Do you have a response plan for dealing with data stored in the cloud? Do you have the necessary accounts, access, logging, and knowledge of what to do if you need to collect evidence stored in AWS, Azure, or another provider or service? Maybe your organization has fully shifted to a cloud-first approach, or perhaps it’s still thinking about it (likely somewhere in the middle), but understanding and preparing for that time is best done beforehand, not during an incident. Does it make sense to preserve and download all the relevant data and conduct your investigation completely on-premises, or are there times when you may want to do your analysis in the cloud? Your answer is likely somewhere in the middle for that as well.
In this talk, Jamie McQuaid will detail the various sources of evidence that may reside in the cloud and the prerequisites needed to access them, and discuss the best ways to collect and analyze that data so that integrity is maintained and you get all the relevant data you need for your investigation. The focus will be on data sources stored in AWS and Azure, but we will also call out situations where cloud data may need to be collected elsewhere. As with anything in DFIR, there isn’t always one answer that fits every situation, so we’ll discuss several options and will likely say “it depends” a lot.