Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Module Overview: Workstation Preparation

The Lab Environment

The lab environment for this workshop consists of the following systems:

Demonstration Host Target

This EC2 Instance will be launched from an AMI according to instructions provided in an upcoming Lab Module.

This Host will contain a variety of artifacts for us to discover during the forensic analysis labs.

Forensic Workstation

This EC2 Instance will be launched and configured according to instructions provided in the Preparing the Forensic Workstation Lab Module.

This Host is a modified version of the SANS Investigative Forensic Toolkit (SIFT). This EC2 Instance will contain the tools that we will use to analyze the evidence.

Collecting Evidence in S3

Throughout this workshop we will be moving data to an S3 bucket for preservation. As part of our preparation we will make an S3 bucket that we can use to store our evidence. S3 has two features that have value for forensics:

Understanding Object Lock

Amazon S3 Object Lock provides two retention modes: Governance and Compliance. These retention modes apply different levels of protection to your objects.
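To show how the evidence bucket from the Collecting Evidence in S3 section and the retention modes above fit together in practice, here is an added example script (not part of the workshop materials) that creates a bucket with Object Lock enabled and applies a default retention rule with the AWS CLI. It assumes AWS CLI v2 with working credentials; the bucket name and region are placeholders, and DRY_RUN=1 (the default) prints the commands instead of running them so the script can be read and exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the workshop: create an evidence bucket with
# S3 Object Lock and a default retention rule using the AWS CLI.
# Assumptions: AWS CLI v2 configured with credentials; bucket name and
# region below are placeholders. DRY_RUN=1 (default) echoes each command
# instead of executing it.
set -eu

EVIDENCE_BUCKET="${EVIDENCE_BUCKET:-example-dfir-evidence-bucket}"  # placeholder
AWS_REGION="${AWS_REGION:-us-east-1}"                                # placeholder
DRY_RUN="${DRY_RUN:-1}"

# Run an AWS CLI command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Object Lock accepts exactly two retention modes.
valid_mode() {
  case "$1" in
    GOVERNANCE|COMPLIANCE) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the JSON body for put-object-lock-configuration.
# $1 = retention mode, $2 = retention period in whole days.
build_lock_config() {
  valid_mode "$1" || { echo "invalid mode: $1 (use GOVERNANCE or COMPLIANCE)" >&2; return 1; }
  case "$2" in
    ''|*[!0-9]*) echo "days must be a positive integer: $2" >&2; return 1 ;;
  esac
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","Days":%s}}}' "$1" "$2"
}

# Create the bucket with Object Lock, apply default retention, then verify.
create_evidence_bucket() {
  mode="$1"
  days="$2"
  config="$(build_lock_config "$mode" "$days")"

  # Object Lock can only be enabled when the bucket is created; doing so
  # also turns on versioning, which Object Lock requires.
  if [ "$AWS_REGION" = "us-east-1" ]; then
    run aws s3api create-bucket \
        --bucket "$EVIDENCE_BUCKET" \
        --region "$AWS_REGION" \
        --object-lock-enabled-for-bucket
  else
    # Regions other than us-east-1 need an explicit LocationConstraint.
    run aws s3api create-bucket \
        --bucket "$EVIDENCE_BUCKET" \
        --region "$AWS_REGION" \
        --create-bucket-configuration "LocationConstraint=$AWS_REGION" \
        --object-lock-enabled-for-bucket
  fi

  # Default retention: every object uploaded afterwards is locked
  # automatically for the given number of days in the chosen mode.
  run aws s3api put-object-lock-configuration \
      --bucket "$EVIDENCE_BUCKET" \
      --object-lock-configuration "$config"

  # Read back what actually took effect rather than trusting the request.
  run aws s3api get-object-lock-configuration --bucket "$EVIDENCE_BUCKET"
}

# COMPLIANCE mode: retention cannot be shortened or removed by any user,
# which is the stronger guarantee for preserved evidence.
create_evidence_bucket COMPLIANCE 365
```

Run it as-is to see the commands, then with `DRY_RUN=0` and a real bucket name to execute them. Choose the mode deliberately: GOVERNANCE retention can be overridden by principals holding the bypass permission, while COMPLIANCE retention cannot be shortened or removed until it expires, so the mode decides who, if anyone, can alter evidence once it is stored.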