Virtualizing Your Forensics Lab in the Cloud Part 2: Benefits of Virtualizing Your Forensics Lab
In Part 1 of this series, we looked at four reasons why you’d want to virtualize your forensics lab by leveraging an IaaS such as AWS or Azure: Virtualizing Your Forensics Lab in the Cloud Part 1: Leveraging IaaS for Your Lab.
In this post, we’ll take a look at some of the benefits for your lab specifically that are gained when your lab is virtualized. So without further ado, let’s get right to it!
Off-Network Collection
As workforces become more and more geographically dispersed, collecting from remote endpoints has become more challenging. Deploying Magnet AXIOM Cyber into a virtual cloud environment allows the system to be easily configured with an external IP (often a major challenge for desktop systems) while remaining completely isolated from the rest of the lab network, creating a secure environment for collecting from any internet-connected endpoint.
To learn more about off-network collections with AXIOM Cyber, you can read this blog: Harnessing the Cloud to Collect Off-Network Endpoints using AXIOM Cyber.
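The isolation described above comes down to two things: the collection VM gets a public address so agents on remote endpoints can reach it, and it sits in its own network with no route back into the lab. The following is an added example (not Magnet's or AWS's code, and not from the original post) that builds the inbound rule set for such a VM in the shape boto3 expects and runs a pre-flight check on it before anything is applied. It assumes the examiner reaches the VM over RDP from one known address range and that remote agents connect back to the VM on a single TCP port; AGENT_PORT is a placeholder, not a documented AXIOM Cyber value.

```python
"""Inbound rules and a pre-flight isolation check for a cloud collection VM.

Hypothetical example. Assumptions (not from the original post):
  - the examiner connects over RDP (TCP 3389) from one known CIDR;
  - remote agents connect back to the VM on AGENT_PORT (placeholder value);
  - the VM lives in a dedicated VPC with no peering or VPN to the lab.
"""
import ipaddress

RDP_PORT = 3389
AGENT_PORT = 8443  # placeholder, not a documented AXIOM Cyber port

# RFC 1918 ranges: a source in one of these implies a VPN or peering path
# from the lab into the collection VPC, which defeats the isolation.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def collector_ingress_rules(examiner_cidr, agent_port=AGENT_PORT):
    """Return inbound rules in the IpPermissions shape used by boto3's
    authorize_security_group_ingress: RDP only from the examiner range,
    the agent callback port from anywhere (endpoints may be on any network)."""
    return [
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": examiner_cidr, "Description": "examiner RDP"}]},
        {"IpProtocol": "tcp", "FromPort": agent_port, "ToPort": agent_port,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "agent callback from any endpoint"}]},
    ]


def isolation_problems(rules, management_ports=(RDP_PORT, 22), world_ports=(AGENT_PORT,)):
    """Pre-flight check. Returns a list of human-readable problems (empty = OK):
    management ports must not be world-open, only the agent port may be
    world-open, and no source may be a private (lab-side) range."""
    problems = []
    for rule in rules:
        ports = range(rule["FromPort"], rule["ToPort"] + 1)
        span = f"{rule['FromPort']}-{rule['ToPort']}"
        for r in rule["IpRanges"]:
            net = ipaddress.ip_network(r["CidrIp"])
            world = net.prefixlen == 0
            if world and any(p in ports for p in management_ports):
                problems.append(f"management port {span} open to the world")
            if world and not all(p in world_ports for p in ports):
                problems.append(f"world-open ports {span} beyond the agent port")
            if any(net.subnet_of(priv) for priv in RFC1918):
                problems.append(f"private source {r['CidrIp']}: implies a VPN or peering path into the lab")
    return problems


def apply_rules(ec2, vpc_id, rules, name="axiom-cyber-collector"):
    """Create the security group in the dedicated VPC and attach the rules.
    `ec2` is a boto3 EC2 client; refuses to proceed if the pre-flight check fails."""
    problems = isolation_problems(rules)
    if problems:
        raise ValueError("refusing to apply rules: " + "; ".join(problems))
    sg = ec2.create_security_group(GroupName=name, Description="isolated collection VM", VpcId=vpc_id)
    ec2.authorize_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=rules)
    return sg["GroupId"]


if __name__ == "__main__":
    # Constructed examiner range (documentation prefix), no AWS call made here.
    rules = collector_ingress_rules("203.0.113.10/32")
    print("problems:", isolation_problems(rules) or "none")
    print("problems with world-open RDP:", isolation_problems(collector_ingress_rules("0.0.0.0/0")))
```

The check deliberately treats a private examiner source as a problem: if the examiner's RDP session arrives from a 10.x or 192.168.x address, there is a tunnel or peering between the lab and the collection VPC, and the VM is no longer the isolated system the post describes. Attach an Elastic IP to the instance separately; the rule set above only governs what may reach it.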
Cloud Investigations – In the Cloud
As our use of cloud-centric services continues to grow, so too does the need to collect data from these cloud services. Whether it is a consent-based acquisition of a user’s Dropbox or Google Drive folders, or a corporate investigation requiring the acquisition of a user’s Microsoft Office 365 data, it’s critical that the forensics system has a reliable and fast internet connection. This can present a challenge, especially in labs that are used to working completely isolated from the internet, or if the examiner happens to be working from home.
Deploying AXIOM Cyber to an IaaS cloud environment is ideal for collecting from cloud services and helps to get around some of the challenges that traditional physical labs may have:
Fast and reliable access to the internet: When doing cloud collections from a cloud service provider, you’re no longer limited by your own internet speed. Instead, you can leverage the bandwidth available to the cloud service provider, which offers incredibly fast and reliable connections.
System location: Both AWS and Azure offer data centers around the world, and when deploying a virtual machine you can choose which region to deploy to. By shortening the distance between the collection system and the target, you can increase the reliability of the acquisition. This is useful when doing remote collection of a system in a different part of the world than the forensics lab: rather than attempting to collect across long distances, organizations can deploy a VM in the same region as the target endpoint for a much faster and more reliable collection. It is also useful when data governance rules require data to stay within specific geographic zones.
Reducing network limitations: Forensics labs are sometimes completely sandboxed and isolated from outside network connections. By leveraging a cloud-based VM, users can spin up a clean, network-connected forensics system to perform the cloud collection and then, once the case has been processed, simply move the case data onto a local system. Think of it as on-demand air-gapping for the forensics systems.
The Hybrid Forensics Lab
While the cloud can offer many benefits, we recognize that there are still many questions to be answered around cloud-based forensics, which means that desktop forensics isn’t going away anytime soon and will inevitably give rise to a hybrid forensics lab. But don’t worry, you don’t have to go all-in on the cloud to begin with; cloud services offer a lot of flexibility, giving lab managers the ability to be more creative with their lab configurations.
An example of this flexible approach would be to develop a hybrid lab that combines on-premises servers with cloud-based virtual machines. Managers can now start to think about offloading low-risk or lower-priority jobs to cost-effective cloud-based hardware, freeing up local lab equipment for the more sensitive or higher-priority case types. Cloud systems can also be leveraged for remote endpoint acquisition or cloud collection and analysis, while forensics of physical devices can continue to be done internally.
Example Scenario
Let’s use an example: a lab has received a large case file that they need to process, and they know it’s going to take a long time to process the evidence. Rather than grinding the entire lab to a halt, they can now set up AXIOM Cyber to run in AWS and run the processing job in the cloud without tying up the local lab hardware. Once the job completes, they can complete their analysis directly in the cloud, or move the processed case back to a local system for analysis.
Cost, time, and resources are all optimized in this example by choosing the right system for the job!
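Both the "Reducing network limitations" point and the scenario above end the same way: processed case data is moved from the cloud VM to a local system. The step a practitioner wants around that transfer is an integrity check, so the local copy can be shown to be byte-for-byte what the cloud system produced. The following is an added example (not Magnet's code and not from the original post) that builds a SHA-256 manifest of a case directory on the cloud side and verifies the local copy against it after the transfer. The case layout it creates (a `.mfdb` file and an `Images` folder) is a constructed sample, not a statement about AXIOM's real case format.

```python
"""SHA-256 manifest for a case directory, built before transfer and verified
after. Hypothetical example; file names inside the demo are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024
MANIFEST_NAME = "case-manifest.json"  # excluded from hashing so it can live in the case dir


def sha256_file(path):
    """Hash a file in chunks so multi-gigabyte images don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_dir):
    """Map every file's case-relative POSIX path to its SHA-256 digest."""
    case_dir = Path(case_dir)
    return {p.relative_to(case_dir).as_posix(): sha256_file(p)
            for p in sorted(case_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(case_dir, manifest):
    """Persist the manifest next to the case data (run this on the cloud side)."""
    out = Path(case_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(case_dir, manifest):
    """Compare a copied case directory with the manifest (run this locally).
    Returns dict with 'missing', 'changed' and 'unexpected' path lists."""
    current = build_manifest(case_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def verify_ok(result):
    """True only when nothing is missing, changed or unexpected."""
    return not any(result.values())


def demo():
    """Constructed walkthrough: manifest a tiny fake case on the 'cloud' side,
    copy it 'locally', verify, then flip one byte in an image and verify again.
    Returns (clean_result, tampered_result)."""
    root = Path(tempfile.mkdtemp())
    try:
        cloud = root / "cloud" / "Case-0001"
        (cloud / "Images").mkdir(parents=True)
        (cloud / "Case-0001.mfdb").write_bytes(b"constructed sample case database\n" * 10)
        (cloud / "Images" / "laptop.e01").write_bytes(bytes(range(256)) * 64)
        manifest = build_manifest(cloud)
        write_manifest(cloud, manifest)

        local = root / "local" / "Case-0001"
        shutil.copytree(cloud, local)  # stands in for the actual transfer
        clean = verify_manifest(local, json.loads((local / MANIFEST_NAME).read_text()))

        with open(local / "Images" / "laptop.e01", "r+b") as f:
            f.seek(100)
            f.write(b"\x00")  # simulate a corrupted byte in transit
        tampered = verify_manifest(local, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy ok:", verify_ok(clean))
    print("after corruption:", tampered)
```

Keep the manifest (and ideally the cloud-side hash of the manifest itself) with the case notes; re-running `verify_manifest` on the local copy is then a repeatable record that the data analysed locally is the data the cloud system processed.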
In our next post we will do a complete walk-through of setting up an EC2 instance and things you will need to consider for AXIOM Cyber when creating your instance.