Virtualizing Your Forensics Lab in the Cloud Part 1: Leveraging IaaS for Your Lab
You’re most likely already using the cloud, and you probably suspect you could be using it more.
The Cloud can be unknown and it can be daunting, but it doesn’t have to be.
We’ve put together a series of articles that will hopefully shine some light on how the cloud can be used to virtualize your forensics lab. We know it’s a journey to get there; we’ve helped some of our customers along that path and we want to share the map with you too.
In this series we’ll cover some high-level concepts when it comes to leveraging cloud platforms for your lab in addition to some practical tools that you can use for setting up your environment. Here’s what you can expect to see from this series we’re calling: Virtualizing Your Forensics Lab in the Cloud:
- Reasons to leverage IaaS for your forensics lab
- Benefits of running a lab in the cloud
- A practical guide to setting up an AWS EC2 instance for Magnet AXIOM Cyber
- Security settings to keep in mind when using the cloud for your lab
- Considerations for how to work with evidence in a virtual lab
- A look forward into how the cloud can be used in the future
Part 1: Four Reasons to Leverage IaaS for Your Lab
Traditionally we think of the digital forensics lab as a series of ultra-fast, and often ultra-expensive, desktop-based workstations built to meet the demands of growing case sizes and the complexity of those cases. Adding lab capacity is an expensive proposition (more hardware or more people), and while case volume continues to grow and budgets are almost always a constraint, forensic labs need to look for alternative approaches.
In this post we look at how organizations can leverage the power and scalability of cloud-based Infrastructure-As-A-Service (IaaS) platforms such as Amazon Web Services or Microsoft Azure to create a virtual forensics lab that can quickly adapt and scale to demand as required, without the need to purchase expensive hardware.
In later installments of this series we will look at the impact we see the cloud having on digital forensics now and into the future.
What Is Infrastructure-as-A-Service?
IaaS is a cloud service model where users can deploy and access virtual machines on physical hardware owned by a cloud service provider such as Microsoft Azure or Amazon Web Services. Both Azure and AWS offer hundreds of cloud-based services providing a wealth of possibilities to build and deploy applications in the cloud.
For the purpose of this article, we will specifically be focused on AWS Elastic Compute Cloud (EC2) and Microsoft Azure Virtual Machines. These services are the closest thing to managing physical servers or desktop systems, with the major difference being that the hardware is owned and managed by the service provider. The provider is responsible for the physical facilities, hardware and hypervisor; the end user remains responsible for everything inside the virtual machine (operating system patching, installed software, accounts and credentials) and for the network access rules, identity permissions and encryption settings applied to it. Moving the lab to the cloud removes the hardware burden, not the duty to secure what runs on it.
Although there are many reasons why you’d want to leverage an IaaS platform to virtualize your lab, here are the top four:
- Potential Cost Savings: Users only pay for the compute time they use. The price of running a system is based on the power of the system (typically CPU, RAM, and storage). Effectively, you are renting a computer from the provider, and you only pay for the time that you need the system, often at rates of less than $1/hour of use. Note that this applies to compute: attached disks, images and stored evidence continue to be billed while a system is stopped, so size storage deliberately and remove what you no longer need.
- Flexible hardware options: Cloud service providers offer a broad variety of hardware and operating system configurations allowing the user to select the right system for their job.
- Speed: Virtual machines can often be provisioned and deployed in a matter of minutes and offer tools for deploying any number of VMs from scratch or based on pre-defined system templates.
- Global locations: IaaS offers a high degree of flexibility when deploying virtual machines, including the ability to choose which region to deploy the system to, complete control over networking and security, redundancy, and disaster recovery. The benefits of deploying your forensic workstation close to your target endpoints include more reliable collection and, in some cases, the ability to keep evidence within the jurisdiction where it was collected, which may help with data residency requirements.
While this list only scratches the surface, there are many great resources and training programs for getting started in the cloud:
How to Leverage the Cloud for Your Forensics Lab?
Many of the benefits above can be applied directly to expanding your Digital Forensics lab to the cloud. As an example, using AWS you can create a new virtual machine running Windows Server. Once the virtual machine has started (often in less than five minutes) you use remote desktop to log in to the machine and can begin using the system like any other server on your network. Because that remote desktop port is reachable over the internet, restrict it in the instance’s security group to your own address range rather than leaving it open to the world. From there you can install Magnet AXIOM Cyber and any other tools you typically use in your Forensics Lab. This can be considerably faster than procuring, installing, and configuring a physical server.
Cloud platforms also allow you to capture a configured machine as an image (an AMI on AWS, a managed image on Azure). These images serve as templates for future deployments: once you have a template with all your tools pre-installed, you can spin up as many virtual machines from it as you need, each identical to the one you validated.
Remember that you only pay for compute while a system is running, so you can build out as many different configurations as you need. This model provides a great deal of flexibility to deploy systems that fit the job, rather than buying a one-size-fits-all desktop system. For example, you might configure a more powerful system for processing evidence, a task that can take hours, because the higher hourly cost of a larger system is worth getting to the evidence faster. You might then configure a lower-powered, cheaper system for examinations, since that is not a resource-intensive task.
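The procedure described above (launch a Windows Server workstation, lock remote desktop down to the examiner’s address, bake the configured machine into a template, launch further workstations from it, and stop them when the work is done), worked through with the AWS CLI. This is an added example written for this article, not code from Magnet Forensics or from AWS. It assumes an existing VPC and subnet, an EC2 key pair, and CLI credentials already configured; the VPC, subnet, key-pair and CIDR values are placeholders, not real resources.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a Windows Server analysis
# workstation on EC2 built, templated and stopped with the AWS CLI.
# Placeholders: VPC_ID, SUBNET_ID, KEY_NAME and ADMIN_CIDR are assumed inputs.
set -eu

VPC_ID="${VPC_ID:-vpc-REPLACEME}"
SUBNET_ID="${SUBNET_ID:-subnet-REPLACEME}"
KEY_NAME="${KEY_NAME:-forensics-lab}"
# Examiner's public address (documentation range used as a placeholder).
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"

# Refuse to open RDP to the whole internet: require an explicit prefix and
# reject /0. Returns 0 (accept) or 1 (reject).
check_admin_cidr() {
    case "$1" in
        0.0.0.0/0|::/0|*/0) return 1 ;;
        */[0-9]|*/[0-9][0-9]|*/[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Security group allowing only RDP (3389/tcp) from ADMIN_CIDR; prints its ID.
create_lab_sg() {
    check_admin_cidr "$ADMIN_CIDR" || { echo "refusing to expose RDP to $ADMIN_CIDR" >&2; return 1; }
    local sg_id
    sg_id=$(aws ec2 create-security-group \
        --group-name forensics-lab-rdp \
        --description "RDP from examiner workstation only" \
        --vpc-id "$VPC_ID" --query GroupId --output text)
    aws ec2 authorize-security-group-ingress \
        --group-id "$sg_id" --protocol tcp --port 3389 --cidr "$ADMIN_CIDR"
    echo "$sg_id"
}

# Latest Amazon-published Windows Server 2022 AMI, resolved from the public
# SSM parameter so no AMI ID is hardcoded.
latest_windows_ami() {
    aws ssm get-parameters \
        --names /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base \
        --query 'Parameters[0].Value' --output text
}

# Launch a workstation: $1 AMI, $2 instance type (large for evidence
# processing, smaller for examination), $3 security group, $4 Name tag.
# The root volume is encrypted and IMDSv2 is required; prints the instance ID.
launch_workstation() {
    local ami="$1" itype="$2" sg_id="$3" name="$4"
    aws ec2 run-instances \
        --image-id "$ami" --instance-type "$itype" \
        --key-name "$KEY_NAME" --subnet-id "$SUBNET_ID" \
        --security-group-ids "$sg_id" \
        --metadata-options "HttpTokens=required,HttpEndpoint=enabled" \
        --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":500,"VolumeType":"gp3","Encrypted":true}}]' \
        --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$name}]" \
        --query 'Instances[0].InstanceId' --output text
}

# After the tools are installed over RDP, bake the instance into an AMI.
# create-image reboots the instance by default so the file system is
# consistent; prints the AMI ID once it is usable.
bake_template() {
    local ami_id
    ami_id=$(aws ec2 create-image --instance-id "$1" \
        --name "forensics-lab-template-$(date +%Y%m%d)" \
        --description "Windows Server with forensic tooling pre-installed" \
        --query ImageId --output text)
    aws ec2 wait image-available --image-ids "$ami_id"
    echo "$ami_id"
}

# Stopping ends the hourly compute charge; the EBS volume and the AMI's
# snapshots keep billing until deleted.
stop_when_done() {
    aws ec2 stop-instances --instance-ids "$1" >/dev/null
}

main() {
    local sg
    case "${1:-}" in
        build) sg=$(create_lab_sg)
               launch_workstation "$(latest_windows_ami)" m5.2xlarge "$sg" axiom-cyber-build ;;
        bake)  bake_template "$2" ;;
        clone) launch_workstation "$2" "$3" "$4" "axiom-cyber-$(date +%s)" ;;
        stop)  stop_when_done "$2" ;;
        *) echo "usage: $0 build | bake <instance-id> | clone <ami-id> <instance-type> <sg-id> | stop <instance-id>" >&2
           return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage follows the article’s order: `build` creates the locked-down security group and the first Windows box; after logging in over RDP and installing AXIOM Cyber, `bake <instance-id>` turns it into the template; `clone <ami-id> m5.4xlarge <sg-id>` then launches an evidence-processing box from that template (pick a smaller type for examination boxes), and `stop <instance-id>` ends compute billing when the job is done.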
Now that we’ve covered the high-level benefits of using an IaaS platform like AWS or Azure, in our next installment of Virtualizing Your Forensics Lab in the Cloud we’ll go over some of the specific benefits of virtualizing your lab including enabling the capability to perform remote collections of endpoints not connected to your corporate network.