With the continuous transition of computing technologies towards miniaturisation, thin clients and centrally coordinated infrastructures that are fed updates through the push-pull model, one thing seems certain – the cloud is the future.
This ongoing shift will require digital investigations to adapt too: from incident response in cloud environments and OSINT-driven investigations to cloud-based digital forensics.
In order to investigate or respond to threats, one must first understand the environment.
Regardless of who the service provider is, the cloud is a combination of physical and virtual computing resources, spread all around the world, rented on a short term / long term basis by digital “tenants”.
Learning about it can be useful for any digital investigator. And in fact, there has never been as much free educational content available as now when it comes to cloud computing.
To start off, here are some links to official cloud documentation:
- AWS: https://docs.aws.amazon.com/
- Microsoft Azure: https://docs.microsoft.com/en-us/azure/?product=featured
- Google Cloud: https://cloud.google.com/docs/overview
Reading the documentation should be the first thing to do for anybody who is only beginning to learn about the cloud services. Ideally the next step would be to try out the cloud hands on, by availing of free demos, labs or free trial subscriptions to any of the above services.
However, since free trials are limited by time, it might make more sense to take a look at some free e-books first. That way you can remain non-committed to any expense or time investment – or you can pick and choose between whatever cloud providers interest you.
Cloud OSINT
Typical cloud OSINT investigations will most likely focus on publicly available (often unintentionally exposed) online content, deployed in cloud storage resources commonly referred to as buckets (AWS, Google Cloud) or blobs (Azure).
Publicly accessible buckets / blobs can serve and display objects the way a website does – play a video or an MP3 file, display images or PDFs, etc.
Example:
https://hbfiles.blob.core.windows.net/files/127613_california_consumer_privacy_act_ccpa-is-09-20.pdf
Searching for “leaky buckets” is not just an investigative angle – it’s also done by cybersecurity experts and auditors to find gaps and eliminate non-compliance with data policies.
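When a storage URL like the one above turns up in an investigation or an audit, it helps to break it into provider, account, container and object before reporting it to the owner. The following is an added example, not part of the original post; the function name is hypothetical, the hostname patterns are approximations, and every sample URL except the Azure one from the post is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Approximate hostname shapes for the three providers named above.
_AZURE = re.compile(r"(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net")
_S3 = re.compile(r"(?:(?P<bucket>.+)\.)?s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com")
_GCS = re.compile(r"(?:(?P<bucket>.+)\.)?storage\.googleapis\.com")


def _result(provider, account, container, key):
    return {
        "provider": provider,
        "account": account,              # only Azure puts an account in the hostname
        "container": container or None,  # bucket (AWS, Google Cloud) or container (Azure)
        "object": unquote(key) or None,  # None when the URL points at the container itself
    }


def classify_storage_url(url):
    """Split a cloud storage URL into provider, account, container and object.

    Returns None when the host is not a recognised storage endpoint.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lstrip("/")
    first, _, rest = path.partition("/")

    m = _AZURE.fullmatch(host)
    if m:  # https://<account>.blob.core.windows.net/<container>/<blob>
        return _result("azure", m["account"], first, rest)

    for provider, pattern in (("aws", _S3), ("gcp", _GCS)):
        m = pattern.fullmatch(host)
        if not m:
            continue
        if m["bucket"]:  # virtual-hosted style: the bucket is in the hostname
            return _result(provider, None, m["bucket"], path)
        return _result(provider, None, first, rest)  # path style
    return None


if __name__ == "__main__":
    # The first URL is the example from the post; the second is constructed.
    for u in ("https://hbfiles.blob.core.windows.net/files/127613_california_consumer_privacy_act_ccpa-is-09-20.pdf",
              "https://example-bucket.s3.eu-west-1.amazonaws.com/reports/2021/q3.pdf"):
        print(classify_storage_url(u))
```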
Here are some useful tools for searching publicly available content in the cloud:
- Grey Hat Warfare – a searchable database of files, buckets and blobs. Allows searching various cloud resources by keywords. Full search results, listings, file extensions and other options are available through paid subscription only.
- Osint.sh Public Buckets – searches for both Amazon S3 buckets and Azure blobs. Searches can be narrowed down by keyword or file extension.
- Digi Ninja’s Bucket Finder – offline tool, download required. Checks for bucket names and then checks their public / private settings and permissions.
While web and offline tools are convenient and easily accessible, the real wealth of opportunities and options lies within GitHub and its numerous repositories created for enumerating and identifying cloud resources that should not be publicly available:
- https://github.com/initstring/cloud_enum
- https://github.com/nyxgeek/AzureAD_Autologon_Brute
- https://github.com/Parasimpaticki/sandcastle
- https://github.com/sa7mon/S3Scanner
- https://github.com/clario-tech/s3-inspector
- https://github.com/eth0izzle/bucket-stream
- https://github.com/cr0hn/festin
- https://github.com/awslabs/aws-config-rules
- https://github.com/awslabs/git-secrets
- https://github.com/jordanpotti/AWSBucketDump
The scope of the above resources is very wide and they will likely require some deeper understanding and study of the subject matter.
Luckily, there is no shortage of materials for that exact purpose.
Free courses and certificates!
1. Oracle Cloud Infrastructure
Oracle is trying to carve out their own portion of the cloud market and challenge the dominance of AWS, Microsoft and Google.
While not immensely popular at present, Oracle is hoping to expand the reach of their technology and gain recognition for their certification tracks.
That is why until the 31st December 2021, ALL of the Oracle Cloud Infrastructure training courses and certification exams are FREE.
Check out this link for more details.
Eligible Oracle training courses and exams:
2. Microsoft Azure (and more)
Microsoft decided to create an Ignite Cloud Skills Challenge and reward anybody who completes one challenge with a free certification exam. Eligible exams are not limited to cloud technologies – there are a few more options available.
Check out more details below:
Complete one challenge and earn a free Microsoft Certification exam
There are 12 challenges available to choose from, select one that’s right for you. Once you complete that challenge you will earn a free Microsoft Certification exam that can be applied to your choice from a select list of options.
The challenge begins on November 2, 2021 at 4:00 PM UTC (16:00) and ends on November 30, 2021 at 4:00 PM UTC (16:00). Make sure all modules in your challenge are complete before time runs out.
If you complete your challenge before it ends, one Microsoft Certification exam will be associated with your Learn profile on December 7, 2021. You will be notified via email when it becomes available. To see the full list of eligible exams please refer to the official rules page for more details.
Have questions? Find answers in the challenge FAQs.
Eligible Microsoft exams:
- MS-700: Managing Microsoft Teams
- MS-720: Microsoft Teams Voice Engineer
- MD-100: Windows 10
- MD-101: Managing Modern Desktops
- MB-210: Microsoft Dynamics 365 Sales
- PL-400: Microsoft Power Platform Developer
- AZ-104: Microsoft Azure Administrator
- AZ-204: Developing Solutions for Microsoft Azure
- DP-300: Administering Relational Databases on Microsoft Azure
- AZ-800: Administering Windows Server Hybrid Core Infrastructure
- AZ-801: Configuring Windows Server Hybrid Advanced Services
- MB-330: Microsoft Dynamics 365 Supply Chain Management
- SC-200: Microsoft Security Operations Analyst
- SC-300: Microsoft Identity and Access Administrator
- SC-400: Microsoft Information Protection Administrator
3. AWS
Udemy has opened up some AWS free cloud training courses that you can access here.
But more importantly, Amazon themselves have recently created the AWS re/Start program.
This is a FREE, full-time, classroom-based training / skills development course for people interested in learning about cloud computing. Eligibility for this course differs depending on the location.
Amazon is trying to attract unemployed (or under-employed) individuals with no prior knowledge of cloud technologies – so this is a great entry-level opportunity into the world of the cloud.
4. Miscellaneous FREE resources
Here are some more free resources for building cloud computing expertise: