Before copying evidence or making a disk image, one needs to sterilise the target media so that data already on that disk cannot mix with the evidence data. Several rounds of writing 0s are usually enough.
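A way to sterilise a target and prove it reads back clean before any evidence is written to it. This is an added example, not from the cited book; the function names and the temp-file "disk" are constructed for illustration, and a real run would point `zero_fill` at the target block device.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # I/O block size (1 MiB)

def target_size(path):
    """Size in bytes; seeking to the end works for image files and block devices."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def zero_fill(path, passes=1):
    """Overwrite every byte of `path` with 0x00 `passes` times; returns bytes per pass."""
    size = target_size(path)
    zeros = bytes(CHUNK)
    for _ in range(passes):
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                remaining -= f.write(zeros[:min(CHUNK, remaining)])
            f.flush()
            os.fsync(f.fileno())  # force the pass out of the page cache
    return size

def first_nonzero_offset(path):
    """Read the target back; return the offset of the first non-zero byte, or None."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)
    return None

def make_dirty_image():
    """Constructed sample: a temp file standing in for a reused target disk."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(CHUNK + 7) + b"OLD-CASE-RESIDUE" + bytes(CHUNK))
    return path

if __name__ == "__main__":
    img = make_dirty_image()
    try:
        print("before:", first_nonzero_offset(img))
        zero_fill(img, passes=3)
        print("after: ", first_nonzero_offset(img))
    finally:
        os.remove(img)
```

The read-back only covers sectors the operating system can address, so record the `None` result in the case notes as verification of the addressable area.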
Are there any shadow cloud accounts? They could be the first place to look when investigating.
A “without-reboot” snapshot is equivalent to a live acquisition, and a snapshot with a reboot is more like a traditional powered-off. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 175). BCS Learning & Development Limited. Kindle Edition.
Some sensitive information can be stored in the instance metadata service (IMDS) if it is not configured properly; see T1522 (MITRE). This is not the case with service-managed accounts.