(Optional) Additional configuration: Cloud9 environment setup
-
Ensure Python version is 3.8 and above.
-
Set up Python version 3.8 if it is not available (link:https://docs.aws.amazon.com/cloud9/latest/user-guide/sample-python.html).
sudo amazon-linux-extras enable python3.8 sudo yum install python3.8 sudo update-alternatives --install /usr/bin/python python alias python='python3.8' sudo python -m pip install pip-tools python -m pip install pip-tools -
(Optional) Update
/source/lambda/requirements.txtas cloud9 does not support specific versions.arnparse aws-xray-sdk boto3 botocore certifi charset-normalizer codeguru-profiler-agent future idna jmespath jsonpickle python-dateutil python2-secrets requests s3transfer six urllib3 wrapt
Guidance customizations
Forensic investigation instance
We recommend using M5.2Xlarge instance to perform memory and disk investigation, and initial mount disk volume size as 512 GB to support up to 512 GB of memory.
Based on the forensic tools, you can modify the instance type post deployment.
You can update this configuration based on the memory of the compromised instance.
-
Download the CLI tool to manage a SIFT install
. wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli-linux wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli-linux.sig wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli.pub -
Replace the Image Builder document in
san-sift.ymlwith S3 copy commands.Sample S3 command:
aws s3 cp s3://mybucket/san-sift
Note
The Guidance uses SANS SIFT to build necessary tools required to perform forensic investigation, and the Amazon EC2 Image Builder to build SANS SIFT image.
AWS Systems Manager documents
The Guidance uses SSM documents to perform memory acquisition, memory investigation, and disk investigation. You can update the tools leveraged in memory acquisition, memory investigation, and disk investigation with other tools based on forensic requirements.
Memory acquisition
For memory acquisition, the Guidance provides a sample SSM document
You can update the memory acquisition step with other tools by updating the SSM commands. The sample command clones the GitHub link to set up LiME in the compromised instance. The updated SSM command below downloads the LiME components from an internal S3 bucket to the AWS account.
In SSM document linux_lime-memory-acquisition.json, change the following sample command from:
git clone link:https://github.com/504ensicsLabs/LiME
to:
aws s3 cp s3://mybucket/Lime
Memory investigation
You can update the memory investigation step with other tools by updating the SSM commands. The sample command clones the GitHub link to set up Volatility in the compromised instance. The updated command below downloads the Volatility components from an internal S3 bucket to the AWS account. The Guidance depends on the Volatility symbol table of the OS and kernel version of the compromised instance. The Volatility symbol table is a prerequisite to perform memory investigation.
For memory investigation, the Guidance provides a sample SSM document which leverages Volatility 3 to perform memory investigation.
In SSM document lime-memory-load-investigation.json, change the following command from:
git clone link:https://github.com/volatilityfoundation/volatility.git
to the sample command:
aws s3 cp s3://mybucket/volatility
Disk investigation
For disk investigation, the Guidance provides the sample command leveraging log2timeline to perform disk investigation.
You can update the memory investigation step with other tools by updating the SSM commands.
The current sample leverages the SANS SIFT image which contains Plaso
Note
The forensic tools code shared in the section are example codes. You are responsible for managing and maintaining the tools used in the Guidance.
Customization of CDK context configurations
| CDK config | Default value | Description |
|---|---|---|
|
diskSize |
|
Determines the disk size of forensic investigation instance. We recommend allocating the disk size more than RAM for the compromised instance. |
|
vol3-symboltables-bucket |
|
Bucket to store Volatility symbol tables based on kernel version of the compromised instance to perform memory forensics. Ensure forensic investigation IAM role is updated to and has read-only access to S3 bucket. |
|
vol3-symboltables-key |
|
Prefix in the vol3-symboltables-bucket to store the symbol tables. |
|
customerManagedCMKArns:{ forensicsnsEncryptionKey: ""} |
n/a |
KMS key to encrypt the messages sent to SNS topic. |
|
customerManagedCMKArns:{ forensicBucketEncryptionKey: ""} |
n/a |
KMS key to encrypt the objects stored in Amazon S3. |
|
customerManagedCMKArns:{ ebsVolumeKey: ""} |
n/a |
KMS key to encrypt to EBS Volume. |
|
ssmExecutionTimeout |
|
SSM timeout to perform forensic operation. It is set to |
|
forensicBucketComplianceMode |
|
True sets S3 object lock retention mode to compliance else to governance. Refer to S3 Object Lock for more details. |
|
forensicBucketRetentionDays |
|
Configures the retention period that protects an object version for a fixed amount of time. |
|
applicationAccounts |
* |
Contains the list of all accounts the forensic functions can assume role, and perform memory and disk acquisition. |
|
ssm-documents-dir |
|
SSM directory in source code to load SSM documents into forensic account as part of the deployment. |
|
ForensicImageName |
|
Forensic AMI name stored in SSM Parameter Store. SSM Parameter Store will contain AMI ID of forensic investigation instance prebuilt with forensic tools. |
|
ForensicIsolationInstanceProfileName |
|
Customer profile for isolation. By default it would be the profile provided by this Guidance’s CDK stack. |
|
vpcInfo |
[source,json] ---- "vpcInfo": { "vpcCidr": "10.1.0.0/16", "maxAZs": 2, "bastionInstance": false, "enableVpcFlowLog": true, "enableVPCEndpoints": true, "subnetConfig": [ { "cidrMask": 24, "name": "externalDMZ", "subnetType": "Public" }, { "cidrMask": 24, "name": "service", "subnetType": "Private" }, { "cidrMask": 24, "name": "database", "subnetType": "Isolated" }, { "cidrMask": 24, "name": "internalDMZ", "subnetType": "Isolated" } ] } ---- |
Contains VPC configurations to create a new VPC. |
|
vpcConfigDetails |
[source,json] ---- "vpcConfigDetails": { "isExistingVPC": false, "enableVPCEndpoints": false, "enableVpcFlowLog": false } ---- |
Contains details about existing VPC configurations [source,json] ---- "isExistingVPC": false, "vpcID": "vpc-1234567890", ---- |
|
deployApi |
|
Setting it to Setting it to |
|
apiNotifications |
|
Setting it to Setting it to |
|
apiAllowedIps |
[] |
Provides list of all IPs allowed to access AppSyncAPI. WAF is configured to restrict the IP address. |
|
apiRateLimit |
|
WAF is configured with |