Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Module Overview: File System Forensics - Part 2

Keys on a Compromised System

While sorting and classifying the files on the compromised volume, analysts should look in the .ssh and .aws hidden directories for the presence of private keys.

If SSH keys are needed on an EC2 instance, they should be protected with a long passphrase.

It is also recommended to list the public keys that are used to SSH to the instance. In conjunction with the syslog, this information helps to determine who is accessing system. This information is in the authorized_keys file

Is Security Software Installed?

Knowing if security software is installed may provide additional ideas for investigation, some examples:

Virus Scanning

ClamAV is an open-source anti-malware scanner that comes preinstalled on the SIFT Workstation. Ensure that SIFT workstation is updated to keep the signatures current.

We can use an AV scan can help identify malware in the file system as well as in the recovered unallocated space.

It is also important to identify if any artifacts extracted from the system under analysis are dangerous

Indicators of Compromise

An Indicator of Compromise (IOC) is an artifact that is observable on the file system that indicates that an intrusion or compromise has occurred.


One of the goals of forensic analysis is to identify IOCs that can be used to search across the entire fleet, using a tool like AWS SSM or GRR Rapid Response, etc.