Are there any shadow cloud accounts (accounts that exist outside the organisation's inventory)? They can be the first place to look when investigating.
A ‘without-reboot’ snapshot is equivalent to a live acquisition, and a snapshot with a reboot is more like a traditional powered-off. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 175). BCS Learning & Development Limited. Kindle Edition.
EC2 instance metadata
Sensitive information (the instance role's temporary credentials, user data that may contain secrets) can be exposed through IMDS if it is not configured properly. MITRE ATT&CK tracks this as T1552.005, Unsecured Credentials: Cloud Instance Metadata API (formerly T1522). Not the case with service-managed accounts.
ssh -i "PRIVATE_KEY.pem" USERNAME@INSTANCE_PUBLIC_IP_OR_DOMAIN
(the -i argument is the private key matching the key pair registered on the instance, not the public key)
curl -s "http://169.254.169.254/latest/meta-data/security-groups/"
⛔️ If you get curl: (6) Could not resolve host: xn–s-5gn, the -s was pasted as an en dash (–) instead of a hyphen, so curl treats "–s" as a host name and punycode-encodes it. Retype the dashes manually. ✍🏻 See https://stackoverflow.com/questions/43734502/curl-command-could-not-resolve-xn-x-5gn-post-on-ubuntu.
Case #1. Capital One. In 2019 Capital One was breached through an SSRF in a misconfigured WAF instance: the attacker used it to reach the IMDS (IMDSv1 at the time), pulled the instance role's temporary credentials and used them to list and download S3 buckets. See CLOUD SECURITY - ATTACKING THE METADATA SERVICE https://pumasecurity.io/resources/blog/cloud-security-instance-metadata/. IMDSv2 adds several protections that defeat most SSRF primitives: a session token must first be obtained with a PUT request (most SSRF bugs and many WAFs/proxies only allow GET), the PUT response carrying the token has an IP TTL (hop limit) of 1 so it does not survive a pass through a NAT or proxy, requests carrying an X-Forwarded-For header are rejected, and every metadata request must present the token in the X-aws-ec2-metadata-token header (its lifetime is set with X-aws-ec2-metadata-token-ttl-seconds on the PUT). These protections only apply if the instance is configured to require IMDSv2 (HttpTokens=required); if the setting is left at "optional", IMDSv1 keeps answering token-less GETs.
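To make the last point concrete, the following added example (not code from the original page) does the IMDSv2 token dance that an SSRF cannot perform, and audits parsed `aws ec2 describe-instances` output for instances that still answer IMDSv1. The instance ids in the sample are constructed; the `modify-instance-metadata-options` flags it emits are the real CLI ones.

```python
"""Added example: IMDSv2-style metadata fetch plus an audit for instances that still answer IMDSv1."""
import urllib.request

IMDS = "http://169.254.169.254"


def imdsv2_get(path, ttl_seconds=60):
    """Fetch a metadata path the IMDSv2 way.

    Step 1: PUT to /latest/api/token with the TTL header to obtain a session token.
    Step 2: GET the path with the token in X-aws-ec2-metadata-token.
    A GET-only SSRF cannot perform step 1, which is the point of IMDSv2.
    Only works from inside an EC2 instance; not exercised by the offline test.
    """
    token_req = urllib.request.Request(
        f"{IMDS}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    )
    with urllib.request.urlopen(token_req, timeout=2) as resp:
        token = resp.read().decode()
    data_req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/{path.lstrip('/')}",
        headers={"X-aws-ec2-metadata-token": token},
    )
    with urllib.request.urlopen(data_req, timeout=2) as resp:
        return resp.read().decode()


def find_imdsv1_instances(describe_instances):
    """Return ids of instances whose metadata endpoint is on but does not require IMDSv2.

    `describe_instances` is the parsed JSON output of `aws ec2 describe-instances`.
    HttpTokens "optional" means token-less (IMDSv1) requests are still answered.
    An instance with HttpEndpoint "disabled" has no IMDS at all and is skipped.
    """
    weak = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak


def remediation_commands(instance_ids, hop_limit=1):
    """Build the CLI commands that enforce IMDSv2 on each instance.

    hop_limit=1 keeps IMDS responses from leaving the host; containers that reach
    IMDS through a bridge network need hop_limit=2.
    """
    return [
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {iid} --http-tokens required "
        f"--http-endpoint enabled --http-put-response-hop-limit {hop_limit}"
        for iid in instance_ids
    ]


# Constructed sample of `aws ec2 describe-instances` output (not real instances).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111bbb222ccc3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddd444eee555fff6",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0999888777666555a",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}

if __name__ == "__main__":
    weak = find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    print("IMDSv1 still allowed on:", weak)
    for cmd in remediation_commands(weak):
        print(cmd)
```

Feed `aws ec2 describe-instances --output json` into `find_imdsv1_instances` to get the list for a whole region; the audit deliberately ignores instances whose endpoint is disabled, since they have no metadata service to protect.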
Amazon EBS disk snapshots
Prerequisites
- A separate account for forensic acquisition and analysis has been created (this needs permissions in the management account of your AWS Organization).
- Source account: the IAM user or role needs to be able to call ModifySnapshotAttribute and to perform the DescribeKey and ReEncrypt operations on the KMS key associated with the original snapshot.
- Target (forensic) account: the IAM user or role needs to be able to perform the DescribeKey, CreateGrant and Decrypt operations on the key associated with the original snapshot, and the CreateGrant, Encrypt, Decrypt, DescribeKey and GenerateDataKeyWithoutPlaintext operations on the key used for the CopySnapshot call.
- Snapshots encrypted with the default AWS managed key (aws/ebs) cannot be shared with another account; the source volume has to be encrypted with a customer managed key whose key policy grants the forensic account access.
- The investigator has sufficient privileges in the source account to create EBS snapshots.
- A Recycle Bin retention rule for snapshots is enabled in case of accidental deletion.
Acquisition Steps
At a very high level: the investigator creates a snapshot of the EBS volume in the source account, shares that snapshot with the forensic account, and then copies it from within the forensic account. The copy is what gets analysed; it can be re-encrypted with a key the forensic account owns, and it stays intact even if the source account is later compromised or cleaned up.
- EC2 → Volumes → select the volume to snapshot. Click Actions → Create Snapshot in the drop-down menu in the top-right corner.
- In the description field put a name that follows this convention: incnum-forensic-copy-YYYY-MM-DD-HH-MM.
- Share the KMS key with the forensic account (if it is not shared already) by adding the forensic account to the key policy.
- Wait until the snapshot state is "completed". Then go to EC2 → Snapshots → choose the snapshot and click Actions → Modify Permissions in the drop-down menu in the top-right corner.
- Enter the forensic account's number (share with that account only, never with "Public").
- In the forensic account go to EC2 → Snapshots and filter on Private snapshots.
- Locate the shared snapshot, check it and click Actions → Copy snapshot in the drop-down menu in the top-right corner.
- Select an encryption key for the copy of the snapshot (a key owned by the forensic account) and create the copy.
Retention Steps
To save space and money while preserving the evidence until it is agreed that it is no longer needed, the snapshot can be moved to the archive tier in the forensic account.
- From the forensic account (where the snapshot was copied to) go to EC2 → Snapshots.
- Choose the snapshot to archive.
- Check it and click Actions → Archive snapshot in the drop-down menu in the top-right corner.
Archived snapshots are billed for a minimum of 90 days and take 24 to 72 hours to restore, so only archive a copy you do not expect to mount again soon.
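The acquisition and retention steps above, done with the API instead of the console, as an added example that is not part of the original page. The boto3 method names and parameters (`create_snapshot`, `modify_snapshot_attribute`, `copy_snapshot`, `modify_snapshot_tier`, the `snapshot_completed` waiter) are the real ones; the volume, account, key and snapshot ids are placeholders, and `RecordingClient` is a stand-in I wrote so the flow can be dry-run offline.

```python
"""Added example: cross-account EBS snapshot acquisition and archiving with boto3-style EC2 clients."""
from datetime import datetime, timezone


def forensic_description(incident, when=None):
    """Description following the page's convention: incnum-forensic-copy-YYYY-MM-DD-HH-MM (UTC)."""
    when = when or datetime.now(timezone.utc)
    return f"{incident}-forensic-copy-{when:%Y-%m-%d-%H-%M}"


def acquire_snapshot(source_ec2, forensic_ec2, volume_id, forensic_account_id,
                     forensic_kms_key_id, source_region, incident, when=None):
    """Snapshot a volume in the source account, share it, and copy it into the forensic account.

    source_ec2 / forensic_ec2 are boto3 EC2 clients for the two accounts (or the
    RecordingClient below for a dry run). Method names and parameters are the
    real boto3 ones; only the ids passed in are placeholders.
    """
    description = forensic_description(incident, when)
    # 1. Create the snapshot in the source account and tag it with the incident id.
    snapshot_id = source_ec2.create_snapshot(
        VolumeId=volume_id,
        Description=description,
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "incident", "Value": incident}]}],
    )["SnapshotId"]
    # 2. Wait for the snapshot to complete before sharing and copying it.
    source_ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])
    # 3. Grant createVolumePermission to the forensic account only (never the "all" group).
    source_ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="add",
        UserIds=[forensic_account_id],
    )
    # 4. From the forensic account, copy and re-encrypt with a key that account owns.
    copy_id = forensic_ec2.copy_snapshot(
        SourceRegion=source_region,
        SourceSnapshotId=snapshot_id,
        Description=description,
        Encrypted=True,
        KmsKeyId=forensic_kms_key_id,
    )["SnapshotId"]
    forensic_ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    return {"source_snapshot": snapshot_id, "forensic_copy": copy_id,
            "description": description}


def archive_snapshot(forensic_ec2, snapshot_id):
    """Move the forensic copy to the archive tier (90-day minimum, 24-72 h to restore)."""
    return forensic_ec2.modify_snapshot_tier(SnapshotId=snapshot_id, StorageTier="archive")


class RecordingClient:
    """Offline stand-in for a boto3 EC2 client: records calls and returns deterministic ids.

    Part of the added example, not an AWS or boto3 class.
    """

    def __init__(self, label):
        self.label, self.calls, self._count = label, [], 0

    def _next_id(self):
        self._count += 1
        return f"snap-{self.label}-{self._count:04d}"

    def get_waiter(self, name):
        return self

    def wait(self, **kwargs):
        return None

    def create_snapshot(self, **kwargs):
        self.calls.append(("create_snapshot", kwargs))
        return {"SnapshotId": self._next_id()}

    def modify_snapshot_attribute(self, **kwargs):
        self.calls.append(("modify_snapshot_attribute", kwargs))
        return {}

    def copy_snapshot(self, **kwargs):
        self.calls.append(("copy_snapshot", kwargs))
        return {"SnapshotId": self._next_id()}

    def modify_snapshot_tier(self, **kwargs):
        self.calls.append(("modify_snapshot_tier", kwargs))
        return {"SnapshotId": kwargs["SnapshotId"], "TieringStartTime": "2024-01-01T00:00:00Z"}


if __name__ == "__main__":
    # Dry run. Live: boto3.Session(profile_name=...).client("ec2", region_name=...) per account.
    src, dst = RecordingClient("src"), RecordingClient("dst")
    result = acquire_snapshot(src, dst, "vol-0123456789abcdef0", "222233334444",
                              "arn:aws:kms:eu-west-1:222233334444:key/forensic-key-id",
                              "eu-west-1", "INC-42")
    print(result)
    print(archive_snapshot(dst, result["forensic_copy"]))
```

For a live run, build one boto3 EC2 client per account (a profile or assumed role for the source account, another for the forensic account) and pass them in place of the recorders; the KMS grants from the Prerequisites are what make the `copy_snapshot` call succeed on an encrypted shared snapshot.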
EBS disks streamed to S3
How to stream logs/data to forensic account?
Memory dumps
Memory hibernation
Memory captured through EC2 hibernation: when an instance that was launched with hibernation enabled is hibernated, the RAM contents are written to its (encrypted) root EBS volume, so a snapshot of that root volume contains a memory image.
CloudTrail logs
CloudTrail records most API activity in the account (console logins, instance creation, snapshot sharing, etc.). The console's Event history only shows a summary and only covers the last 90 days; the full event detail is available only as the JSON event records (downloaded from Event history or delivered to an S3 bucket by a trail).
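Since the full detail only exists in the JSON records, here is an added example (not from the original page) of triaging them for two things this page cares about: snapshots shared with an account other than the forensic one or made public, and console logins without MFA. The records are constructed to follow CloudTrail's field layout; the account ids, ARNs and IPs are made up.

```python
"""Added example: triage CloudTrail JSON event records for snapshot sharing and console logins."""
import json


def load_records(cloudtrail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}, as delivered to S3 after gunzip)."""
    return json.loads(cloudtrail_json)["Records"]


def snapshot_share_targets(event):
    """Account ids or the "all" group granted createVolumePermission by a ModifySnapshotAttribute event."""
    params = event.get("requestParameters") or {}
    items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    return [item.get("userId") or item.get("group") for item in items]


def triage(records, trusted_accounts):
    """Return findings: snapshots shared outside trusted_accounts or made public, and console logins without MFA."""
    findings = []
    for ev in records:
        actor = (ev.get("userIdentity") or {}).get("arn")
        base = {"time": ev.get("eventTime"), "actor": actor, "source_ip": ev.get("sourceIPAddress")}
        if ev.get("eventName") == "ModifySnapshotAttribute":
            snap = (ev.get("requestParameters") or {}).get("snapshotId")
            for target in snapshot_share_targets(ev):
                if target == "all":
                    findings.append({**base, "type": "PUBLIC_SNAPSHOT", "snapshot": snap, "target": target})
                elif target not in trusted_accounts:
                    findings.append({**base, "type": "SNAPSHOT_SHARED_UNTRUSTED", "snapshot": snap, "target": target})
        elif ev.get("eventName") == "ConsoleLogin":
            success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
            if success and mfa != "Yes":
                findings.append({**base, "type": "CONSOLE_LOGIN_NO_MFA"})
    return findings


# Constructed sample records (shape follows CloudTrail's JSON; ids, ARNs and IPs are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/IR-Responder"},
     "requestParameters": {"snapshotId": "snap-0aaa111", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222233334444"}]}}}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deployer"},
     "requestParameters": {"snapshotId": "snap-0bbb222", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deployer"},
     "requestParameters": {"snapshotId": "snap-0ccc333", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventTime": "2024-03-01T09:58:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deployer"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T09:50:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/IR-Responder"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]})

if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_LOG), trusted_accounts={"222233334444"}):
        print(finding)
```

The trusted set is the forensic account from the acquisition procedure: the investigator's own share shows up as an event too, and allow-listing it keeps the responder's actions out of the findings while any other share (the classic snapshot exfiltration move) is flagged. On real data, gunzip each object from the trail's S3 prefix and pass the body to `load_records`.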
How to stream logs/data to forensic account?
AWS Config rule findings
Amazon Route 53
https://aws.amazon.com/route53/
DNS resolver query logs
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html
VPC Flow Logs
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
AWS Security Hub findings
https://aws.amazon.com/security-hub/
Elastic Load Balancing access logs
https://aws.amazon.com/elasticloadbalancing/
AWS WAF logs
Custom application logs
System logs
Security logs
Any third-party logs
EC2 snapshots
📘 BTFM
S3 Buckets. Download bucket contents
$ aws s3api list-buckets
# choose the bucket you want and ...
# ... download its contents
# (sync fetches only the current version of each object; on a versioned bucket use list-object-versions to see older and deleted versions)
$ aws s3 sync s3://juicy-staff /tmp/juicy-staff-on-attackers-pc
Connect to EC2
SSM
aws ssm start-session --target INSTANCE_ID
(requires the SSM agent on the instance and an instance profile that allows Session Manager; no inbound port or key pair needed)
SSH via Identity
ssh -i "~/.ssh/identity.pem" ec2-user@192.168.1.87
SSH via user/password
ssh ec2-user@192.168.1.87
> enter the password