We’re creating a new cloud-forensic tool — click here to sign up for the Beta and be the first to try it out.

In Amazon Web Services, forensics is a little different. Below I’ve outlined some of the core techniques:

Acquiring an EC2 Instance

Drives / Volumes

To acquire the drive of a compromised instance, you have to:

1. Make snapshots of the volumes attached to the compromised instance.
2. Attach the snapshots to another instance for analysis, and mount them.

You can then analyse the disks as you normally would, using tools such as Encase or Log2Timeline.

Memory

Acquiring memory requires you either to run a traditional memory-dumping tool within the instance itself, or to run a tool such as Margarita Shotgun remotely:

margaritashotgun --server 172.1.0.10 --username root --key root_access.pem --module lime-3.13.0-74-generic.ko --filename 172.1.0.10-mem.lime

Responding

How to disable an access key

Perhaps Amazon have told you that you’ve accidentally published a key on GitHub, or you’ve identified that a host holding the key has been compromised. You can disable the key with the AWS CLI:

aws iam update-access-key --access-key-id EXAMPLE --status Inactive --user-name user

How to isolate a compromised EC2 host

You may want to isolate a compromised host to contain the infection.

There are scripts to do so here.
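The isolation step as an added example (not the scripts the post links to): the instance's security groups are swapped for a freshly created group with no rules, and the instance is deliberately left running so its memory is still there for the Margarita Shotgun step above. It assumes a configured AWS CLI; FORENSIC_CIDR, the case ID and the instance and VPC IDs are placeholders you supply.

```shell
#!/bin/sh
# Isolate a compromised EC2 instance by swapping its security groups for one
# with no rules, rather than stopping it: a stop discards the memory you still
# want to image. Example added here; not the scripts the post links to.
# Assumes a configured AWS CLI. FORENSIC_CIDR is a placeholder for your analysis
# host; when set, SSH from it stays open so memory can still be acquired.
set -eu

# With DRY_RUN=1, AWS calls are printed to stderr and a placeholder ID returned.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >&2; printf 'dry-run-id\n'
  else
    aws "$@"
  fi
}

# Tag spec recording the case and the isolated instance for chain of custody.
tag_spec() {
  printf 'ResourceType=security-group,Tags=[{Key=Case,Value=%s},{Key=Isolated,Value=%s}]' "$1" "$2"
}

# A new group has no inbound rules but an allow-all egress rule, which must be
# revoked or the host can still beacon out. Prints the new group ID.
create_isolation_sg() {
  vpc=$1; case_id=$2; inst=$3
  sg=$(aws_cmd ec2 create-security-group --group-name "isolate-$inst" \
        --description "Forensic isolation, case $case_id" --vpc-id "$vpc" \
        --tag-specifications "$(tag_spec "$case_id" "$inst")" \
        --query GroupId --output text)
  aws_cmd ec2 revoke-security-group-egress --group-id "$sg" \
    --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]' >/dev/null
  if [ -n "${FORENSIC_CIDR:-}" ]; then
    aws_cmd ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port 22 --cidr "$FORENSIC_CIDR" >/dev/null
  fi
  printf '%s\n' "$sg"
}

# Record the instance's current groups for the report (and a later restore),
# then replace all of them with the isolation group in one call.
isolate_instance() {
  inst=$1; vpc=$2; case_id=$3
  orig=$(aws_cmd ec2 describe-instances --instance-ids "$inst" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text)
  printf 'original groups of %s: %s\n' "$inst" "$orig"
  sg=$(create_isolation_sg "$vpc" "$case_id" "$inst")
  aws_cmd ec2 modify-instance-attribute --instance-id "$inst" --groups "$sg" >/dev/null
}
```

Run it first with `DRY_RUN=1 isolate_instance <instance-id> <vpc-id> <case-id>` to review every call before it touches the account.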

Further Reading

This talk provides some great additional advice on performing incident response and forensic investigations in AWS:
