EC2 DFIR Workshop
Module Overview: File System Forensics - Part 2
- Determine if keys are present on compromised system
- Determine if any security software is installed
- Perform Virus Scans
- Search for Known Indicators of Compromise
Keys on a Compromised System
While sorting and classifying the files on the compromised volume, analysts should look in the .ssh and .aws hidden directories for the presence of private keys.
- SSH Private Keys
- AWS Access Keys
If SSH keys are needed on an EC2 instance, they should be protected with a long passphrase.
It is also recommended to list the public keys that are used to SSH to the instance.
In conjunction with the syslog, this information helps to determine who is accessing
system. This information is in the
Is Security Software Installed?
Knowing if security software is installed may provide additional ideas for investigation, some examples:
- AWS Systems Manager (SSM) provides the ability to patch, configure, and audit EC2 instances to a baseline. It also allows administrators to inventory the software on EC2 instances. If the AWS Systems Manager is found, there will be additional information available via the AWS Console. SSM may be installed by default on recent images.
- AWS Inspector is Amazon’s vulnerability scanner. Finding this tool on an EC2 instance indicates that there may be vulnerability scans available via the Inspector console. Any information regarding known vulnerabilities on the EC2 instance can help focus the investigation.
- The Splunk Universal Forwarder is used by many organizations to collect and archive system logs
ClamAV is an open-source anti-malware scanner that comes preinstalled on the SIFT Workstation. Ensure that SIFT workstation is updated to keep the signatures current.
We can use an AV scan can help identify malware in the file system as well as in the recovered unallocated space.
It is also important to identify if any artifacts extracted from the system under analysis are dangerous
Indicators of Compromise
An Indicator of Compromise (IOC) is an artifact that is observable on the file system that indicates that an intrusion or compromise has occurred.
- Virus Signatures
- IP Addresses known to be malicious
- Malicious domain names
- Cryptographic hashes of malicious files