19 research outputs found

    Forensic Collection of Electronic Evidence from Infrastructure-As-a-Service Cloud Computing

    As cloud computing becomes ubiquitous, the criminal targeting and criminal use of cloud computing is inevitable and imminent. Similarly, the need for civil forensic analyses of cloud computing has become more prevalent. Forensic investigation of cloud computing matters first requires an understanding of the technology and issues associated with the collection of electronically stored information (“ESI”) in the cloud. The misuse of the broad term “cloud computing” has caused some confusion and misinformation among legal and technology scholars, leading to a muddied and incomplete analysis of cloud-based discovery issues. Cases and academic analyses have dealt primarily with popular online services such as Gmail and Facebook, but they omit discussions of commercial cloud computing providers’ fundamental infrastructure offerings

    Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies

    The inevitable vulnerabilities and criminal targeting of cloud environments demand an understanding of how digital forensic investigations of the cloud can be accomplished. We present two hypothetical case studies of cloud crimes: child pornography hosted in the cloud, and a compromised cloud-based website. Our cases highlight shortcomings of current forensic practices and laws. We describe significant challenges with cloud forensics, including forensic acquisition, evidence preservation and chain of custody, and open problems for continued research.
    Keywords: Cloud computing, cloud forensics, digital forensics, case studies

    Privacy, Security, and Usability Tradeoffs of Telehealth from Practitioners' Perspectives

    The COVID-19 pandemic has significantly transformed the healthcare sector, with telehealth services being among the most prominent changes. The adoption of telehealth services, however, has raised new challenges, particularly in the areas of security and privacy. To better comprehend the telehealth needs and concerns of medical professionals, particularly those in private practice, we conducted a study comprising 20 semi-structured interviews with telehealth practitioners in audiology and speech therapy. Our findings indicate that private telehealth practitioners encounter difficult choices when it comes to balancing security, privacy, usability, and accessibility, particularly while caring for vulnerable populations. Additionally, the study revealed that practitioners face challenges in ensuring HIPAA compliance due to inadequate resources and a lack of technological comprehension. Policymakers and healthcare providers should take proactive measures to address these challenges, including offering resources and training to ensure HIPAA compliance and enhancing technology infrastructure to support secure and accessible telehealth

    Battle Ground: Data Collection and Labeling of CTF Games to Understand Human Cyber Operators

    Industry standard frameworks are now widespread for labeling the high-level stages and granular actions of attacker and defender behavior in cyberspace. While these labels are used for atomic actions, and to some extent for sequences of actions, there remains a need for labeled data from realistic full-scale attacks. This data is valuable for better understanding human actors' decisions, behaviors, and individual attributes. The analysis could lead to more effective attribution and disruption of attackers. We present a methodological approach and exploratory case study for systematically analyzing human behavior during a cyber offense/defense capture-the-flag (CTF) game. We describe the data collection and analysis to derive a metric called keystroke accuracy. After collecting players' commands, we label them using the MITRE ATT&CK framework using a new tool called Pathfinder. We present results from preliminary analysis of participants' keystroke accuracy and its relation to score outcome in CTF games. We describe frequency of action classification within the MITRE ATT&CK framework and discuss some of the mathematical trends suggested by our observations. We conclude with a discussion of extensions for the methodology, including performance evaluation during games and the potential use of this methodology for training artificial intelligence.
    Comment: 9 pages, accepted to 2023 Workshop on Cyber Security Experimentation and Test (CSET)

    Systemic Risk and Vulnerability Analysis of Multi-cloud Environments

    With the increasing use of multi-cloud environments, security professionals face challenges in configuration, management, and integration due to uneven security capabilities and features among providers. As a result, a fragmented approach toward security has been observed, leading to new attack vectors and potential vulnerabilities. Other research has focused on single-cloud platforms or specific applications of multi-cloud environments. Therefore, there is a need for a holistic security and vulnerability assessment and defense strategy that applies to multi-cloud platforms. We perform a risk and vulnerability analysis to identify attack vectors from software, hardware, and the network, as well as interoperability security issues in multi-cloud environments. Applying the STRIDE and DREAD threat modeling methods, we present an analysis of the ecosystem across six attack vectors: cloud architecture, APIs, authentication, automation, management differences, and cybersecurity legislation. We quantitatively determine and rank the threats in multi-cloud environments and suggest mitigation strategies.
    Comment: 27 pages, 9 figures

