Forensics in AWS

An important part of any cybersecurity program, especially for organizations that have an infrastructure presence in the cloud, is having a robust incident response process. NIST SP 800-61 is a common standard for defining such an incident response process. An important part of the Detection & Analysis phase of the process is to have the ability to acquire evidence for forensics purposes.

Figure 3-1. The Incident Response Lifecycle from NIST SP 800-61


Acquiring evidence in the cloud has proven to have its own challenges. The offloading of undifferentiated heavy lifting provided by the shared responsibility model has proven to be a double-edged sword when it comes to incident handling in the cloud. For example, in a traditional setting, it was easy to simply “grab” a disk drive since one would have access to the hardware in a data center. Gathering other data such as memory was as easy as plugging a USB drive preloaded with forensic tooling into the physical hardware. No longer is this the case when it comes to the cloud! Fortunately, because AWS exposes acquisition as API calls, the same forensic steps can be codified, tested ahead of time and triggered programmatically the moment an alert fires. Organizations looking to grow their forensics capabilities in the cloud can get a great deal out of this.

Further Reading from ScaleSec on the Shared Responsibility Model:

Modernizing Security: AWS Series - Security Best Practices for Serverless Applications on AWS

Managing PCI Compliance in the Cloud

Disk Acquisitions

Let us revisit the use case of “grabbing the disk drive.” In a traditional data center, removing a drive can require running a process to eject the media or (particularly in the case of a boot disk) powering the machine off. In the cloud, this process is simpler and non-disruptive: the instance keeps running. In AWS, the EBS volume can simply be snapshotted. A snapshot is a point-in-time, crash-consistent copy of the volume's blocks as they were when the snapshot was initiated. AWS stores snapshots in S3 behind the scenes, but a snapshot is not an object in a bucket you own; it is accessed only through the EC2 snapshot APIs.

Here’s an example command of how to perform a disk acquisition in AWS:

aws ec2 create-snapshot --volume-id vol-1234567890abcdef0 --description 'Forensics snapshot' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=purpose,Value=forensics},{Key=costcenter,Value=123}]'

The snapshot can then be copied to another region, or shared with and copied into a dedicated forensics account, so that the evidence lives outside the reach of whatever credentials the compromised workload holds. Note that the destination region can differ from that of the source instance, that the source snapshot must reach the completed state before it can be copied, and that copying an encrypted snapshot requires access to its KMS key (adding --encrypted with --kms-key-id re-encrypts the copy under a key of your choosing in the destination):

aws ec2 copy-snapshot  --region us-east-1 --source-region us-west-2 --source-snapshot-id snap-066877671789bd71b --description "Forensics copied snapshot."

Memory Acquisitions

At this point, one could surmise that acquiring memory is not as straightforward a task as performing a disk acquisition. That assumption is correct: AWS has no native API or command-line capability for memory acquisition. In most environments, AWS Systems Manager (SSM) Run Command can be used to execute commands on the instance, provided the SSM agent is running and the instance profile allows it. Note that a third-party tool such as AVML (for Linux) or WinPmem (for Windows) has to be pre-installed, or installed on the fly, to run the following commands. Keep in mind that everything executed on the host alters its state and relies on an agent that a root-level intruder could have tampered with, so keep what you run to the minimum and record it. Memory also exists only while the instance is running: take the dump before any containment step that stops or terminates the instance.

For Linux (Shell script):

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --targets '[{"Key":"InstanceIds","Values":["instance-id"]}]' \
    --parameters '{"commands":["#!/bin/bash","avml --compress output.lime.compressed && aws s3 cp output.lime.compressed s3://forensics-artifacts-bucket"]}'

For Windows (the AWS-RunPowerShellScript document; the send-command invocation itself is written for a POSIX shell, as above):

aws ssm send-command \
    --document-name "AWS-RunPowerShellScript" \
    --targets '[{"Key":"InstanceIds","Values":["instance-id"]}]' \
    --parameters '{"commands":["Start-Process -FilePath winpmem_mini_x64.exe -ArgumentList physmem.raw -Wait -NoNewWindow"]}'

The -Wait matters: without it Start-Process returns immediately and SSM reports the command as succeeded while the dump is still being written. This command also leaves physmem.raw on the instance's disk; upload it as a further command (for example with Write-S3Object from AWS Tools for PowerShell) so the image ends up alongside the rest of the evidence.
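The disk and memory acquisitions above, strung together as one runbook step, as an added example written for this article rather than code from ScaleSec or AWS. It assumes a forensics bucket and a KMS alias that only the IR team may use, avml and the AWS CLI on Linux hosts, winpmem_mini_x64.exe under C:\Tools plus AWS Tools for PowerShell (Write-S3Object) on Windows hosts, and an instance profile allowed to write to that bucket with that key; all of those names are assumptions. It snapshots the instance's root volume, waits for the snapshot, copies it into the forensics region re-encrypted under the forensics key, then runs the memory dump through SSM, polls the invocation (tolerating the InvocationDoesNotExist that GetCommandInvocation returns for a moment after SendCommand) and refuses to report success unless the dump printed a SHA-256 that can go into the chain-of-custody record.

```python
"""Acquire evidence from one EC2 instance: root-volume snapshot copied into a forensics
region under a dedicated KMS key, then a memory dump via SSM that returns the image's SHA-256."""
import re
import time

# Assumed names (not from the article): adjust to your forensics account.
FORENSICS_BUCKET = "forensics-artifacts-bucket"
FORENSICS_KMS_KEY = "alias/forensics-evidence"       # key only the IR team may use
WINPMEM = "C:\\Tools\\winpmem_mini_x64.exe"          # assumed install path on Windows
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
SSM_FAILED = {"Cancelled", "Cancelling", "TimedOut", "Failed"}


def memory_dump_commands(platform, instance_id, case_id):
    """(SSM document, commands) that dump RAM, print its SHA-256 and upload it to
    s3://bucket/case/instance/. The dump is written to the instance's own disk."""
    key = f"{case_id}/{instance_id}/{instance_id}"
    if platform == "Linux":
        out = f"/tmp/{instance_id}.lime.compressed"
        return "AWS-RunShellScript", [
            "#!/bin/bash",
            "set -euo pipefail",
            f"avml --compress {out}",
            f"sha256sum {out}",  # the hash line reaches GetCommandInvocation's stdout
            f"aws s3 cp {out} s3://{FORENSICS_BUCKET}/{key}.lime.compressed "
            f"--sse aws:kms --sse-kms-key-id {FORENSICS_KMS_KEY}",
        ]
    if platform == "Windows":
        return "AWS-RunPowerShellScript", [
            "$ErrorActionPreference = 'Stop'",
            f'$out = "$env:TEMP\\{instance_id}.raw"',
            # -Wait: without it SSM reports Success while winpmem is still writing
            f"Start-Process -FilePath {WINPMEM} -ArgumentList $out -Wait -NoNewWindow",
            "(Get-FileHash -Algorithm SHA256 $out).Hash",
            f"Write-S3Object -BucketName {FORENSICS_BUCKET} -Key {key}.raw -File $out "
            "-ServerSideEncryption 'aws:kms' "
            f"-ServerSideEncryptionKeyManagementServiceKeyId {FORENSICS_KMS_KEY}",
        ]
    raise ValueError(f"unsupported platform {platform!r}")


def _wait_snapshot(ec2, snapshot_id, poll, timeout):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        state = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]["State"]
        if state == "completed":
            return
        if state == "error":
            raise RuntimeError(f"snapshot {snapshot_id} entered state error")
        time.sleep(poll)
    raise TimeoutError(f"snapshot {snapshot_id} not completed after {timeout}s")


def snapshot_root_volume(ec2_src, src_region, ec2_forensics, instance_id, case_id,
                         poll=5.0, timeout=3600):
    """Snapshot the root volume where it is, then copy it to the forensics region.
    CopySnapshot is called on the destination client and needs a completed source."""
    inst = ec2_src.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    volume_id = next(m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]
                     if m["DeviceName"] == inst["RootDeviceName"])
    tags = [{"ResourceType": "snapshot", "Tags": [
        {"Key": "purpose", "Value": "forensics"}, {"Key": "case", "Value": case_id},
        {"Key": "source-instance", "Value": instance_id}]}]
    snapshot_id = ec2_src.create_snapshot(VolumeId=volume_id, TagSpecifications=tags,
                                          Description=f"Forensics {case_id}")["SnapshotId"]
    _wait_snapshot(ec2_src, snapshot_id, poll, timeout)
    # Encrypted=True re-encrypts the copy under the forensics key; an encrypted source also needs Decrypt on its own key
    copy_id = ec2_forensics.copy_snapshot(
        SourceRegion=src_region, SourceSnapshotId=snapshot_id, Encrypted=True,
        KmsKeyId=FORENSICS_KMS_KEY, TagSpecifications=tags,
        Description=f"Forensics {case_id} copy of {snapshot_id}")["SnapshotId"]
    _wait_snapshot(ec2_forensics, copy_id, poll, timeout)
    return volume_id, snapshot_id, copy_id


def acquire_memory(ssm, platform, instance_id, case_id, poll=5.0, timeout=7200):
    """Run the memory dump through SSM, wait for it, and return the image's SHA-256."""
    document, commands = memory_dump_commands(platform, instance_id, case_id)
    command_id = ssm.send_command(
        InstanceIds=[instance_id], DocumentName=document, Comment=f"memory acquisition {case_id}",
        Parameters={"commands": commands, "executionTimeout": [str(timeout)]})["Command"]["CommandId"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except Exception as exc:  # InvocationDoesNotExist is normal right after SendCommand
            if getattr(exc, "response", {}).get("Error", {}).get("Code") != "InvocationDoesNotExist":
                raise
            time.sleep(poll)
            continue
        if inv["Status"] == "Success":
            match = SHA256_RE.search(inv.get("StandardOutputContent", ""))
            if not match:  # an image whose hash was never recorded is not usable evidence
                raise RuntimeError(f"command {command_id} succeeded without printing a SHA-256")
            return {"command_id": command_id, "sha256": match.group(0).lower()}
        if inv["Status"] in SSM_FAILED:
            raise RuntimeError(f"command {command_id} {inv['Status']}: {inv.get('StandardErrorContent', '')[:500]}")
        time.sleep(poll)
    raise TimeoutError(f"command {command_id} still running after {timeout}s")
```

Call it with boto3 clients, for instance snapshot_root_volume(boto3.client("ec2", region_name="us-west-2"), "us-west-2", boto3.client("ec2", region_name="us-east-1"), "i-0123456789abcdef0", "IR-2021-042") followed by acquire_memory(boto3.client("ssm", region_name="us-west-2"), "Linux", "i-0123456789abcdef0", "IR-2021-042"); the functions only need objects with those method names, so they can be exercised offline with test doubles. Initiate the snapshot before the dump: the dump is written to the instance's disk, and EBS captures the blocks as of the moment the snapshot was started, so the image does not end up inside the evidence. Pair the bucket with a policy that denies s3:DeleteObject (or use Object Lock) so a compromised host cannot remove what it has already uploaded.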

Other Types of Acquisitions

Using AWS Systems Manager for custom incident response functionality creates a versatile toolset that can be leveraged on the fly and orchestrated via automation. That is to say, the commands used for memory acquisition above can be extended to collect other kinds of evidence, such as a full disk image, system logs, or listings of running processes and network connections.

Forensic Evidence Analysis

This blog has intentionally focused on the acquisition of forensic evidence, and not on its analysis. This is mainly because the tools that have classically been used for forensic analysis remain relevant for analyzing cloud evidence: a snapshot restored to a volume is still a disk image, and an AVML or WinPmem dump is still a memory image. It is left as an exercise to the reader as to which tool is best for performing that analysis.

Automating Security Operations

With the use of AWS Lambda, and particularly Step Functions, robust incident response workflows can be created. Our AWS SecOps Kickstart is a great way to use cloud-native services such as these to detect threats and anomalies and kick off workflows for forensics purposes. Go check it out!


ScaleSec AWS SecOps Kickstart


The information presented in this article is accurate as of 10/28/2021. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.


© 2021 ScaleSec. All rights reserved.