An important part of any cybersecurity program, especially for organizations that have an infrastructure presence in the cloud, is having a robust incident response process. NIST SP 800-61 is a common standard for defining such an incident response process. An important part of the Detection & Analysis phase of the process is to have the ability to acquire evidence for forensics purposes.
Figure 3-1. The Incident Response Lifecycle from NIST SP 800-61
Acquiring evidence in the cloud has proven to have its own challenges. The offloading of undifferentiated heavy lifting provided by the shared responsibility model has proven to be a double-edged sword when it comes to incident handling in the cloud. For example, in a traditional setting, it was easy to simply “grab” a disk drive since one would have access to the hardware in a data center. Gathering other data such as memory was as easy as plugging in a USB drive preloaded with forensic tooling into the physical hardware. No longer is this the case when it comes to the cloud! Fortunately, the cloud makes it comparatively easy to codify and programmatically trigger the aforementioned forensic processes. Unlocking the power of the cloud when it comes to this category can lead to great benefits for organizations that are looking to grow their forensics capabilities in the cloud.
Further Reading from ScaleSec on the Shared Responsibility Model:
Modernizing Security: AWS Series - Security Best Practices for Serverless Applications on AWS
Managing PCI Compliance in the Cloud
Disk Acquisitions
Let us revisit the use case of “grabbing the disk drive” wherein a traditional data center, removal of the disk drive can require running a process to eject the media or (particularly in the case of a boot disk) require the machine to be powered off. In the cloud, this process is simpler and less disruptive than an eject or boot action. In AWS, the drive can simply be snapshotted to an S3 bucket.
Here’s an example command of how to perform a disk acquisition in AWS:
aws ec2 create-snapshot --volume-id vol-1234567890abcdef0 --description 'Forensics snapshot' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=purpose,Value=forensics},{Key=costcenter,Value=123}]'
This snapshot can then be copied to an S3 bucket, where it can reside for future forensic analysis. Note that the region can be different than that of the source instance:
aws ec2 copy-snapshot --region us-east-1 --source-region us-west-2 --source-snapshot-id snap-066877671789bd71b --description "Forensics copied snapshot."
Memory Acquisitions
At this point, one could surmise that acquiring memory is not as straightforward of a task as performing a disk acquisition. This assumption would be correct, as AWS does not currently have a native command-line capability to run such memory acquisitions. In most environments, the use of AWS Systems Manager can be employed to run such commands on a machine. Note that a third-party tool such as AVML (for Linux) or WinPmem (for Windows) would have to be pre-installed or installed on the fly to run the following commands.
For Linux (Shell script):
aws ssm send-command \ --document-name "AWS-RunShellScript" \ --targets '[{"Key":"InstanceIds","Values":["instance-id"]}]' \ --parameters '{"commands":["#!/bin/bash","avml --compress output.lime.compressed && aws s3 cp output.lime.compressed s3://forensics-artifacts-bucket"]}'
For Windows (Powershell):
aws ssm send-command ^
--document-name "AWS-RunPowerShellScript" ^
--targets '[{"Key":"InstanceIds","Values":["instance-id"]}]' ^
--parameters '{"commands":["Start-Process -FilePath winpmem_mini_x64.exe physmem.raw"]}'
Other Types of Acquisitions
The use of AWS Systems Manager for custom incident response functionality creates a versatile toolset that can be leveraged on the fly and orchestrated via automation. That is to say, the commands used for memory acquisitions above can be extended to acquire other types of acquisitions, such as a full disk dump and system logs.
Forensic Evidence Analysis
This blog has intentionally focused on the acquisition of forensic evidence, and not necessarily the analysis of it. This is mainly because tools that have been classically used for forensic analysis are still relevant in the analysis of cloud evidence. It is left as an exercise to the reader as to what the best tool is for performing these analytics.
Automating Security Operations
With the use of AWS Lambda, and particularly Step Functions, robust incident response workflows can be created. Our AWS SecOps Kickstart is a great way to use cloud-native services such as these to detect threats and anomalies and kick off workflows for forensics purposes. Go check it out!
