View a markdown version of this page

(Optional) Additional configuration: Cloud9 environment setup - Automated Forensics Orchestrator for Amazon EC2 and EKS

(Optional) Additional configuration: Cloud9 environment setup

  1. Ensure Python version is 3.8 and above.

  2. Set up Python version 3.8 if it is not available (link:https://docs.aws.amazon.com/cloud9/latest/user-guide/sample-python.html).

    sudo amazon-linux-extras enable python3.8 sudo yum install python3.8 sudo update-alternatives --install /usr/bin/python python alias python='python3.8' sudo python -m pip install pip-tools python -m pip install pip-tools
  3. (Optional) Update /source/lambda/requirements.txt as cloud9 does not support specific versions.

    arnparse aws-xray-sdk boto3 botocore certifi charset-normalizer codeguru-profiler-agent future idna jmespath jsonpickle python-dateutil python2-secrets requests s3transfer six urllib3 wrapt

Guidance customizations

Forensic investigation instance

We recommend using M5.2Xlarge instance to perform memory and disk investigation, and initial mount disk volume size as 512 GB to support up to 512 GB of memory. Based on the forensic tools, you can modify the instance type post deployment.

You can update this configuration based on the memory of the compromised instance.

  1. Download the CLI tool to manage a SIFT install.

    wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli-linux wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli-linux.sig wget link:https://github.com/teamdfir/sift-cli/releases/download/v1.13.1/sift-cli.pub
  2. Replace the Image Builder document in san-sift.yml with S3 copy commands.

    Sample S3 command:

    aws s3 cp s3://mybucket/san-sift
Note

The Guidance uses SANS SIFT to build necessary tools required to perform forensic investigation, and the Amazon EC2 Image Builder to build SANS SIFT image.

AWS Systems Manager documents

The Guidance uses SSM documents to perform memory acquisition, memory investigation, and disk investigation. You can update the tools leveraged in memory acquisition, memory investigation, and disk investigation with other tools based on forensic requirements.

Memory acquisition

For memory acquisition, the Guidance provides a sample SSM document, which leverages Linux Memory Extractor (LiME) to perform memory acquisition.

You can update the memory acquisition step with other tools by updating the SSM commands. The sample command clones the GitHub link to set up LiME in the compromised instance. The updated SSM command below downloads the LiME components from an internal S3 bucket to the AWS account.

In SSM document linux_lime-memory-acquisition.json, change the following sample command from:

git clone link:https://github.com/504ensicsLabs/LiME

to:

aws s3 cp s3://mybucket/Lime

Memory investigation

You can update the memory investigation step with other tools by updating the SSM commands. The sample command clones the GitHub link to set up Volatility in the compromised instance. The updated command below downloads the Volatility components from an internal S3 bucket to the AWS account. The Guidance depends on the Volatility symbol table of the OS and kernel version of the compromised instance. The Volatility symbol table is a prerequisite to perform memory investigation.

For memory investigation, the Guidance provides a sample SSM document which leverages Volatility 3 to perform memory investigation.

In SSM document lime-memory-load-investigation.json, change the following command from:

git clone link:https://github.com/volatilityfoundation/volatility.git

to the sample command:

aws s3 cp s3://mybucket/volatility

Disk investigation

For disk investigation, the Guidance provides the sample command leveraging log2timeline to perform disk investigation.

You can update the memory investigation step with other tools by updating the SSM commands. The current sample leverages the SANS SIFT image which contains Plaso in the forensic instance.

Note

The forensic tools code shared in the section are example codes. You are responsible for managing and maintaining the tools used in the Guidance.

Customization of CDK context configurations

CDK config Default value Description

diskSize

512

Determines the disk size of forensic investigation instance. We recommend allocating the disk size more than RAM for the compromised instance.

vol3-symboltables-bucket

n/a - leverages the bucket created

Bucket to store Volatility symbol tables based on kernel version of the compromised instance to perform memory forensics. Ensure forensic investigation IAM role is updated to and has read-only access to S3 bucket.

vol3-symboltables-key

/volatility3/symboltables/

Prefix in the vol3-symboltables-bucket to store the symbol tables.

customerManagedCMKArns:{ forensicsnsEncryptionKey: ""}

n/a

KMS key to encrypt the messages sent to SNS topic.

customerManagedCMKArns:{ forensicBucketEncryptionKey: ""}

n/a

KMS key to encrypt the objects stored in Amazon S3.

customerManagedCMKArns:{ ebsVolumeKey: ""}

n/a

KMS key to encrypt to EBS Volume.

ssmExecutionTimeout

1800

SSM timeout to perform forensic operation. It is set to 1800 seconds by default.

forensicBucketComplianceMode

false

True sets S3 object lock retention mode to compliance else to governance. Refer to S3 Object Lock for more details.

forensicBucketRetentionDays

30

Configures the retention period that protects an object version for a fixed amount of time.

applicationAccounts

*

Contains the list of all accounts the forensic functions can assume role, and perform memory and disk acquisition.

ssm-documents-dir

–0—/ssm-documents

SSM directory in source code to load SSM documents into forensic account as part of the deployment.

ForensicImageName

sansift

Forensic AMI name stored in SSM Parameter Store. SSM Parameter Store will contain AMI ID of forensic investigation instance prebuilt with forensic tools.

ForensicIsolationInstanceProfileName

target_profile_name

Customer profile for isolation. By default it would be the profile provided by this Guidance’s CDK stack.

vpcInfo

[source,json] ---- "vpcInfo": { "vpcCidr": "10.1.0.0/16", "maxAZs": 2, "bastionInstance": false, "enableVpcFlowLog": true, "enableVPCEndpoints": true, "subnetConfig": [ { "cidrMask": 24, "name": "externalDMZ", "subnetType": "Public" }, { "cidrMask": 24, "name": "service", "subnetType": "Private" }, { "cidrMask": 24, "name": "database", "subnetType": "Isolated" }, { "cidrMask": 24, "name": "internalDMZ", "subnetType": "Isolated" } ] } ----

Contains VPC configurations to create a new VPC.

vpcConfigDetails

[source,json] ---- "vpcConfigDetails": { "isExistingVPC": false, "enableVPCEndpoints": false, "enableVpcFlowLog": false } ----

Contains details about existing VPC configurations

[source,json] ---- "isExistingVPC": false, "vpcID": "vpc-1234567890", ----

deployApi

false

Setting it to true deploys GraphQL API.

Setting it to false will not deploy GraphQL API.

apiNotifications

false

Setting it to true turns on GraphQL API notification.

Setting it to false turns off GraphQL API notification.

apiAllowedIps

[]

Provides list of all IPs allowed to access AppSyncAPI. WAF is configured to restrict the IP address.

apiRateLimit

1000

WAF is configured with ratelimit.