I am not sure if isolating a cloud instance can be the key way of avoiding potential digital evidence contamination. If we choose to capture information relating to evidence, why cant we create hashes? Is there a standardized way of doing this?
Isolating a cloud instance (I interpret this as removing network connectivity to a VM to prevent installed malware from receiving command and control info - assuming it has been used for criminal/illegal purposes) may not help as malware can clean up after itself, destroying logs and other evidence of its existence without needed any kind of connectivity. Moreover, a corrupted hypervisor or a dishonest system administrator could destroy evidence on the VM. A hash would not prevent contamination of files but it could detect it. It could also be worked around by a smart attacker who could see how hashing is done.
It may be possible to log critical data by using software protected in enclaves such as secured by SGX (Secure Guard Extensions) , which could be signed or even encrypted without interference from VM OS software or the hypervisor. The protected software could do things like sign log files with a key not visible to a VM's OS or hypervisor or ship logs securely to a known secure location outside of the VM or even the specific cloud.
I have put a link to SGX below.
https://software.intel.com/en-us/blogs/2013/09/26/protecting-application-secrets-with-intel-sgx
Thank you for your very informative answer @Jeff Sedayao. @Victor R Kebande, if you want more details about this very important event, please do check this International event http://sdiwc.net/conferences/icgcti2015
Thanks @ Natalie, i will go through and probably i will be a participant.
- Badges
- Science method