EC2 DFIR Workshop

Conclusion

In this workshop we have:

• Provided an understanding of how to investigate compromised Linux EC2 Instances
• Provided an investigative methodology that works in AWS
• Demonstrated the use of popular open source forensic tools on EC2

Resources

An Incident Report Template is available at: bit.ly/KGH-IR-Report

This workshop assumes a basic understanding of incident response procedures, covered by documents such as:

• The SANS paper titled, Incident Handler’s Handbook.
• NIST SP 800-61R2 Computer Security Incident Handling Guide

For prerequisite knowledge on incident handling in AWS, the following two documents are recommended:

• Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud
• Hardening AWS Environments and Automating Incident Response for AWS Compromises