EC2 DFIR Workshop

Module Overview: Acquiring EBS Volumes

• Elastic Block Store (EBS) Volumes
• Snapshots
• Attaching an EBS Volume
• Mounting an EBS Volume

Elastic Block Store (EBS) Volumes

• The virtual hard drives used by an EC2 virtual machine are referred to as an Elastic Block Store (EBS) volume.
• An EBS volume is used to boot the operating system, but an EC2 instance can have one more than one volume.
• Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability.
• EBS Volumes reside in a single Availability Zone (“Data Center”)
• EBS Encryption encrypts the Volume using a Key from the AWS Key Management Service and it transparent to the Host OS

Snapshots

• The EBS Service provides the ability to save point-in-time snapshots of your volumes to Amazon S3
• Snapshots are stored incrementally, only the blocks changed since last snapshot are saved.
• Snapshots of an encrypted EBS volume are encrypted with the same Key
• Snapshots can be shared across regions and with other AWS Accounts or to the public (all accounts).
• If you share an encrypted snapshot it will be useless unless you have the key. In KMS, keys are unique local to a specific region in an individual AWS account.
  • Therefore, insert your key into KMS and use that to encrypt the EBS Volumes and Snapshots so you will have the key material to use in another account.
• Snapshots (for forensic purposes) can be made while the system is running with no performance impact to the host.
• Snapshots of a compromised EC2 instance should be shared with another AWS Account that is dedicated to DFIR purposes to protect the evidence.
• Snapshots should never be shared publicly, unless great care is taken. This common mistake is an easy way to leak sensitive data and keys
• The EBS Service also provides the ability to make a volume out of a snapshot
  • NOTE: It is necessary to make the Volume in the same availability zone as the EC2 instance you plan to attach it to.
• Use Tags to label the snapshot with the case number or ticket and other important data.

Attaching an EBS Volume

• The AWS Console makes it easy to attach the volume to an EC2 instance in the same availability zone.
• The console will report which device (on the EC2 instance) the volume will be attached to. For example: /dev/xvdf
• The lsblk command can be used to show the device to which the EBS Volume has been attached as shown below in IMAGE 4:

IMAGE 4: Output of the lsblk Command

Mounting an EBS Volume

Use the file command to determine the format of the partition: IMAGE 5: Using the file command to determine the format of the partition

Make a directory as the Mount Point and Mount it as read only: IMAGE 6: Using the mkdir and mount commands