Pulling an image for forensic analysis is not the hardest thing in the world, and thinks to Kenneth Hartmann anyone can quickly learn how! I have long admired Ken since sitting his SANS SEC545 training. When he announced that he was working on a workshop/tutorial on how to perform forensics on EC2, I was pretty excited. I wish I would have had time to dive in sooner than now, but now is as good as ever!
Forensicate.cloud describes itself:
forensicate.cloud home pageThis is an open source project devoted to the learning and communication of forensic tools and practices in the cloud. My intention is to provide resources that cover all of the common Cloud Service Providers.
It is definitely a work-in-progress. That said, we are pleased to offer a few resources:
Directions on how to create a SIFT Workstation Amazon Machine Image – Have you been trying to figure out how to get the SIFT CLI Installer to exit cleanly without errors when installing to an Ubuntu EC2 Instance? If so, check out my alternate method.
WORKSHOP – Step by Step Walkthrough of Forensic Analysis of Amazon Linux on EC2 for Incident Responders – This is a step-by-step walkthrough of techniques that can be used to perform forensics on Amazon Linux Instances running in AWS Elastic Cloud Compute (EC2). We use various open-source tools and perform the analysis itself in the cloud. Try the workshop.
Let’s dive right into the workshop.
Ken has broken this workshop up into a few different modules so far, and each module introduction gives a solid overview of what the labs cover and why you are doing each one. For example, the first module contains no labs, but simply is an overview on you should be conducting forensics as part of your incident response plan.
Probably the best part of this lab, is that a SIFT workstation has already been provisioned for use. If anyone has ever tried to setup a SIFT workstation themselves, they know it takes quite some time. The AMI method allows you to run and
apt-get update and you’re off to the races. Which definitely helps mitigate one of my major complaints on labs and tutorials; half the time spent in the learning is just setting up an environment!
I highly recommend folks go check out this project, especially if you have just never tried out forensics in an AWS environment. It really only took a few hours to knock out, and will maybe show you some different ideas of how you can manage your incident response and forensics procedures.