As organizations increasingly adopt cloud services, it's important to have a plan in place for how to investigate incidents that may occur in these environments. AWS, in particular, offers an increasingly wide range of tools and services that can be leveraged for forensics investigations. In this blog, we'll explore the key considerations and best practices for conducting forensic investigations in AWS. Recently they've added tools such as further improvements to AWS Detective and AWS GuardDuty, extending beyond vritual machines and further into containers. First, let's define what we mean by "forensics." In the context of computer systems, forensics refers to the process of identifying, collecting, and analyzing digital evidence for the purpose of uncovering the truth about a particular incident. This can be used for a variety of purposes, including cybersecurity investigations, compliance audits, and legal proceedings. When it comes to AWS, there are several key considerations to keep in mind when conducting a forensic investigation. First, it's important to understand the unique challenges that cloud environments present. For example, in a traditional on-premises environment, it's easier to physically secure and control access to servers and storage devices. In the cloud, however, you don't have the same level of physical control, and you may be sharing infrastructure with other organizations. Another challenge is that cloud environments can be highly dynamic, with resources being created and destroyed on a regular basis. This can make it difficult to track down and preserve evidence, especially if you don't have a solid understanding of your organization's cloud architecture and the tools that are in use. So, what can you do to prepare for forensic investigations in AWS? Here are a few best practices to keep in mind: Develop a clear incident response plan: Having a clear, documented incident response plan in place will help you respond to incidents quickly and effectively. This should include procedures for identifying and responding to incidents, as well as guidelines for preserving evidence and conducting investigations. Use AWS services and tools: AWS offers a number of tools and services that can be used for forensic investigations. For example, Amazon CloudWatch can be used to monitor resource usage and log activity, while Amazon S3 can be used to store and access forensic evidence. Understand your organization's cloud architecture: It's important to have a good understanding of your organization's cloud architecture and the tools that are in use. This will help you identify and preserve evidence, and will also make it easier to track down the root cause of an incident. Follow best practices for evidence preservation: In order to preserve evidence for forensic investigations, it's important to follow best practices such as creating forensic images of relevant devices and using write-blockers to prevent tampering.

1. AWS Forensics

2. Preserve Intrusion Evidence
Zero-impact to
production systems
Easy data collection from anywhere:
✓ Cloud
✓ Containers
✓ On-prem systems

3. Investigate at Cloud Speed
Quick automated data processing:
✓ Fast
✓ Efficient
✓ Effective
Patent-pending
cloud-based architecture

4. Understand the Full Picture
Complete
visibility and context
Seamless investigation of
multiple data sources:
✓ Host
✓ Logs
✓ Memory

5. Identify Root Cause
Patent-pending
analytics engine
Powerful analytics that saves:
✓ Time
✓ Resources
✓ Money

6. Cado Use Cases
● Conduct forensics
investigations across
complex & expansive cloud
environments
● Investigate cloud incidents
that span multiple cloud
platforms, regions, systems,
and accounts with ease
● Capture incident data
before it’s gone across
virtualization technologies
that continuously grow,
shrink and recycle data
● Process and investigate
container environments and
auto scaling groups
● Ensure optimal security
even where an agent-based
detection solution can’t be
deployed
● Conduct threat hunts
across high-availability
production systems with
zero impact
Cloud Forensics Container Forensics Cloud Threat Hunting