Tuesday, April 22, 2014

SIFT in EC2

I'm working with Paul Henry (@phenrycisssp) on the new Cloud Forensics course, FOR559.  So far it's been a blast.  On the exciting news front, I've built and deployed a SIFT workstation as an AMI in EC2. The SIFT workstation can be found by searching for 'sift' in community AMIs, or you can reference it directly as ami-25879c4c if using the command line to launch instances. While this was primarily for course development, I've made it public so everyone can benefit.

Why do you need SIFT in EC2?  Well, first and foremost, I prefer to do forensic investigations of IaaS cloud assets in the cloud itself.  There's usually no data transfer cost for moving data within the same region of a given service.  I can do my analysis and then copy only the data I need out of the cloud service, saving big money on bandwidth costs.  The other issue is time.  It takes time to move whole images out of the cloud.  That's time I could better spend answering the client's questions.  Maybe we can solve the "were we hacked" or "what's the damage" questions without moving data out.

We'll cover the steps to performing forensics in the cloud, as well as moving data out of the cloud, in the upcoming Cloud Forensics course.

Some notes on the SIFT:
  • The username is 'ubuntu'.  This is the standard for Ubuntu-based AMIs and I decided not to change it.  You need to know this username to SSH into the machine after you launch it.
  • The VNC password is 'password'.  Since your firewall rules shouldn't allow you to directly VNC to the machine, I figured that's not a big deal.  You should be using SSH forwarding to get there.
  • The desktop is installed, but not tested.  I built this primarily for command line use and the tools I needed work.
  • If you find issues, please let me know and I'll work to correct them.

Look for similar base images to pop up in Azure and Rackspace in the coming months.
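To turn the firewall advice above into a check, here is an added example (mine, not from the post or the SIFT project): it scans security-group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups` for anything that would expose VNC or another non-SSH port, and builds the SSH port-forward used to reach VNC. The sample rules, the group id and the assumption that the VNC server listens on display :1 (port 5901) are mine.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not real output): SSH from one address, plus a VNC range open to the world.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0example",  # placeholder id, not a real group
    "GroupName": "sift-analysis",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5910,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]}]})

VNC_PORTS = set(range(5900, 6000))  # VNC displays :0 through :99
SSH_PORT = 22

def rule_ports(rule):
    """Ports one IpPermissions entry opens ('-1' protocol means everything)."""
    if rule.get("IpProtocol") == "-1":
        return set(range(65536))
    if rule.get("IpProtocol") != "tcp":
        return set()
    return set(range(rule["FromPort"], rule["ToPort"] + 1))

def findings(sg_json):
    """Return (group id, cidr, reason) for rules that break the SSH-only model."""
    out = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            ports = rule_ports(rule)
            for ip_range in rule.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if ports & VNC_PORTS:
                    out.append((sg["GroupId"], cidr, "VNC reachable without SSH tunnel"))
                elif ports - {SSH_PORT}:
                    out.append((sg["GroupId"], cidr, "non-SSH port open"))
                elif cidr == "0.0.0.0/0":
                    out.append((sg["GroupId"], cidr, "SSH open to the whole internet"))
    return out

def vnc_tunnel_command(host, key_file):
    """SSH forwarding as the post recommends; assumes VNC on display :1 (5901)."""
    return f"ssh -i {key_file} -N -L 5901:127.0.0.1:5901 ubuntu@{host}"

if __name__ == "__main__":
    for group, cidr, reason in findings(SAMPLE_SG_JSON):
        print(f"{group} {cidr}: {reason}")
    print(vnc_tunnel_command("ec2-198-51-100-4.compute-1.amazonaws.com", "sift.pem"))
```

With the tunnel up, point the VNC client at localhost:5901; the instance's own VNC port never needs an inbound rule.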

1 comment:

  1. This is really great. Did you do anything special to get the scripts working on an instance? I'm working my way through the diff between the original script you left in the home dir, the updated one, and the latest from GitHub (https://github.com/sans-dfir/sift-bootstrap/commit/fc29dee2a4703d4cfebe22dd0fe76791943a8594 currently).

    I tried running the bootstrap script straight from https://github.com/sans-dfir/sift-bootstrap and all it did was drop a bunch of symlinks to nowhere. I'd love to help get a more official AMI going and get it listed on http://digital-forensics.sans.org/community/downloads or the Github page.
