Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 2: Preparing the Forensic Workstation


Provision a SIFT Workstation with updated tools to be able to analyze evidence from a compromised EC2 Workstation.


  1. Create an EC2_Responder Role
  2. Launch a SIFT Workstation Instance from the AMI
  3. Update the Instance
  4. Install the AWS Command Line Interface

Step 1: Create an Instance Profile

Create an Instance Profile (Role) named “EC2_Responder”

Attach the following two IAM Policies:

VIDEO: Lab 2 Step 1 - Create an Instance Profile

Step 2: Launch a SIFT Workstation Instance

Click AMIs in the EC2 Console and search for ami-0b9ef98f6dbcfe23d with the Public AMIs filter. Make sure the Region is set to N. Virginia. Select the single result from the list of Community AMIs.

Launch a t2.xlarge Instance based on this AMI with a boot drive of at least 100 GB

Attach the EC2_Responder Role that was made in the previous step.

Attach a security group that only allows SSH from your source IP address

Tag this EC2 Instance with the “Name” set to “SIFT Workstation”

Accept the other defaults and launch the instance

NOTE: For the purposes of this lab and to save time, we are trusting the SIFT Workstation AMI that the author has shared from his AWS Account. To make your own SIFT Workstation AMI from scratch, follow this procedure.

VIDEO: Lab 2 Step 2 - Launch a SIFT Workstation Instance

Step 3: Update the SIFT Workstation

ssh sansforensics@[YOUR_IP_ADDRESS]

NOTE: Because this is the exact image for a local install of the SIFT Workstation, it does not require certificate-based SSH authentication. Even though the current configuration does not require it, it is highly recommended to change the configuration so that certificate-based SSH authentication is required. Changing this configuration is an exercise left to the student. See:

VIDEO: Lab 2 Step 3 - Update the SIFT Workstation
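
The SSH hardening recommended in the note above can be checked with a short script. This is an added example, not part of the original workshop; it assumes the goal is public-key-only logins, and the function names sshd_effective and audit_sshd_keys_only are hypothetical helpers that read a copy of the server's sshd_config.

```shell
#!/bin/sh
# Added example: check that an sshd_config refuses password-style logins.

# Print the effective global value of a keyword (or of any alias in a
# '|'-separated list). sshd keeps the FIRST value it reads and keywords are
# case-insensitive; this parser also tolerates '=' before the value.
# Assumptions: Include files and Match blocks are not evaluated; confirm
# the live result with `sshd -T` on the workstation.
sshd_effective() {  # usage: sshd_effective <file> <keyword[|alias]> <default>
    awk -F '[ \t=]+' -v want="|$2|" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split
        /^#/ || $1 == "" { next }              # skip comments and blanks
        { key = tolower($1) }
        key == "match" { exit }                # global section ends here
        index(want, "|" key "|") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when public keys are the sole way in.
audit_sshd_keys_only() {  # usage: audit_sshd_keys_only <file>
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    # With UsePAM, keyboard-interactive can still prompt for a password.
    kbd='KbdInteractiveAuthentication|ChallengeResponseAuthentication'
    [ "$(sshd_effective "$1" "$kbd" yes)" = no ] ||
        { echo "FAIL: keyboard-interactive authentication is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    return "$rc"
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' > "$sample"
audit_sshd_keys_only "$sample" || echo "=> password logins are still accepted"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config before and after the change, and keep the existing SSH session open until a new key-based login has succeeded.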

Step 4: Install the AWS Command Line Interface

Install the AWS CLI using the following command:

sudo pip install awscli

NOTE: Do not use apt to install the AWS CLI, because the apt package is an older version.

VIDEO: Lab 2 Step 4 - Install the AWS Command Line Interface