EC2 DFIR Workshop
Lab 11: Determine if any security software is installed
GOAL:
Determine whether any security-related software is installed, as this can provide additional avenues to investigate.
SUMMARY OF STEPS:
- Look for AWS Systems Manager
- Look for the AWS Inspector Agent
- Look for Splunk
Step 1: Look for AWS Systems Manager
Look for AWS Systems Manager or its log:
find /mnt/linux_mount/ -name 'amazon-ssm-agen*'
VIDEO: Lab 11 Step 1 - Look for AWS Systems Manager
Step 2: Look for the AWS Inspector Agent
Look for the AWS Inspector Agent:
find /mnt/linux_mount/ -name 'awsagen*'
VIDEO: Lab 11 Step 2 - Look for the AWS Inspector Agent
Step 3: Look for Splunk
Look for Splunk daemon or configuration files:
find /mnt/linux_mount/ -name 'splunk*'
VIDEO: Lab 11 Step 3 - Look for Splunk
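The three searches above can be run as one pass that also records which agents were not found. The script below is an added example, not part of the original workshop material; the function name sweep_agents and the output format are assumptions, while the search patterns and the /mnt/linux_mount path are the ones used in Steps 1-3.

```shell
#!/bin/sh
# Added example: sweep a mounted evidence volume for the three agents
# this lab looks for, using the same -name patterns as Steps 1-3.

# One "label|pattern" pair per line.
AGENT_PATTERNS='AWS Systems Manager|amazon-ssm-agen*
AWS Inspector Agent|awsagen*
Splunk|splunk*'

# sweep_agents MOUNT_ROOT
# Prints "label<TAB>path" for every hit and "label<TAB>NOT FOUND" when a
# pattern matches nothing, so a negative result is recorded explicitly.
# Returns 2 if MOUNT_ROOT is not a directory, 0 otherwise.
sweep_agents() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "error: $root is not a directory (is the volume mounted?)" >&2
        return 2
    fi
    printf '%s\n' "$AGENT_PATTERNS" | while IFS='|' read -r label pattern; do
        # Errors from unreadable directories are discarded so they do not
        # clutter the report; sort keeps the output stable between runs.
        hits=$(find "$root" -name "$pattern" 2>/dev/null | sort)
        if [ -z "$hits" ]; then
            printf '%s\tNOT FOUND\n' "$label"
        else
            # Assumes no newlines inside file names on the image.
            printf '%s\n' "$hits" | while IFS= read -r path; do
                printf '%s\t%s\n' "$label" "$path"
            done
        fi
    done
    return 0
}

# Stand-alone use: sh sweep.sh /mnt/linux_mount
if [ "$#" -gt 0 ]; then
    sweep_agents "$1"
fi
```

Redirecting the output to a file in the case folder keeps a record of both the hits and the negative findings.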