⛅️ AWS Evidence Collection

Some sensitive information can be stored in IMDS if it’s not configured properly. T1522 (MITRE). Not the case with service-managed accounts.

ssh -i "PUBLIC_KEY.pem" USERNAME@INSTANCE_PUBLIC_IP_OR_DOMAIN
curl –s "http://169.254.169.254/latest/meta-data/security-groups/"

⛔️ If you get curl: (6) Could not resolve host: xn–s-5gn, ✍🏻 Refer to this issue https://stackoverflow.com/questions/43734502/curl-command-could-not-resolve-xn-x-5gn-post-on-ubuntu. Try typing all dashes manually.

Case #1. Capital One In 2019, Capital One, there was a SSRF + IMDS. See here. CLOUD SECURITY - ATTACKING THE METADATA SERVICE https://pumasecurity.io/resources/blog/cloud-security-instance-metadata/. IMDSv2 has several protections in place to ensure SSRF is not possible: TTL=1, require PUT request (most WAF don’t support it), deny all requests with X-Forwarded-For, X-aws-ec2-metadata-token-ttl-seconds and X- aws-ec2-metadata-token custom headers are required. One only needs to make sure they have IMDSv2 instead of version 1.

Prerequisites

• Separate account for forensic acquisition and analysis was created (you’d need a root access to your AWS organization). - Source Account – The IAM user or role in the source account needs to be able to call the ModifySnapshotAttribute function and to perform the DescribeKey and ReEncypt operations on the key associated with the original snapshot. - Target Account – The IAM user or role in the target account needs to be able perform the DescribeKey, CreateGrant, and Decrypt operations on the key associated with the original snapshot. The user or role must also be able to perform the CreateGrant, Encrypt, Decrypt, DescribeKey, and GenerateDataKeyWithoutPlaintext operations on the key associated with the call to CopySnapshot.
• One has root privileges to perform EBS snapshotting.
• Recycling is enabled in case of accidental deletion.

Acquisition Steps

A very high-level: an investigator needs to create a snapshot of a EBS volume and then share it with the forensic account and make a copy of this EBS volume from the forensic account.

1. EC2 → Volumes → Check the volume for snapshotting. Click Actions → Create Snapshot from the drop-down menu in the top-right corner.

2. In the description field put the name that follows this convention: incnum-forensic-copy-YYYY-MM-DD-HH-MM.

3. Share KMS keys with the forensic account (if these are not shared already).

4. Go to EC2 → Snapshots → choose the snapshot and click Actions → Go to EC2 → Snapshots → choose the snapshot and click Actions → Modify Permissions from the drop-down menu in the top-right corner.

5. Enter the forensic account’s number.

6. In the forensic account go to Snapshots → Private Snapshots.

7. Locate the snapshot shared, check it and click Actions → Copy snapshot from the drop-down menu in the top-right corner.

   Copy snapshot functionality, AWS

8. Select an encryption key for the copy of the snapshot and create the copy.

Retainment Steps

In order to save space and money and preserve the evidence until it’s agreed that the evidence is no longer needed, the snapshot can be copied to an archive until it’s needed.

1. From the forensic account (where the snapshot was copied to) go to EC2 → Snapshots.

2. Choose the snapshot to archive.

3. Check it and click Actions → Archive snapshot from the drop-down menu in the top-right corner.