EC2 DFIR Workshop
Module Overview: File System Forensics - Part 2
- Determine if keys are present on compromised system
- Determine if any security software is installed
- Perform Virus Scans
- Search for Known Indicators of Compromise
Keys on a Compromised System
While sorting and classifying the files on the compromised volume, analysts should look in the .ssh and .aws hidden directories for the presence of private keys.
- SSH Private Keys
- AWS Access Keys
If SSH keys are needed on an EC2 instance, they should be protected with a long passphrase.
It is also recommended to list the public keys that are used to SSH to the instance.
In conjunction with the syslog, this information helps to determine who is accessing the system. This information is in the authorized_keys file.
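The two checks above, written out as an added example (this is not workshop code): it walks the .ssh and .aws directories on a mounted evidence volume, reports each private key with whether it is passphrase-protected, flags plaintext AWS credential files, and lists the type and comment of every authorized_keys entry. The mount point, the sample home directories and the key material it builds are all constructed placeholders; the passphrase check is a heuristic (the Proc-Type header for legacy PEM keys, ssh-keygen -y -P '' for new-format OpenSSH keys) and reports "unknown" when ssh-keygen is unavailable.

```sh
#!/bin/sh
# Added example: triage key material on a mounted evidence volume.
# Assumes the volume is mounted read-only at the path given as $1 (e.g. /mnt/evidence).

# Classify a private-key file as encrypted / unencrypted / unknown.
key_state() {
    f="$1"
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted                      # legacy PEM with passphrase
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # New OpenSSH format keeps the cipher name inside the base64 blob; let ssh-keygen decide.
        if command -v ssh-keygen >/dev/null 2>&1; then
            if ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1 </dev/null; then
                echo unencrypted
            else
                echo encrypted-or-unparseable   # a corrupt key lands here too
            fi
        else
            echo unknown
        fi
    else
        echo unencrypted                    # legacy PEM without a Proc-Type header
    fi
}

# One line per finding:  KIND<TAB>STATE<TAB>PATH
triage_keys() {
    mnt="$1"
    find "$mnt" -type d \( -name .ssh -o -name .aws \) 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            if grep -q 'BEGIN .*PRIVATE KEY' "$f" 2>/dev/null; then
                printf 'ssh-private\t%s\t%s\n' "$(key_state "$f")" "$f"
            elif grep -q -i 'aws_secret_access_key' "$f" 2>/dev/null; then
                printf 'aws-credentials\tplaintext\t%s\n' "$f"
            fi
        done
    done
}

# One line per authorized_keys entry:  TYPE<TAB>COMMENT<TAB>FILE
# Handles entries with an options prefix (command="...",no-pty ...) by locating the key-type field.
list_authorized_keys() {
    mnt="$1"
    find "$mnt" -type f -name authorized_keys 2>/dev/null | while IFS= read -r f; do
        awk '/^#/ || /^[[:space:]]*$/ { next }
             { for (i = 1; i <= NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                     c = ""
                     for (j = i + 2; j <= NF; j++) c = (c == "" ? $j : c " " $j)
                     printf "%s\t%s\t%s\n", $i, (c == "" ? "(no comment)" : c), FILENAME
                     break
                 } }' "$f"
    done
}

# Constructed sample volume (placeholders, not real key material) for a stand-alone run.
build_sample_volume() {
    base="$1"
    mkdir -p "$base/home/ubuntu/.ssh" "$base/home/ubuntu/.aws" "$base/home/root/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructedplaceholder' '-----END RSA PRIVATE KEY-----' \
        > "$base/home/ubuntu/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'constructedciphertext' \
        '-----END RSA PRIVATE KEY-----' > "$base/home/root/.ssh/backup.pem"
    printf '%s\n' '[default]' 'aws_access_key_id = AKIACONSTRUCTEDEXAMPLE' \
        'aws_secret_access_key = constructedsecretplaceholder' > "$base/home/ubuntu/.aws/credentials"
    printf '%s\n' '# constructed authorized_keys' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial deploy@ci' \
        'command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EConstructed== backup@bastion' \
        > "$base/home/ubuntu/.ssh/authorized_keys"
}

# Usage: sh triage_keys.sh /mnt/evidence   (no argument: run on the constructed sample)
if [ $# -ge 1 ]; then
    vol="$1"; cleanup=""
else
    vol=$(mktemp -d); build_sample_volume "$vol"; cleanup="$vol"
fi
echo "== private keys and cloud credentials =="; triage_keys "$vol"
echo "== authorized_keys entries =="; list_authorized_keys "$vol"
if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
```

Every reported authorized_keys entry should be matched against the organization's inventory of issued keys (ssh-keygen -lf authorized_keys prints the fingerprints); an entry nobody recognizes, or one carrying an unexpected command= option, is itself a lead.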
Is Security Software Installed?
Knowing if security software is installed may provide additional ideas for investigation, some examples:
- AWS Systems Manager (SSM) provides the ability to patch, configure, and audit EC2 instances to a baseline. It also allows administrators to inventory the software on EC2 instances. If the AWS Systems Manager is found, there will be additional information available via the AWS Console. SSM may be installed by default on recent images.
- AWS Inspector is Amazon’s vulnerability scanner. Finding this tool on an EC2 instance indicates that there may be vulnerability scans available via the Inspector console. Any information regarding known vulnerabilities on the EC2 instance can help focus the investigation.
- The Splunk Universal Forwarder is used by many organizations to collect and archive system logs. If it is present, the forwarder's configuration identifies which logs were shipped to Splunk, where a copy may survive even if the local logs were tampered with.
Virus Scanning
ClamAV is an open-source anti-malware scanner that comes preinstalled on the SIFT Workstation. Ensure that SIFT workstation is updated to keep the signatures current.
An AV scan helps identify malware in the file system as well as in the files recovered from unallocated space.
It is also important to identify whether any artifacts extracted from the system under analysis are dangerous before they are opened or shared.
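An added example of the scan step (not workshop code): it refreshes ClamAV signatures, scans both the mounted volume and the directory of files carved from unallocated space, and then turns the FOUND lines of the scan log into a hash list so that every detected file can be handled as an IOC. The mount point and carve directory are placeholders; clamscan and freshclam are the standard ClamAV commands, and the log parser is exercised here against a constructed scan log rather than a live scan.

```sh
#!/bin/sh
# Added example: ClamAV scan of an evidence volume plus carved files, and a parser
# that converts the scan log into sha256 IOC records.
# Assumes the ClamAV package (clamscan, freshclam) is installed on the analysis workstation.

# Portable sha256 (sha256sum on Linux, shasum on macOS); prints the hex digest only.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Update signatures, then scan. clamscan exits 0 when clean, 1 when infected files were found, 2 on error.
scan_volume() {
    mnt="$1"; carved="$2"; log="$3"
    freshclam >/dev/null 2>&1 || echo "warning: signature update failed, scanning with cached database" >&2
    # -r recurse into directories, -i print infected files only, --log keeps the full report for the case file
    clamscan -r -i --log="$log" "$mnt" "$carved"
}

# Turn "path: Signature FOUND" lines into  SHA256<TAB>SIGNATURE<TAB>PATH  records.
# A file that no longer exists (e.g. when re-parsing an old log) gets "-" as its hash.
parse_found() {
    log="$1"
    grep ' FOUND$' "$log" | while IFS= read -r line; do
        path=${line%: *}            # everything before the last ": "
        sig=${line##*: }            # everything after the last ": "
        sig=${sig% FOUND}
        if [ -f "$path" ]; then h=$(hash_file "$path"); else h=-; fi
        printf '%s\t%s\t%s\n' "$h" "$sig" "$path"
    done
}

# Usage: sh av_scan.sh /mnt/evidence /cases/carved /cases/clamscan.log
if [ $# -ge 3 ]; then
    scan_volume "$1" "$2" "$3"; rc=$?
    echo "== detections as IOC records =="
    parse_found "$3"
    exit "$rc"
fi
```

The hash column is what feeds a fleet-wide search: a detected file's sha256 can be pushed to the IOC list used in the next section, while the signature name tells the analyst which family ClamAV believes it saw. Keep the carved files and any extracted artifacts in a directory that is not on the executable path, and scan that directory with the same command before anyone opens its contents.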
Indicators of Compromise
An Indicator of Compromise (IOC) is an artifact that is observable on the file system that indicates that an intrusion or compromise has occurred.
Examples:
- Virus Signatures
- IP Addresses known to be malicious
- Malicious domain names
- Cryptographic hashes of malicious files
One of the goals of forensic analysis is to identify IOCs that can be used to search across the entire fleet, using a tool like AWS SSM or GRR Rapid Response, etc.
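A worked sweep for three of the IOC kinds listed above, added here as an example (not workshop code): it hashes every file under a mounted volume and reports those whose sha256 appears in a hash list, and greps the volume for whole-token occurrences of listed IP addresses and domain names. The IOC lists, the mount point and the sample log lines are constructed; the whole-token matching is the point worth noting, because a plain substring grep for 203.0.113.7 would also fire on 203.0.113.77.

```sh
#!/bin/sh
# Added example: sweep a mounted evidence volume for hash, IP and domain IOCs.
# Assumes the volume is mounted read-only and the IOC lists live outside it, one indicator per line.

# Portable sha256 digest of one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# hash<TAB>SHA256<TAB>PATH for every regular file whose digest is in $hashlist.
sweep_hashes() {
    mnt="$1"; hashlist="$2"
    find "$mnt" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(hash_file "$f")
        if grep -q -i -x "$h" "$hashlist"; then printf 'hash\t%s\t%s\n' "$h" "$f"; fi
    done
}

# string<TAB>INDICATOR<TAB>PATH for every text file containing a listed IP or domain.
# -F fixed strings (dots in IPs/domains are literal), -w whole tokens only, -I skip binaries,
# -o so the matched indicator is printed next to the file name.
sweep_strings() {
    mnt="$1"; list="$2"
    grep -r -o -w -F -I -f "$list" "$mnt" 2>/dev/null | sort -u | while IFS= read -r line; do
        printf 'string\t%s\t%s\n' "${line#*:}" "${line%%:*}"
    done
}

sweep_iocs() {
    sweep_hashes "$1" "$2"
    sweep_strings "$1" "$3"
}

# Constructed sample: a tiny volume with one known-bad (empty) file and two log lines.
build_sample() {
    base="$1"
    mkdir -p "$base/vol/var/log" "$base/vol/etc" "$base/vol/tmp"
    : > "$base/vol/tmp/.x"                                  # empty file, sha256 e3b0c442...b855
    printf '%s\n' 'Accepted publickey for ubuntu from 203.0.113.7 port 51022' \
                  'Accepted publickey for ubuntu from 203.0.113.77 port 51023' > "$base/vol/var/log/auth.log"
    printf '%s\n' '127.0.0.1 localhost' '198.51.100.9 bad.example.com' > "$base/vol/etc/hosts"
    printf '%s\n' 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' \
                  '0000000000000000000000000000000000000000000000000000000000000000' > "$base/ioc_hashes"
    printf '%s\n' '203.0.113.7' 'bad.example.com' > "$base/ioc_strings"
}

# Usage: sh ioc_sweep.sh /mnt/evidence ioc_hashes.txt ioc_strings.txt   (no arguments: constructed sample)
if [ $# -ge 3 ]; then
    sweep_iocs "$1" "$2" "$3"
else
    tmp=$(mktemp -d); build_sample "$tmp"
    sweep_iocs "$tmp/vol" "$tmp/ioc_hashes" "$tmp/ioc_strings"
    rm -rf "$tmp"
fi
```

Rotated logs that have been compressed (.gz) are skipped by this grep; run zgrep with the same options over those separately. The same three lists are what a fleet-wide tool such as SSM Run Command or GRR would be given, so keeping them as plain one-indicator-per-line files from the start avoids reformatting later.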