Step by Step Walkthrough of Forensic Analysis of Amazon Linux on EC2 for Incident Responders
This workshop will be a step-by-step walkthrough of techniques that can be used to perform forensics on Amazon Linux Instances running in AWS Elastic Cloud Compute (EC2). We use various open-source tools and perform the analysis itself in the cloud.
The purpose of this workshop is to equip security engineers with the skills necessary to investigate compromised Linux EC2 instances and discover Indicators of Compromise (IOC), the Tools, Tactics, and Procedures (TTP) used in the attack, as well as information that can help one reconstruct the timeline and determine the scope of the incident.
To get the most out of this workshop, each participant should:
- Have their own account in Amazon Web Services and have experience managing virtual machines in the EC2 service.
- Have the AWS Command Line Interface (CLI) installed and configured. See this link for installing the CLI and this link to configure it for full administrative access to one’s account.
- Be comfortable with the tasks covered in the Using Amazon EC2 with CLI tutorial and be able to SSH into Linux virtual machines launched in EC2.