    Sonification with music for cybersecurity situational awareness

    Presented at the 25th International Conference on Auditory Display (ICAD 2019), 23-27 June 2019, Northumbria University, Newcastle upon Tyne, UK.
    Cyber defenders work in stressful, information-rich, and high-stakes environments. While other researchers have considered sonification for security operations centers (SOCs), the mappings of network events to sound parameters have produced aesthetically unpleasing results. This paper proposes a novel sonification process for transforming data about computer network traffic into music. The musical cues relate to notable network events in such a way as to minimize the amount of training time a human listener would need in order to make sense of the cues. We demonstrate our technique on a dataset of 708 million authentication events over nine continuous months from an enterprise network. We illustrate a volume-centric approach in relation to the amplitude of the input data, and also a volumetric approach mapping the input data signal into the number of notes played. The resulting music prioritizes aesthetics over bandwidth to balance performance with adoption

    Invisible Security: Protecting Users with No Time to Spare

    Presented online via Bluejeans Events and in-person in the CODA Building, 9th floor atrium on November 5, 2021 at 12:30 p.m.
    Dr. Josiah Dykstra is a Technical Fellow in the Cybersecurity Collaboration Center at the National Security Agency (NSA). He advises leadership and employees on technical matters for integrated cybersecurity operations and provides overall technical direction on projects and programs that enable high impact operational effects in the cyber domain and deny adversaries the ability to influence, exploit, or threaten cyber and information infrastructure domains.
    Runtime: 45:11 minutes
    For over 50 years, the cybersecurity community has sought to protect vulnerable systems and users from victimization. Despite ongoing and valiant work at adoption and usability, some users cannot or will not avail themselves of necessary cybersecurity measures. Average, non-expert users, particularly those in small businesses, cannot afford to devote time to cybersecurity. Instead of accepting the risk of no security, alternatives are possible which achieve both security outcomes and conservation of time. In this talk, we explore the paradigm of invisible security focused on creating cyber defenses that occur automatically without end user intervention. We present examples consistent with this approach in existence today, including automatic software updates and protective DNS. Then we describe how invisible defenses may aid potential beneficiaries in health care, the defense industrial base, and the general public. Finally, we present benefits and limitations of the approach and propose areas of future research and innovation

    Digital Forensics for Infrastructure-as-a-Service Cloud Computing

    We identify important issues in the application of digital forensics to Infrastructure-as-a-Service cloud computing and develop new practical forensic tools and techniques to facilitate forensic exams of the cloud. When investigating suspected cases involving cloud computing, forensic examiners have been poorly equipped to deal with the technical and legal challenges. Because data in the cloud are remote, distributed, and elastic, these challenges include understanding the cloud environment, acquiring and analyzing data remotely, and applying the law to a new domain. Today digital forensics for cloud computing is challenging at best, but can be performed in a manner consistent with federal law using the tools and techniques we developed. The first problem is understanding how and why criminal and civil actions in and against cloud computing are unique and difficult to prosecute. We analyze a digital forensic investigation of crime in the cloud, and present two hypothetical case studies that illustrate the unique challenges of acquisition, chain of custody, trust, and forensic integrity. Understanding these issues introduces legal challenges which are also important for federal, state, and local law enforcement who will soon be called upon to conduct cloud investigations. The second problem is the lack of practical technical tools to conduct cloud forensics. We examine the capabilities for forensics today, evaluate the use of existing tools including EnCase and FTK, and discuss why these tools are incapable of trustworthy cloud acquisition. We design consumer-driven forensic capabilities for OpenStack, including new features for acquiring trustworthy firewall logs, API logs, and disk images. The third problem is a deficit of legal instruments for seizing cloud-based electronically-stored information. 
    We analyze the application of existing policies and laws to the new domain of cloud computing by analyzing case law and legal opinions about digital evidence discovery, and suggest modifications that would enhance the prosecution of cloud-based crimes. We offer guidance about how to author a search warrant for cloud data, and what pertinent data to request. This dissertation enhances our understanding of the technical, trust, and legal issues involved in investigating cloud-based crimes and offers new tools and techniques to facilitate such investigations