EC2 DFIR Workshop
Lab 2: Preparing the Forensic Workstation
GOAL:
Provision a SIFT Workstation with updated tools to be able to analyze evidence from a compromised EC2 Workstation.
SUMMARY OF STEPS:
- Create an EC2_Responder Role
- Launch a SIFT Workstation Instance from the AMI
- Update the Instance
- Install the AWS Command Line Interface
Step 1: Create an Instance Profile
Create an Instance Profile (Role) named “EC2_Responder”
Attach the following two IAM Policies:
- AmazonEC2FullAccess
- AmazonS3FullAccess
VIDEO: Lab 2 Step 1 - Create an Instance Profile
Step 2: Launch a SIFT Workstation Instance
Click AMIs in the EC2 Console and search for ami-09106f5dc4f9a4496 with the Public AMIs filter. Make sure the Region is set to N. Virginia. Select the single result from the list of Community AMIs.
Launch a t2.xlarge Instance based on this AMI with a boot drive of at least 100 GB
Attach the EC2_Responder Role that was made in the previous step.
Attach a security group that only allows SSH from your source IP address
Tag this EC2 Instance with the “Name” set to “SIFT Workstation”
Accept the other defaults and launch the instance
NOTE: For the purposes of this lab and to save time, we are trusting the SIFT Workstation AMI that the author has shared from his AWS Account. To make your own SIFT Workstation AMI from scratch, follow this procedure.
VIDEO: Lab 2 Step 2 - Launch a SIFT Workstation Instance
STEP 3: Update the SIFT Workstation
- SSH into the SIFT Workstation. Note that the user name is “sansforensics” and the password is “forensics”
ssh sansforensics@[YOUR_IP_ADDRESS]
- Next, run the following commands to update the SIFT Workstation:
sudo apt -y update && sudo DEBIAN_FRONTEND=noninteractive apt -y upgrade
NOTE: Because this is the exact image for a local install of the SIFT Workstation, it does not require certificate-based SSH authentication. Even though the current configuration does not require it, it is highly recommended to change the configuration so that certificate-based SSH authentication is required. Changing this configuration is an exercise left to the student. See:
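The key-only SSH configuration the note leaves to the student, as an added example that is not part of the lab: a POSIX shell helper that rewrites sshd_config so password logins are refused and public-key logins stay enabled. It assumes the Ubuntu/GNU userland that SIFT ships with; run it against /etc/ssh/sshd_config only after a public key has been placed in the sansforensics user's authorized_keys and a key-based login has been confirmed, then validate with `sshd -t` and restart the ssh service.

```shell
#!/bin/sh
# Added example (not part of the lab): enforce key-based SSH logins on the
# SIFT Workstation by rewriting sshd_config. Assumes the Ubuntu/GNU userland
# that SIFT ships with. Typical use, then validate and restart sshd:
#   sudo sh harden_sshd.sh /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart ssh

# Put "key value" at the top of the file and comment out every other active
# occurrence of the keyword. sshd honours the FIRST occurrence of a keyword,
# so this also neutralises overrides hidden in Match blocks.
set_sshd_directive() {
    cfg="$1"; key="$2"; value="$3"; tmp="${cfg}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { print key " " value }
        {
            line = $0
            sub(/^[ \t]*/, "", line)               # drop indentation
            n = split(line, f, /[ \t=]+/)          # f[1] = keyword, f[2] = value
            if (n > 0 && tolower(f[1]) == tolower(key)) { print "# " $0; next }
            print
        }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Turn off password logins (including PAM keyboard-interactive prompts, which
# ChallengeResponseAuthentication controls) and keep public-key auth on.
harden_sshd_config() {
    cfg="$1"
    set_sshd_directive "$cfg" ChallengeResponseAuthentication no
    set_sshd_directive "$cfg" PasswordAuthentication no
    set_sshd_directive "$cfg" PubkeyAuthentication yes
}

# Report the effective (first active, lower-cased) value of a keyword, so the
# result can be verified before the service is restarted.
effective_sshd_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n > 1 && tolower(f[1]) == tolower(key)) { print tolower(f[2]); exit }
        }' "$1"
}

# Stand-alone use: harden the file given as the only argument and show the result.
if [ $# -eq 1 ]; then
    harden_sshd_config "$1"
    for k in PasswordAuthentication PubkeyAuthentication ChallengeResponseAuthentication; do
        printf '%s = %s\n' "$k" "$(effective_sshd_value "$1" "$k")"
    done
fi
```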
VIDEO: Lab 2 Step 3 - Update the SIFT Workstation
STEP 4: Install the AWS Command Line Interface
Install the AWS CLI using the following command:
sudo pip install awscli
NOTE: Do not use apt to install the AWS CLI, as the packaged version is older.
VIDEO: Lab 2 Step 4 - Install the AWS Command Line Interface