Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Cloud Forensics with F-Response

Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it. Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments. I have used it for everything from remote imaging to fast forensic triage to live memory analysis. F-Response is vendor-neutral and tool independent, essentially opening up a network pipe to remote devices and allowing the freedom of using nearly any tool in your kit. The product is so good, I really wouldn't blame them for just sitting back and counting their money. Luckily, counting money gets boring fast, so instead the folks at F-Response have kept innovating and adding value. Their latest additions are new "Connector" tools: Database, Cloud, and Email.

Now is the time to start planning how to acquire forensic copies of all that data your organization is pushing to cloud providers. Hopefully you already have established agreements and processes in place with your top tier providers. But what about all of the cloud providers you allow your employees to use? Those Gmail accounts used by the remote sales team that are now subject to a discovery order or the Amazon S-3 storage your engineering team is building upon? Nearly every law firm I have worked with recently has needed to acquire at least some form of data from a web provider without having the tools to do so. Depending on your circumstances, an F-Response Connector may be just the simple tool you need to get the job done.

F-Response Cloud Storage Connector


The F-Response Cloud Connector allows remote mounting of Amazon S3, Rackspace Cloud Files, HP Public Cloud, OpenStack Cloud Files, and Windows Azure storage. The Email Connector currently interfaces with Gmail, Yahoo! Email, and any other provider supporting the IMAP protocol, including Microsoft Office 365. Finally, the Database connector appears to be in its infancy, only supporting Microsoft Sharepoint databases at this time. The connectors are all currently included with the purchase of any F-Response product (Tactical through Enterprise Edition). The examples shown here were accomplished using the F-Response Tactical dongle provided in the SANS Forensics 508course. Since all of the connectors essentially work the same, I'll use this post to demonstrate the Email Connector tool.


First, we need to configure the account credentials.


After entering credentials, there is a handy "Test Credential" option. Also, keep in mind that you can input more than one set of credentials, allowing collection from multiple accounts simultaneously. Amazingly, Google two-factor authentication doesn't impede the process; just use the account's "Application Password" instead of login credentials.

Once credentials are in place, use the Scan tab to connect to the account(s), and the remote store will be made available as a locally mounted device (in this example, we see the Google Mail store mounted as "J:"). Behind the scenes, a local cache is created, and we now have read-only access to the remote account data via the J: mount point.


For those of you familiar with the simplicity of the F-Response model, you know what to do from here. If you are new to F-Response, a few use cases are in order.

Triage String Searching


Let's assume I do not really want to review the thousands of messages in a given email store and instead just care about the few that have a specific key word involved. Since I have a direct mount point to the email, I can use built-in tools (or better yet, a script) to perform the search. The "find" command in Windows is surprisingly useful for searching text. Here I did a simple case-insensitive search, and each line containing "gmail" is displayed. Notice how hits are grouped by file (each Gmail message is exported in the .EML format).

Forensic Acquisition


Now that we have verified that there is relevant data in our email archive, the next logical step might be to create a forensic image of the entire email archive. I employed FTK Imager using the option to acquire the "Contents of a Folder" -- in this case everything present under J:\. The result is a logical image (.ad1 format). Looking at the contents of that image shows just how much information the Email Connector collected from Gmail. Sent files, the spam folder, and even data within the account trash folder were acquired.

Data Analysis in a Full Forensics Suite


For my final example, I decided to point a commercial forensics suite (Access Data Forensic Toolkit) at the mounted email archive to perform a more complete analysis (my recommended procedure would be to create a forensic image first, and then analyze the image). I was able to index everything for fast searching, use FTK email features to drill down into mail domains (shown here), sort by mail addresses and dates, review email attachments, track replies and mail forwards, etc.


In all of these examples, the F-Response Email Connector did its job providing read-only access to the data and then getting out of the way. Use cases are only limited by your imagination (and available tools). If you have accomplished something interesting with F-Response or the new connectors, let us know in the comments!

Chad Tilbury, GCFA, has spent over twelve years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teachesFOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Responsefor the SANS Institute. Find him on Twitter @chadtilburyor at http://forensicmethods.com.

5 Comments

Posted July 18, 2013 at 9:22 AM | Permalink | Reply

Kush

Hi Chad,

This one is interesting. I was just wondering if we can simply use Outlook or any email application to configure IMAP accounts to downlaod the emails. Post that, the imaging can be done for the desired email box (pst, mbox etc.).

Is this option not valid forensic procedure. Just thinking aloud on this. Need your opinion on this.

Regards,
Kush

Posted July 31, 2013 at 3:50 AM | Permalink | Reply

Chad Tilbury

Kush - what you describe is how some organizations do web-based email collection. With a strict process and good documentation using Outlook to grab mail via IMAP is viable. However, I think the F-Response cloud connectors offer an easier alternative.

Posted July 30, 2013 at 4:40 PM | Permalink | Reply

Huub

Hi Chad,

Thanks for this interesting blog. Unfortunately the IMAP connector works fine, but Gmail/Google Apps is really sloooow. During the acquisitions last week the E-mail connector hung at every 40 messages and throttled for 10 minutes, with 9000 messages to go, this is not nice. I guess Google is throttling the bandwidth of IMAP.

Any suggestions?

Regards,
Huub

Posted July 31, 2013 at 3:46 AM | Permalink | Reply

Chad Tilbury

Huub - I would recommend reaching out to F-Response customer service to see if they have run into this issue. F-Response is renown for having amazing customer service and I am sure they can help you sort it out.

Posted September 19, 2013 at 3:36 PM | Permalink | Reply

Deron Galloway

Hi...was there an update to the gmail imap speed issue?

My company is looking at this particular solution.

Regards

Post a Comment






* Indicates a required field.