Initial Account Setup
Emerging cloud technologies like Amazon Web Services (AWS) are going to change the face of traditional forensics forever. Soon, we will rarely get our hands on physical evidence sources attached to systems like this. This leaves a large number of uncertainties surrounding evidence handling, continuity, security and legal permissions, both at home and overseas.
Hopefully, this series of posts will help navigate through the acquisition and analysis of these sources.
Some quick observations on account creation:
- I used a ProtonMail account to sign up for AWS. (It’s quite common for online services to block ProtonMail accounts for signup nowadays.)
- You must provide a full address and credit card details for account creation. (Amazon will have this on record if you have the legal authority to request it when investigating.)
- Amazon uses their own terminology for everything and there’s a bit to learn if you have no previous experience.
- It looks strangely like the Kindle store.
Anyway… AWS comes in three different flavours as you can see below: (I chose the cheapest Basic Plan, cause I’m a skinflint)
Elastic Cloud 2 (EC2) is the service I chose once I selected my plan. Although the LightSail service may provide similar capabilities, I’ll just focus on EC2.
Before you go any further, this is a good point to make some initial assessments.
1: Pricing, what is your budget going forward?
I found that information relating to this was difficult to find prior to punching in the credit card details. I have included at the end of this post the pricing (AUD) for various hardware configurations and data throughput costs as of 28 May 2018.
2: What type of evidence are you analysing and how?
This could range from large batches of server logs, another AWS instance, volume or image. Perhaps you have a forensic image that you already acquired and uploaded for analysis. You may be trying to ascertain successful logons to the AWS platform itself.
It is extremely important at this stage to determine your host OS and the physical characteristics of your instance, such as memory, vCPUs and storage.
Gaining an understanding of your evidence sources, analysis tools, the load on system resources and the potential size of any exports will help you figure out your AWS configuration.
3: Where is your target evidence located?
Amazon splits web services into international regions and if you wish to analyse a snapshot of another AWS instance, you will need to ensure your analysis instance is hosted within that same region.
I’m not sure of the cost or time implications of transfer between regions but I have been advised this does involve a physical move of data across regions to different data centres.
4: How do you secure the environment and, in turn, your evidence?
Amazon has a number of measures in place to ensure the environment is secure. This includes sys logging for your instances, advanced monitoring (a paid-for service) and EC2 key pairs, where the .pem private key file can be used for SSH connectivity.
There is also multi-factor authentication through Google Authenticator or similar mobile applications, and the ability to lock down access to your instance by specific IP addresses and ports. These are just a few suggestions; there are many other factors you may need to consider along the way.
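In EC2, the IP-and-port lockdown mentioned above is expressed as security group ingress rules. The following check is an added example, not part of the original post: it audits rules in the JSON shape returned by `aws ec2 describe-security-groups` and flags SSH/RDP exposure to the whole internet or to addresses outside an examiner allowlist. The group IDs, addresses and allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-lab", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

ADMIN_PORTS = (22, 3389)  # SSH and RDP, the usual remote-access ports


def exposes_admin_port(perm):
    """True if the rule covers SSH/RDP; protocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def audit(groups, allowed=()):
    """Return (group_id, cidr, reason) for each risky ingress source."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in filter(exposes_admin_port, sg.get("IpPermissions", [])):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((sg["GroupId"], cidr, "open to the world"))
                elif allowed_nets and not any(
                        net.version == a.version and net.subnet_of(a)
                        for a in allowed_nets):
                    findings.append((sg["GroupId"], cidr, "outside allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, allowed=("203.0.113.10/32",)):
        print(*finding, sep="  ")
```

Rules that grant access by referencing another security group rather than a CIDR are not evaluated by this check.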
If, at this juncture, you are wondering why on earth I would use a system in AWS to perform forensics, then I’ll direct you to the general purpose pricing models below, where you can check some of the tech specs of the servers!
Next up… I’ll cover how to launch an AWS instance.
AWS Pricing
General Purpose – Current Generation
| Instance type | vCPU | ECU | Memory (GiB) | Instance Storage (GB) | Linux/UNIX Usage |
|---|---|---|---|---|---|
| t2.nano | 1 | Variable | 0.5 | EBS Only | $0.0073 per Hour |
| t2.micro | 1 | Variable | 1 | EBS Only | $0.0146 per Hour |
| t2.small | 1 | Variable | 2 | EBS Only | $0.0292 per Hour |
| t2.medium | 2 | Variable | 4 | EBS Only | $0.0584 per Hour |
| t2.large | 2 | Variable | 8 | EBS Only | $0.1168 per Hour |
| t2.xlarge | 4 | Variable | 16 | EBS Only | $0.2336 per Hour |
| t2.2xlarge | 8 | Variable | 32 | EBS Only | $0.4672 per Hour |
| m5.large | 2 | 10 | 8 | EBS Only | $0.12 per Hour |
| m5.xlarge | 4 | 15 | 16 | EBS Only | $0.24 per Hour |
| m5.2xlarge | 8 | 31 | 32 | EBS Only | $0.48 per Hour |
| m5.4xlarge | 16 | 61 | 64 | EBS Only | $0.96 per Hour |
| m5.12xlarge | 48 | 173 | 192 | EBS Only | $2.88 per Hour |
| m5.24xlarge | 96 | 345 | 384 | EBS Only | $5.76 per Hour |
| m4.large | 2 | 6.5 | 8 | EBS Only | $0.125 per Hour |
| m4.xlarge | 4 | 13 | 16 | EBS Only | $0.25 per Hour |
| m4.2xlarge | 8 | 26 | 32 | EBS Only | $0.5 per Hour |
| m4.4xlarge | 16 | 53.5 | 64 | EBS Only | $1 per Hour |
| m4.10xlarge | 40 | 124.5 | 160 | EBS Only | $2.5 per Hour |
| m4.16xlarge | 64 | 188 | 256 | EBS Only | $4 per Hour |

| Data Transfer IN To Amazon EC2 From | Pricing |
|---|---|
| Internet | $0.000 per GB |
| Another AWS Region (from any AWS Service) | $0.000 per GB |
| Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon SES, Amazon SQS, or Amazon SimpleDB in the same AWS Region | $0.000 per GB |
| Amazon EC2, Amazon RDS, Amazon Redshift and Amazon ElastiCache instances or Elastic Network Interfaces in the same Availability Zone | |
| - Using a private IPv4 address | $0.000 per GB |
| - Using a public or Elastic IPv4 address | $0.010 per GB |
| - Using an IPv6 address within the same VPC | $0.000 per GB |
| - Using an IPv6 address from a different VPC | $0.010 per GB |
| Amazon EC2, Amazon RDS, Amazon Redshift and Amazon ElastiCache instances or Elastic Network Interfaces in another Availability Zone or peered VPC in the same AWS Region | $0.010 per GB |

| Data Transfer OUT From Amazon EC2 To Internet | Pricing |
|---|---|
| First 1 GB / month | $0.000 per GB |
| Up to 10 TB / month | $0.140 per GB |
| Next 40 TB / month | $0.135 per GB |
| Next 100 TB / month | $0.130 per GB |
| Next 350 TB / month | $0.120 per GB |
| Next 524 TB / month | |
| Next 4 PB / month | |
| Greater than 5 PB / month | |

Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
Thanks for this blog post