Forensic Investigation of Amazon Compromised EC2 Instance

Companies are shifting more and more of their business-critical workloads to the cloud and often, the choice is Amazon Web Services (AWS) Elastic (EC2). Therefore it is important to also know what happens if it gets compromised.

Methodology

If any EC2 instance is suspected to be compromised by the cloud security team, they need to perform the following steps to start the forensic investigation:

1. Isolate the compromised EC2 instance from the production environment
2. Take a snapshot of the EC2 instance
3. Provision and launch a forensic test environment
4. Create evidence volume from the snapshot
5. Attach the evidence volume to the forensic test environment
6. Mount the evidence volume onto the forensic test environment

Step 1: Isolate the compromised EC2 instance from the production environment

Once the compromised EC2 instance is identified, it is crucial to isolate it from the production environment. Isolating the compromised EC2 instance helps in preventing further damage and allows forensic investigators to examine the instance in a safe and controlled environment. For example, isolating an instance in case of malware infection can stop it from spreading further and causing more damage.

The steps required to quarantine an instance are:

1. Create a restricted security group that does not allow any outbound network traffic.
2. Configure ingress rules that only allow SSH or RDP traffic from one IP address, which can be used by forensic investigators to examine the instance Attach the security group to the compromised instance.
3. Attach the security group to the compromised instance.

Step 2: Take a Snapshot of the EC2 Instance

Amazon EC2 instances use EBS volumes that act like virtual hard drives. In the event of a security incident, investigators must take an offline snapshot of the EBS volume from the affected EC2 instance to acquire forensic evidence.

The steps required to take a snapshot of the EBS Volume of the compromised EC2 instance:

1. Stop the affected instance.
2. Now, go to the Storage tab which can be found on the EC2 Management console page where all the deployed instances are listed. Locate the volume ID of the instance under the Block Devices tab and click on it.
3. Clicking on the volume ID will redirect you to the Volumes page where it will be already selected.
4. Click on the Actions button and select the Create Snapshot option from the drop-down menu.
5. On the next page, add a description and click on the Create Snapshot button.
6. The snapshot of the EBS volume is now successfully created.
7. Take backup of the necessary data and terminate the affected EC2 instance.

Step 3: Provision and launch a forensic test environment

The steps required for the provision and launching of a forensic test environment using Amazon EC2 instance:

1. Select any base Amazon Machine Image (AMI) such as Windows or Linux that can be used as a forensic test environment.
2. While configuring the instance, set up inbound rules in the security group that allows SSH connection from one IP address.
3. Once configured, launch the EC2 instance.
4. Perform OS hardening.
5. Install the forensic software required to perform the investigation.
6. Stop the EC2 instance and create a new AMI from it. Use this AMI as a template to launch a new forensic test environment for each investigation.
7. Update the AMI with the latest software patches once in a week/month

Step 4: Create evidence volume from the snapshot

The steps required to create an evidence volume from the snapshot of the compromised EC2:

1. Click on Snapshot.
2. Select the EBS volume snapshot of the affected machine and click on Actions.
3. Select the Create Volume option from the drop-down menu.
4. Make sure that the Availability Zone of the forensic test environment and volume to be created are same.
5. Once configured, click on the Create Volume button.
6. A new evidence volume is created and can be found in the Volumes section on the console.

Step 5: Attach the Evidence Volume to the forensic test environment

The steps required to to attach the evidence volume to the forensic instance:

1. Make sure that the forensic instance to be used for analysis is in stopped state.
2. Select the Volumes option on the EC2 Management Console.
3. Select the Evidence volume created and select the Actions button.
4. Select the Attach Volume option.
5. The attach volume page would appear. Select the Instance ID.
6. Make a note of the device name.
7. Attach the evidence volume to the forensic test environment.

Step 6: Mount the Evidence Volume on the forensic test environment

Mounting the evidence volume on the forensic test environment is the last step which allows investigators to get started with the investigation. It is possible to attach and mount the evidence volume as an additional volume on the forensic test environment. However, if required for investigation, they can detach the root volume of the forensic test environment and attach the evidence volume as root volume.

Reference:

Digital Forensic Analysis of Amazon Linux EC2 Instances

Workshop Studio

Thanks, everyone for reading

If you found this informative, do not forget to clap👏 and do let me know if you have any doubts

Support me if you like my work! Buy me a coffee

tushars25

Follow me on Twitter, LinkedIn, GitHub