 2017. https://doi.org/10.1155/2017/2057260
