FUSION Forensics is a digital forensics solution that captures and archives operation logs for systems running on public clouds (and on-premises). It captures protocols such as SSH and RDP and works with standard client software such as PuTTY. The system consists of jump servers that record every command and its response, archive servers that store the original logs, and a management console that administrators use to search and manage the logs and to generate audit reports of operator activity. A demo showed operators accessing external servers on a public cloud through FUSION Forensics over SSH and RDP, and administrators searching the captured logs in the management console. FUSION Forensics aims to help companies handle critical information securely when migrating systems to public clouds.
[RakutenTechConf2013] [E-4] FUSION Forensics - A Critical Information Handling Method on Public Clouds -
1. 1
FUSION Forensics
- A Critical Information Handling Method on Public Clouds -
Isao Okazaki
FUSION Communications Corporation
October 26 2013
2. 2
Agenda
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
3. 3
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I would like to talk about our company overview and our services.
4. 4
What is FUSION? – Corporate Overview
Name: FUSION COMMUNICATIONS Corporation
Established: March 13 2000
President: Takahito Aiki
Business in brief: Telecommunications carrier
Major shareholders: Rakuten Inc. (54.78%), Marubeni Corporation (38.00%)
Our company, FUSION Communications Corporation (FUSION), was established in
2000 as a telecommunications carrier.
Now FUSION is a subsidiary company of Rakuten and Marubeni.
5. 5
What is FUSION? – Service Line-ups
Phone Service
FUSION has provided Phone Service since 2001.
7. 7
What is FUSION? – Service Line-ups
Telephony Service / ISP Service / Mobile Service
We have expanded our service categories to ISP and Mobile.
8. 8
What is FUSION? – Service Line-ups
Telephony Service / ISP Service / Mobile Service / Cloud Service
Cloud Service is the newest category of FUSION.
9. 9
What is FUSION? – Cloud Service (IaaS)
We first launched a public cloud service, “FUSION Cloud” (IaaS), in 2012.
Carrier grade Service Quality of FUSION
IaaS (Apr.2012)
10. 10
What is FUSION? – Broadening Cloud Service
We have launched new cloud services, PaaS and SaaS, since October 2012.
Original and unique services
IaaS (Apr.2012)
PaaS for RMS (Oct.2012)
SaaS for File Sharing (Feb.2013)
SaaS for Log Audit (May,2013)
11. 11
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I have talked about our company overview and our services.
We are a Rakuten group company, and we have launched unique
cloud services such as FUSION Forensics.
12. 12
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I would like to talk about Digital Forensics and show you how to
handle critical information on “systems” using Digital Forensics.
13. 13
What are Digital Forensics? – Forensics
Forensic science is generally defined as the application of science to the law (*).
(*)NIST SP800-86 (http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf)
For example, a criminal investigation proceeds as follows:
Collect marks (smell, fingerprints) → Examine data → Analyze information → Report evidence
Forensic science can find or deduce who committed the crime.
That is why it contributes to deterring crime.
14. 14
What are Digital Forensics? – Digital Forensics
The process of Digital Forensics is the same as in a criminal investigation.
Generally, Digital Forensics is considered the application of science to the following
process (*).
(*) FUSION made this figure with reference to NIST SP800-86 (http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf).
Collect media → Examine data → Analyze information → Report evidence
Digital Forensics can find or deduce who operated on the information.
That is why it contributes to suppressing security incidents, including
information leakage.
15. 15
What are Digital Forensics? – Handling Critical Information(1)
What happens if a security incident occurs and we do not have a system for
digital forensics?
In that case, many problems arise across the collection, examination, analysis
and reporting steps of the digital forensics process:
Are there any logs?
Where are the logs?
Which log should I look at?
Is the log correct?
How do I analyze the logs?
It takes a long time.
There is not enough information to report.
16. 16
What are Digital Forensics? – Handling Critical Information(2)
If we do not have a system for digital forensics, a security incident takes a great
deal of effort and time to resolve.
Furthermore, the company would lose its customers' trust.
Therefore, we need a system for digital forensics to suppress security incidents
and to handle critical information on systems.
17. 17
What are Digital Forensics? – Handling Critical Information(3)
IPA (Information-technology Promotion Agency, Japan) has announced that, on the
technical side, introducing digital forensics is an effective measure against
attacks from inside the company (*).
(*)http://www.ipa.go.jp/security/fy23/reports/insider/documents/insider_report.pdf
[Figure: security incidents from outside the company and from inside the company;
conventional information security (confidentiality, integrity, availability); the
information security measures IPA announced as effective against attacks from inside
the company: technical side, introducing digital forensics; operation side, setting
appropriate access authority.]
18. 18
What are Digital Forensics? – Handling Critical Information(4)
Generally, there are three collecting methods in Digital Forensics:
①Jump Server: operators first log in to a jump server and from there log in to the
target servers, so every operation is captured on the jump server.
②Log Server: records of operations are saved as “logs” on the servers or on the
operator's PC, and a log server collects the logs from them.
③Network Traffic Capturing: a log server captures the operations from the network
traffic between operators and servers.
We adopted ①Jump Server because it can directly record all the commands
and their responses.
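As an added illustration of the jump-server method (example code written for this page, not FUSION's own software): a recorder that sits where the jump server does, runs each operator command, and stores the command together with the full response it produced. The SHA-256 chaining of the archive is an assumption of this example, added so that the examination-phase question "Is the log correct?" can be answered mechanically; the page does not describe how FUSION Forensics protects its archived originals, and the operator name, IP address and target host in the demo are made up.

```python
"""Jump-server style session recorder (added example, not FUSION's code).

Every command an operator runs through the jump host is stored together
with the full response the target produced, and each record is chained
to the previous one with SHA-256 so a modified, deleted or reordered
record in the archive can be detected later.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first record of a session


def record_hash(rec):
    """SHA-256 over every field except the hash itself, in canonical JSON form."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def run_locally(command):
    """Stand-in for the channel to the target server: runs the command in a
    local shell so the example works offline (assumption of the example)."""
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return proc.stdout + proc.stderr


class SessionRecorder:
    """One operator session from the jump server to one target server."""

    def __init__(self, operator, source_ip, target, protocol="SSH", run=run_locally):
        self.operator = operator
        self.source_ip = source_ip
        self.target = target
        self.protocol = protocol
        self._run = run
        self.records = []
        self._prev_hash = GENESIS

    def record(self, command, response=None):
        """Execute `command` (unless an already captured `response` is supplied)
        and append the command/response pair as the next chained record."""
        if response is None:
            response = self._run(command)
        rec = {
            "seq": len(self.records) + 1,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": self.operator,
            "src_ip": self.source_ip,
            "server": self.target,
            "protocol": self.protocol,
            "command": command,
            "response": response,
            "prev_hash": self._prev_hash,
        }
        rec["hash"] = record_hash(rec)
        self._prev_hash = rec["hash"]
        self.records.append(rec)
        return rec


def verify_chain(records):
    """Return (True, None) if the archive is intact, else (False, seq) for the
    first record whose content, position or link to its predecessor does not
    match what was recorded."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records, start=1):
        if (rec["seq"] != expected_seq
                or rec["prev_hash"] != prev
                or record_hash(rec) != rec["hash"]):
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None


if __name__ == "__main__":
    # Constructed demo session: operator, IP and target are made up.
    session = SessionRecorder("alice", "10.0.0.5", "web01.example.net")
    session.record("id")
    session.record("uname -a")
    print(json.dumps(session.records, indent=2))
    print("archive intact:", verify_chain(session.records))
```

The recorder only sees what passes through it, which is exactly the property the slide relies on: an operator who can reach the target without going through the jump server leaves no record, so the jump-server method depends on the target accepting connections from the jump server's key only.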
19. 19
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I have talked about Digital Forensics and shown you how to handle critical
information on “systems” using Digital Forensics.
20. 20
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I would like to talk about FUSION Forensics and show you how to handle
critical information on “public clouds” using FUSION Forensics.
21. 21
What are FUSION Forensics? – Backgrounds(1)
The trend from on-premises enterprise systems to public cloud has been
growing sharply over the past few years, driven by the advantages of public cloud in:
- Cost Effectiveness
- System Elasticity
- BCP measures
- and more
22. 22
What are FUSION Forensics? – Backgrounds(2)
The demand for handling critical information on public cloud has been
increasing, just as it has on on-premises enterprise systems.
23. 23
What are FUSION Forensics? – Backgrounds(3)
I will explain FUSION Forensics and show you how to handle critical information
on “public clouds” using FUSION Forensics.
24. 24
What are FUSION Forensics? – Introduction(1)
FUSION developed and commercialized a solution for digital forensics.
Collection: Operation Log Capturing
Examination: Archiving original logs
Analysis: Searching Logs on Management Console
Reporting: Reporting Audit Evidence Automatically
FUSION Forensics provides the environment to handle critical information.
25. 25
What are FUSION Forensics? – Introduction(2)
FUSION Forensics adopted ①Jump Server as its collecting method because it
can directly record all the commands and their responses.
Operators log in to the jump server and from there to the target servers;
all the operation logs of the operators are captured in the jump server.
26. 26
What are FUSION Forensics? – System Image(1)
[Figure: operators using client software (TeraTerm/PuTTY) connect over SSH etc.,
via private lines, the Internet or a VPC, to FUSION's jump servers (log capturing);
collecting servers pass the original logs to archive servers; administrators and
auditors use the management console (web servers) for reference, registration,
administration and audit; the targets are on-premises enterprise systems, other
clouds and the public cloud (VMs and physical servers); the figure marks a key for
the user and a key for the server.]
Supporting various systems.
27. 27
What are FUSION Forensics? – System Image(2)
Supporting SSL and key pairs on both sides, users and servers,
for secure access to public clouds.
28. 28
What are FUSION Forensics? – System Image(3)
Supporting various client software such as TeraTerm, PuTTY and more.
So, operators don't need to install specific software.
29. 29
What are FUSION Forensics? – System Image(4)
Supporting a management console, so administrators and auditors
can manage and audit operators.
30. 30
What are FUSION Forensics? – Features (1)
Capturing Protocols: SSH, Telnet, FTP, SCP, SFTP, RDP (coming in Nov.)
Client Software: Tera Term, PuTTY, OpenSSH, WinSCP, FileZilla, SFTP
Connecting to: public clouds, on-premises systems, network equipment
SSH Authentication Method: 2-step, menu
Process covered: Collection (Media)
31. 31
What are FUSION Forensics? – Features(2)
User/Server Maintenance: User Maintenance, Server Maintenance,
User/Server Access Control, Log Volume
Dashboard: Access Summary, Announcement
Log Type: Command Line, Command Response
Log Search: Time Interval, User Name, Server Name,
User/Server IP Address, Protocol, Commands, Searching Option
Log Reporting for Audit: Periodical Reporting in a specific format
Log Download: Generating CSV-formatted Logs, Log Compression with Password
Processes covered: Examination (Data), Analysis (Information), Reporting (Evidence)
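The search, audit-report and CSV-download functions listed on this slide, as an added example written for this page (it is not FUSION's management console code): the sample records, their field names and the list of commands worth flagging for an auditor are constructed assumptions; the filters mirror the search criteria named above (time interval, user name, server name, user/server IP address, protocol, commands).

```python
"""Search, audit report and CSV export over captured operation logs
(added example; the records and field names are constructed, not the
format FUSION Forensics actually stores)."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample of what a jump server captures: one record per command.
SAMPLE_LOG = [
    {"time": "2013-10-26T09:00:12Z", "user": "alice", "src_ip": "10.0.0.5",
     "server": "db01", "server_ip": "192.0.2.10", "protocol": "SSH",
     "command": "mysqldump customers > /tmp/c.sql", "response": ""},
    {"time": "2013-10-26T09:01:40Z", "user": "alice", "src_ip": "10.0.0.5",
     "server": "db01", "server_ip": "192.0.2.10", "protocol": "SFTP",
     "command": "get /tmp/c.sql", "response": "Fetching /tmp/c.sql to c.sql"},
    {"time": "2013-10-26T10:15:03Z", "user": "bob", "src_ip": "10.0.0.7",
     "server": "web01", "server_ip": "192.0.2.20", "protocol": "SSH",
     "command": "tail -n 100 /var/log/nginx/access.log", "response": "..."},
    {"time": "2013-10-26T10:22:45Z", "user": "bob", "src_ip": "10.0.0.7",
     "server": "web01", "server_ip": "192.0.2.20", "protocol": "SSH",
     "command": "sudo cat /etc/shadow", "response": "root:$6$...:15900:0:99999:7:::"},
    {"time": "2013-10-26T11:05:00Z", "user": "carol", "src_ip": "203.0.113.9",
     "server": "win01", "server_ip": "192.0.2.30", "protocol": "RDP",
     "command": "(graphical session, 00:12:31)", "response": ""},
]
FIELDS = ["time", "user", "src_ip", "server", "server_ip", "protocol", "command", "response"]

# Commands an auditor would want in the periodic report (assumed list).
SENSITIVE = [re.compile(p) for p in (r"/etc/shadow", r"\bmysqldump\b", r"\bsudo\b")]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def search(records, start=None, end=None, user=None, server=None,
           ip=None, protocol=None, command=None):
    """Apply the console's search criteria. Time bounds are inclusive,
    `ip` matches either the operator or the server address, and
    `command` is a case-insensitive substring match."""
    lo = parse_time(start) if start else None
    hi = parse_time(end) if end else None
    hits = []
    for r in records:
        t = parse_time(r["time"])
        if (lo and t < lo) or (hi and t > hi):
            continue
        if user and r["user"] != user:
            continue
        if server and r["server"] != server:
            continue
        if ip and ip not in (r["src_ip"], r["server_ip"]):
            continue
        if protocol and r["protocol"].upper() != protocol.upper():
            continue
        if command and command.lower() not in r["command"].lower():
            continue
        hits.append(r)
    return hits


def flag_sensitive(records):
    """Records whose command matches any SENSITIVE pattern (periodic audit report)."""
    return [r for r in records if any(p.search(r["command"]) for p in SENSITIVE)]


def access_summary(records):
    """Dashboard-style count of captured commands per (user, server)."""
    return Counter((r["user"], r["server"]) for r in records)


def to_csv(records):
    """CSV download of a search result, one captured command per row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    morning_ssh = search(SAMPLE_LOG, start="2013-10-26T09:00:00Z",
                         end="2013-10-26T10:30:00Z", protocol="SSH")
    print(to_csv(morning_ssh))
    for r in flag_sensitive(SAMPLE_LOG):
        print("REVIEW", r["time"], r["user"], r["server"], r["command"])
    print(access_summary(SAMPLE_LOG))
```

Note that an RDP session yields no command line to search, only the fact of the session and its screen recording, which is why the sample keeps a placeholder in the command field; searching by user, server, IP and time interval still works for it, searching by command does not.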
32. 32
What are FUSION Forensics? – Use Cases(1)
From Internal to Internal connection
Internal operators access their internal on-premises systems through
FUSION Forensics.
[Figure: ①operators access on-premises systems holding critical information
through FUSION Forensics, which records the log; ②administrators and auditors
manage and audit the operators.]
33. 33
What are FUSION Forensics? – Use Cases(2)
From Internal to External connection
Internal operators access their external servers on Public Clouds
through FUSION Forensics.
[Figure: ①operators access servers on public clouds holding critical information
through FUSION Forensics, which records the log; ②administrators and auditors
manage and audit the operators.]
34. 34
What are FUSION Forensics? – Use Cases(3)
From External to Internal connection
External vendor engineers access customers' internal on-premises
servers through FUSION Forensics.
[Figure: ①vendor engineers access on-premises systems holding critical information
through FUSION Forensics, which records the log; ②administrators and auditors
manage and audit the engineers.]
35. 35
What are FUSION Forensics? – Use Cases(4)
From External to External connection
External vendor engineers access customers' external servers on
Public Clouds through FUSION Forensics.
[Figure: ①vendor engineers access servers on public clouds holding critical
information through FUSION Forensics, which records the log; ②administrators and
auditors manage and audit the engineers.]
36. 36
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I have talked about FUSION Forensics and shown you how to handle
critical information on “public clouds” using FUSION Forensics.
37. 37
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
38. 38
FUSION Forensics Demo – SSH w/ Key Pair
First, operators access their external servers on FUSION Cloud through
FUSION Forensics using an SSH client and a key pair.
After that, administrators search and check the log through the management
console.
[Figure: ①Access (SSH and key pair) from internal operators through FUSION
Forensics, which records the log, to external servers holding critical
information; ②administrators and auditors manage and audit the operators.]
39. 39
FUSION Forensics Demo – RDP
Second, operators access their external servers on FUSION Cloud through
FUSION Forensics using RDP.
After that, administrators search and check the log through the management
console.
[Figure: ①Access (RDP) from internal operators through FUSION Forensics, which
records the log, to external servers holding critical information;
②administrators and auditors manage and audit the operators.]
40. 40
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
Summary of this part:
I have talked about the FUSION Forensics demo using SSH and RDP.
41. 41
1) What is FUSION?
2) What are Digital Forensics?
3) What are FUSION Forensics?
4) FUSION Forensics Demo
5) Conclusion
Agenda
42. 42
Conclusion
In this presentation, we introduced FUSION Forensics and showed you
how to handle critical information on public clouds using FUSION
Forensics.
Collection (Media) → Examination (Data) → Analysis (Information) → Reporting (Evidence)
44. 44
For more information,
Booth: RT1 13F Cafeteria
Web Site: www.fusioncom.co.jp/forensics/
E-mail: cloud_plan@fusioncom.co.jp
Please visit and contact us!
Editor's notes
Good afternoon everyone!
Thank you for coming to my presentation.
My name is Isao Okazaki, from FUSION Communications Corporation.
I’d like to talk to you today about FUSION Forensics, a critical information handling method on public clouds.
This is today’s Agenda.
So, let’s get started what is FUSION.
In this part, I would like to talk about our company overview and our services.
Our company, FUSION Communications Corporation, in short FUSION, was established in 2000 as a telecommunications carrier.
Now FUSION is a subsidiary company of Rakuten and Marubeni.
Next, I would like to talk about our service line-ups.
First, FUSION has provided Phone Service since 2001.
And we have broadened our B2B telephony services, such as call center solutions, pay-per-call services and an Asterisk solution.
Asterisk is an open-source IP-PBX and a very special service in Japan.
Next, We have expanded service category to ISP and Mobile.
And now, Cloud Service is the newest category of FUSION.
These are our service line-ups.
Now, let’s focus on this cloud service.
We firstly started public cloud service, FUSION Cloud (IaaS) in 2012.
One of the features is Carrier grade Service Quality of FUSION.
And after that, we have launched PaaS for RMS, SaaS for File Sharing and SaaS for Log Audit since 2012.
They are all our original and unique services and last one is the FUSION Forensics.
To sum up, I have talked about our company overview and our services.
Especially, we are one of the Rakuten group companies, and we launched unique cloud services like FUSION Forensics.
The second item is about Digital Forensics.
In this part, I would like to talk about Digital Forensics and to show you how to handle critical information on systems using Digital Forensics.
Let’s move on to the definition of Forensics.
Forensic science is generally defined as the application of science to the law.
For example, regarding criminal investigation, it is considered as follows:
First, collect marks such as smell or fingerprint of a suspected person and make data.
Next, examine the data and make information.
Third, analyze the information and make evidence. Finally, report the evidence.
So, forensics can find or deduce who did the crime, and that's why it contributes to deterring crime.
The process of Digital Forensics is the same as in a criminal investigation.
Generally, Digital Forensics is considered the application of science to the following process.
First, collecting media and make data.
Next, examine the data and make information.
Third, analyze the information and make evidence. Finally, report the evidence.
So, Digital Forensics can find or deduce who operated on the information.
That's why it contributes to suppressing security incidents, including information leakage.
Then let’s think about what happens if we don’t have the system for digital forensics and if security incident occurred.
In these cases, a lot of problems occur in the process of digital forensics as shown in this page.
Regarding collection, the problems are …., …..
Regarding examination, the problems are …., …..
Regarding analysis, the problems are …., …..
And regarding reporting, the problems are …., …..
So, if we don’t have the system for digital forensics, security incident takes so much effort and time to solve the problem.
Furthermore, the company would lose their customers’ trust.
Therefore, we need the system for digital forensics to suppress security incident and to handle critical information on systems.
Actually, IPA, which is the Information-technology Promotion Agency, Japan, announced that, regarding the technical side, introducing digital forensics is effective as a measure against attacks from inside the company.
Next, I will explain the methods of digital forensics.
Generally, there are 3 collecting methods on Digital forensics.
①Jump Server
Operators first log in to a jump server and then log in again to the target servers.
In this method, all the operation logs of the operators are captured in the jump server.
②Log Server
All records of operations are saved as “logs” on the servers or on the operator's PC, and a log server collects the logs from them.
③Network Traffic Capturing
A log server captures logs from the network. All the operations on the network are captured in the log server.
Actually, we adopted ①Jump Server for digital forensics because it can easily and correctly record all the commands and their responses of operations.
To sum up, I have talked about Digital Forensics and shown you how to handle critical information on systems using Digital Forensics.
The third item is about FUSION Forensics.
In this part, I would like to talk about FUSION Forensics and show you how to handle critical information on public clouds using FUSION Forensics.
So, let’s start by looking at the backgrounds.
The trend from on-premises enterprise systems to public cloud has been growing sharply over the past few years due to advantages in cost effectiveness, system elasticity, BCP measures and more.
Therefore, the demand of handling critical information on public cloud has been increasing as well as on-premises enterprise systems.
In this part, I will explain FUSION Forensics and show you how to handle critical information on public clouds using FUSION Forensics.
FUSION developed and commercialized one of the solutions for digital forensics.
Regarding Collection, FUSION Forensics supports Operation Log Capturing.
Regarding Examination, it supports archiving original logs.
Regarding Analysis, it supports searching logs on the management console.
And regarding Reporting, it supports reporting audit evidence automatically.
So, FUSION Forensics provides the environment to handle critical information.
And FUSION Forensics adopted ①Jump Server as the collecting method because it can directly record all the commands and their responses of operations.
That is to say, operators first log in to a jump server and then log in again to the target servers.
All the operation logs of the operators are captured in the jump server.
Next, let’s move on to the system image of FUSION Forensics.
First, FUSION Forensics supports various systems such as FUSION Cloud, other public clouds and on-premises enterprise systems.
Second, FUSION Forensics supports SSL and key pairs on both sides of users and servers for secure access to public clouds.
This is one of the most important features of this system.
Third, FUSION Forensics supports various client software such as Tera Term, PuTTY and more.
So, operators don’t need to install specific software.
Last, FUSION Forensics supports management console.
So, administrators or auditors can manage and audit operators.
Next, let’s move on to the features of FUSION Forensics.
FUSION Forensics fully supports collection process like this.
And supports examination, analysis and reporting process, respectively.
Next, let’s move on to the use cases of FUSION Forensics.
First one is from internal to internal connection, which means internal operators access their internal on-premises systems and network equipment through FUSION Forensics.
Second one is from internal to external connection, which means internal operators access their external servers on public clouds, including FUSION Cloud, through FUSION Forensics.
Third one is from external to internal connection, which means external vendor engineers access customers' internal on-premises servers and equipment through FUSION Forensics.
And fourth one is from external to external connection, which means external vendor engineers access customers' external servers on public clouds, including FUSION Cloud, through FUSION Forensics.
These are use cases of FUSION Forensics.
To sum up, I have talked about FUSION Forensics and shown you how to handle critical information on public clouds using FUSION Forensics.
The fourth item is about the Digital Forensics demo.
First demo is SSH with key pair.
First, operators access to their external servers on FUSION Cloud through FUSION Forensics using SSH client and key pair.
After that, administrators search and check the log through management console.
Second one is RDP.
Operators access to their external servers on FUSION Cloud through FUSION Forensics using RDP.
After that, administrators search and check the log through management console.
To sum up, I talked about the FUSION Forensics demo using SSH and RDP.
The last item is about conclusion.
Thank you for listening!
Finally, for more information, we have 3 contact points:
First one is our booth in this floor!
Second one is our website.
Third one is our e-mail.
Please visit and contact us!
Again, thank you for listening!