EC2 DFIR Workshop
Module Overview: Workstation Preparation
- The Lab Environment
- Preparing the Demonstration Host Target
- Preparing the Forensic Workstation Lab
- Collecting Evidence in S3
The Lab Environment
The lab environment for this workshop consists of the following systems:
- Demonstration Target Host – This is the system that will be analyzed during the lab exercises
- Forensic Workstation – This is the system that will be used to perform the Forensic Analysis on the evidence acquired from the Demonstration Target by the Incident Response Workstation
Demonstration Host Target
This EC2 Instance will be launched from an AMI according to instructions provided in an upcoming Lab Module.
This Host will contain a variety of artifacts for us to discover during the forensic analysis labs.
Forensic Workstation
This EC2 Instance will be launched and configured according to instructions provided in the Preparing the Forensic Workstation Lab Module.
This Host is a modified version of the SANS Investigative Forensic Toolkit (SIFT). This EC2 Instance will contain the tools that we will use to analyze the evidence.
Collecting Evidence in S3
Throughout this workshop we will be moving data to an S3 bucket for preservation. As part of our preparation we will make an S3 bucket that we can use to store our evidence. S3 has two features that have value for forensics:
- Versioning - bit.ly/FC-Versioning
- Object Lock (WORM) - bit.ly/FC-ObjectLock
Understanding Object Lock
Amazon S3 Object Lock provides two retention modes: Governance and Compliance. These retention modes apply different levels of protection to your objects.
- In Governance mode, users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions. Governance mode enables you to protect objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if necessary.
- In Compliance mode, a protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account. Once an object is locked in Compliance mode, its retention mode can’t be changed and its retention period can’t be shortened.
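The following is an added example, not part of the workshop material, showing how the evidence bucket described above would be prepared with boto3: the bucket is created with Object Lock enabled (which also turns on the versioning Object Lock requires), a default retention in one of the two modes is applied, public access is blocked, and each uploaded object is locked on upload with its SHA-256 stored as metadata so the preserved copy can be re-verified later. The bucket name and region are assumptions, and the sample evidence bytes are constructed for the demonstration.

```python
"""Added example (not part of the workshop material): helpers for preparing an
evidence bucket with versioning and Object Lock, and for locking and verifying
uploaded evidence. Bucket name and region below are assumptions."""
import hashlib
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only needed for the live AWS calls in main()
except ImportError:  # the pure helpers below work without boto3 installed
    boto3 = None

EVIDENCE_BUCKET = "example-dfir-evidence-bucket"  # assumption: placeholder name
REGION = "us-west-2"                              # assumption

RETENTION_MODES = ("GOVERNANCE", "COMPLIANCE")


def object_lock_configuration(mode, days):
    """Bucket-level default retention applied to every new object version.
    mode is one of the two retention modes described above."""
    if mode not in RETENTION_MODES:
        raise ValueError("retention mode must be GOVERNANCE or COMPLIANCE")
    if days < 1:
        raise ValueError("retention period must be at least one day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def retain_until(days, now=None):
    """Explicit RetainUntilDate for a per-object lock, always in UTC."""
    now = now or datetime.now(timezone.utc)
    return now + timedelta(days=days)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def put_evidence_args(bucket, key, data, mode, days, now=None):
    """Arguments for s3.put_object that lock the object on upload and store its
    SHA-256 as user metadata so the copy in S3 can be re-verified later."""
    if mode not in RETENTION_MODES:
        raise ValueError("retention mode must be GOVERNANCE or COMPLIANCE")
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": data,
        "ObjectLockMode": mode,
        "ObjectLockRetainUntilDate": retain_until(days, now),
        "Metadata": {"sha256": sha256_hex(data)},
    }


def verify_evidence(data, stored_metadata):
    """True when the downloaded bytes match the hash recorded at upload.
    S3 returns user metadata keys in lower case."""
    return sha256_hex(data) == stored_metadata.get("sha256")


def create_evidence_bucket(s3, bucket, region, mode="COMPLIANCE", days=365):
    """Create the bucket with Object Lock on (this also enables the versioning
    Object Lock requires), set the default retention, and block public access."""
    params = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        params["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**params)
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=object_lock_configuration(mode, days)
    )
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )


def main():
    s3 = boto3.client("s3", region_name=REGION)
    create_evidence_bucket(s3, EVIDENCE_BUCKET, REGION)
    sample = b"constructed sample evidence bytes"  # stand-in for a disk image
    key = "case-0001/sample.bin"  # assumption: case-based key layout
    s3.put_object(**put_evidence_args(EVIDENCE_BUCKET, key, sample, "COMPLIANCE", 365))
    obj = s3.get_object(Bucket=EVIDENCE_BUCKET, Key=key)
    print("integrity ok:", verify_evidence(obj["Body"].read(), obj["Metadata"]))


if __name__ == "__main__":
    main()
```

Running main() needs AWS credentials with permission to create the bucket. Because a Compliance-mode lock cannot be shortened or removed by anyone, including the account root, it is worth exercising the bucket first with a short retention period (or in Governance mode) before committing real evidence under a year-long Compliance lock.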