Forensics and Security Investigations in Niche Public Cloud Environments



Amazon Web Services, Microsoft Azure, and Google Cloud Platform combined currently hold a bit over 50% of the worldwide cloud market. But what about the other half? A large corporation with a global presence or a local enterprise might find that a niche cloud provider better meets its needs. The market shares of Alibaba Cloud, IBM Cloud, and Oracle Cloud are not that far behind GCP's, and you might find yourself on one of these platforms while you respond to an incident.

During this talk, we will pick a handful of these niche cloud providers and focus on the services and data that have the highest investigative value for us. Where can we find the API logs? How can we get flow logs? Is there a packet mirroring service we could turn on? Which application and endpoint logs can we get? How can we obtain and analyze disk images of cloud instances?

Covering all the different cloud providers out there would not be feasible or even practical, so we will discuss a generic strategy that you can follow when looking for evidence. We will also look at security tools, or the lack thereof, for these niche clouds, hoping to inspire others to explore further, develop new solutions, and start new projects.

Relevant Government Agencies

Other Federal Agencies, Federal Government, State & Local Government


Event Type
Webcast


When
Mon, Jul 11, 2022, 1:00pm ET


Cost
Complimentary: $0.00




Event Sponsors

TBD


Organizer
SANS Institute

