View a markdown version of this page

Prerequisites - Automated Forensics Orchestrator for Amazon EC2 and EKS

Prerequisites

Tools

  • The latest version of the AWS CLI (2.2.37 or newer), installed and configured.

  • The latest version of the AWS CDK V2 (2.2 or newer).

  • A CDK bootstrapped forensic AWS account and Security Hub account.

  • NodeJS version 16.

  • Ensure GraphQL - AppSync is activated in the forensic AWS account.

  • AWS SSM agent is installed in EC2 instances or EKS clusters (Application Instances).

  • AWS Security Hub must be activated as the Guidance creates custom action in AWS Security Hub.

  • Python version 3.8 or above

Forensic AMI

Build a forensic AMI and update the AWS Systems Manager Parameter Store with AMI ID. For more details, refer to Sample steps to create Forensic AMI using EC2 Image Builder. Be sure to replace the image builder component yml with the sample san-sift.yml provided in the forensic Guidance.

Note

This Guidance requires knowledge of SAN SIFT, LiME and Volatility tools to customize deployment the Guidance based on your forensic requirements. For more information, refer to the Post deployment: Plugin points section.

Compromised instance memory size and investigation instance mount disk volume

The investigation instance mount volume must always be greater than the memory of the compromised instance. This ensures that memory loaded into investigation instance does not error out. The Guidance uses M5.2Xlarge Amazon EC2 instance type by default.

CDK context configurations

CDK config Description

ec2ForensicImage

Forensic AMI name stored in SSM Parameter Store. SSM Parameter Store will contain AMI ID of forensic investigation instance prebuilt with forensic tools. Guidance is tested with Ubuntu AMI.