The advantages of cloud computing for forensic analysis (an OSDFCon presentation)
Google team members are back on our blog this week for another installment of our blog series on the speakers and topics we’re offering at OSDFCon this coming October. This time, Cory Altheide and Johan Berggren, who are responsible for cloud forensics preparedness and response at Google, talked with us about the Turbinia tool they’ll be presenting Oct. 28:

BT: Your talk topic this year is “Turbinia: Cloud-scale forensics.” What drove you to research this topic, and to develop the Turbinia tool?

CA: “The Cloud” has been, well, a cloud over many forensics & incident response discussions. In the spirit of “everyone complains about the weather but nobody does anything about it,” a few years ago I began speaking about the possible *benefits* to forensics analysis the cloud could bring about. Recently, Johan & I started brainstorming how we could make these ideas a reality — not just for us, but for the broader forensics community. Turbinia is the natural evolution of that line of thought — “how can we leverage the cloud to improve forensics?”

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn?

CA: We’ll be releasing and demonstrating an open source framework for deploying, managing, and running forensic workloads on cloud platforms. It’s also ludicrously fast.

BT: What brought you into the digital forensics domain?

CA: Dumb luck. At a previous company, I had the opportunity to read a server compromise breach report provided by a third-party consultant. Coming from a Linux administration background, I noticed similarities between the process I would take to troubleshoot system issues and the process the examiner used to determine the initial point of compromise. I began experimenting with The Coroner’s Toolkit and file system debugging utilities, which was the style at the time. In due time, I managed to convince myself I knew what I was doing.

JB: The challenge to explore and understand what took place on a compromised system caught my interest early on. The university that I worked for at the time needed someone to “help take care of security” and I took on the challenge. Having a background in system administration gave me a head start on understanding how systems are supposed to work and I could apply this knowledge when doing digital forensics. The chance to learn new stuff every day is priceless.

BT: What is your favorite aspect of digital forensics?

CA: I love investigations that take me off the map into “Here Be Dragons” land. Having to research new file systems, data structures, file formats, or artifacts while under a deadline is the one aspect of digital forensics (particularly when practiced during incident response) that I don’t think I could do without.

JB: The feeling when you truly understand how a system got compromised and when you find new artifacts to back up your theories. The methodical thinking and puzzle solving.

BT: How do open source digital forensics tools make your research and/or your investigative work easier?

CA: The freedom that comes with open source tools is very… well… freeing! Proprietary tools bring proprietary workflows. Open source gives us the freedom to learn from the tool, adapt it and alter it to apply to a problem the original authors may have never encountered or conceived of.

And shipping a dongle to the cloud is still… problematic.

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

CA: The people. OSDFCon is relatively small, and has a very intimate, non-intimidating feel. It is always nice to see friends and colleagues from previous years, and engage with folks new to the field (or just new to OSDFCon).

JB: This is my first time at the conference and I am really looking forward to meeting people in the community; people that I have heard of, but never met in person. I’m also looking forward to discussing new interesting problems we can tackle with open source tools.

BT: What’s next for your research?

CA: We’d like to expand Turbinia to support more cloud platforms, and push more analysis modules into the framework. Figuring out more ways to distribute additional forensic tasks without creating bottlenecks is probably going to be the biggest challenge.

Learn more about Turbinia and the wealth of other research being presented at OSDFCon — register to attend here. We look forward to seeing you October 28!