forensicate.cloud

Open Source Resources for Forensics in the Cloud

Make a SIFT Workstation AMI

It is assumed the user has an AWS Account and has installed and configured the AWS CLI.

STEP 1: Launch an Ubuntu Desktop 16.04 Amazon Machine Image

  1. Click the Launch Instance wizard
  2. Paste “Ubuntu Desktop 16.04 LTS (HVM)” in the Search for an AMI… field and hit enter to search.
  3. Select a result from the AWS Marketplace and if you trust the provenance of the image, launch it.
  4. Choose an instance type based on the AWS Marketplace vendor’s recommendation or larger.
  5. Accept the defaults on “Step 3: Configure Instance Details.”
  6. Change the size of the root drive to 40GB or larger. (Additional drives can be added for data later. At least 30 GB is needed for the SIFT Workstation boot drive.)
  7. Launch the VM into a Security Group with inbound allowed only to port 22 (SSH) from your source IP address. For now, the outbound rules need to be allow all.
  8. Finish the launch wizard by selecting your SSH key
  9. SSH into the Instance
  10. Install the updates: sudo apt-get update && sudo apt-get upgrade
  11. Download and install the latest SIFT-CLI Tool by following these install instructions here: https://github.com/sans-dfir/sift-cli#installation (Reference: https://digital-forensics.sans.org/community/downloads). The Latest Release will have the curl command to use. For example: 
    curl -Lo /usr/local/bin/sift https://github.com/sans-dfir/sift-cli/releases/download/v1.8.1/sift-cli-linux
chmod +x /usr/local/bin/sift
  12. To launch the installer, run sift install --user ubuntu