Grabbing Forensic Images from EC2/Rackspace

•Download as PPTX, PDF•

3 likes•4,616 views

This document discusses challenges with retrieving forensic images from cloud service providers Amazon EC2 and Rackspace for forensic analysis when access to the cloud account is lost. It provides recommendations for regaining administrative access and outlines procedures used by Amazon and Rackspace to export images from customer accounts for forensic purposes, noting they can be technically and logistically difficult. The document also discusses challenges of exporting images across multiple geographical zones and techniques for moving large forensic images out of EC2 using splitting and S3.

Grabbing Forensic Images out
of EC2/Rackspace
JP Bourget
Syncurity Networks
B-Sides Las Vegas 2012
@punkrokk
July 26, 2012

What I ran into while grabbing
forensic images
– What if you lose access to your amazon
account?
– What if it’s determined that you need to pull
images from EC2 in order to to forensic
analysis on them?
– Amazon makes it easy to get data in – but
tough to get data out
– Rackspace doesn’t make it much easier…

Regaining Admin account access
(Amazon)
• I called up Amazon and Rackspace –
Neither has a public procedure – the most
they will really say is “they will work with
you”
– Can I social engineer access to someone’s
cloud account?
– Best practice is to use role based access (Use
Amazon Identity + Access mgmt) (and two
factor with Google authenticator)

Regaining Access (Rackspace)
• If you have monitoring, racker (rackspace team), and
your account creds changed – you better hope you
can reset your admin creds. (drive images can be
decrypted)
• If they haven’t changed the monitoring account –
Rackspace will login to that and reset admin
passwords
• You need to authenticate to your customer cloud/billing
account and they will reset your server side account
• Best practice is to have a dedicated account which
provides granular role based access (public cloud side
– does not have robust delegation at this time) (you
can schedule account terminations)

Rack space Forensic Images
• You can: Pause the VM
• Sign off from Legal and Cloud Ops Team
• Need to prove ownership of the account
• Send in my own storage
• It’s up to you to have a strategy to get your data
out (dd, ghost, other 3rd party cloning tool)
• They will boot up a tool if it’s private storage.
• This can be a nightmare (technically and
logistically)
• Thanks Nicole Schwartz from RackSpace (@amazonv)

Geographical Zones
• Zones
– If you have data in multiple zones for
redundancy it’s a pain to pull things out
– AWS Import/Export helps – but you need to
send disks to every zone
– Rackspace – you have to send in storage
and scripts in each store zone (will not
transfer between countries)

Amazon Forensics
• If you have small images ( > 5 GB ) you
can dd them to another drive then
download them (http, sftp, etc) (amazon
linux image has all the tools you need)
• If you have large images - > 5GB and you
need to use Amazon Import/Export you
have a different battle to fight 

How to grab and move Large (>
5GB) forensic image out of EC2
• Mount a linux VM to a snapshot of the
system (call this /dev/sdg)
• Give the linux VM a slightly larger drive (
/dev/sdh) – Format ext3/4 (mount it (-loop
–ro) (/tmp/image-sdg)
• dd if=/dev/sdh | split –d –b 2G /tmp/snap-
xxxxxx.dd.split.
• Split –d name .01 .02, etc…

Amazon import/Export Services
• You can now send in drives to Amazon
and have them copy your S3 bucket to
media they will mail you back
– You have to combine your split files back
– You then can mount them in…

• Will amazon help you with this?
– I dunno – haven’t found any credible answers
to this…

Move to S3
• Copy to S3 Bucket:
– Use aws by Tim Kay (timkay.com/aws)

aws putmybucket/snap-xxxx.dd.01 snap-
xxxx.dd.01

This will upload files of max 5GB to S3

Thing you may want to ask before
going Cloud
• Will they vendor help you grab forensically
sound images? Is there an SLA?
• Will they support chain of custody?
• What legal stuff will you have to sign before
they will export data for you? Will they export
over country lines? (UK to USA?)
• Do the existing tools out there allow you to
automate a large amount of machines?
• If you are the Feds – getting data out is most
likely wayyyy easier!

Thanks for listening!
• Questions?
• Twitter: @punkrokk
• jp@syncurity.net
• Come to @BSidesRoc next year! (May,
2013)

Using Security Incident Response Simulations (SIRS--also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, we will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014

Amazon Web Services

AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...

Amazon Web Services

Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.

Crypto Options in AWS

Amazon Web Services

Security Day IAM Recommended Practices

Amazon Web Services

Controlling Access to your Resources

Amazon Web Services

(SEC315) AWS Directory Service Deep Dive

Amazon Web Services

AWS Directory Service enables you to create a new Active Directory domain in AWS with Simple AD or to connect your existing Active Directory domain with AD Connector. Learn how to use these offerings to domain join and enable single sign-on (SSO) to your Amazon EC2 Windows and Linux instances, set up federated access to the AWS Management Console, and use Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail.

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

Amazon Web Services

Automatic and semiautomatic mechanical theorem provers are now being used within AWS to find proofs in mathematical logic that establish desired properties of key AWS components. In this session, we outline these efforts and discuss how mechanical theorem provers are used to replay found proofs of desired properties when software artifacts or networks are modified, thus helping provide security throughout the lifetime of the AWS system. We consider these use cases: Using constraint solving to show that VPCs have desired safety properties, and maintaining this continuously at each change to the VPC Using automatic mechanical theorem provers to prove that s2n’s HMAC is correct and maintaining this continuously at each change to the s2n source code Using semi-automatic mechanical theorem provers to prove desired safety properties of protocols and code

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014

Amazon Web Services

AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)

Amazon Web Services

AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013

Amazon Web Services

Security must be the number one priority for any cloud provider and that's no different for AWS. Stephen Schmidt, vice president and chief information officer for AWS, will share his insights into cloud security and how AWS meets the needs of today's IT security challenges. Stephen, with his background with the FBI and his work with AWS customers in the government and space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.

You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...

Amazon Web Services

Ensuring security and compliance across a globally distributed, large-scale AWS deployment requires a scalable process and a comprehensive set of technologies. In this session, Adobe will deep-dive into the AWS native monitoring and security services and some Splunk technologies leveraged globally to perform security monitoring across a large number of AWS accounts. You will learn about Adobe’s collection plumbing including components of S3, Kinesis, CloudWatch, SNS, Dynamo DB and Lambda, as well as the tooling and processes used at Adobe to deliver scalable monitoring without managing an unwieldy number of API keys and input stanzas. Session sponsored by Splunk. AWS Competency Partner

(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Amazon Web Services

Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.

(SEC312) Reliable Design & Deployment of Security & Compliance

Amazon Web Services

"No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on ""Secure by Design"" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as: Organizational governance Asset inventory and control Logical access controls Operating system configuration Database security Applications security configurations This session will focus on using AWS security features to architect securing and auditing the architecture capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment."

AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...

Amazon Web Services

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Your federated users then are authenticated and authorized by your organization's IdP, and they can use single sign-on (SSO) to access AWS. In this workshop, you choose your own path through the exercises to direct yourself to the technologies and use cases that matter to you. We start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We will then continue to walk you through a number of advanced SAML use cases, including how to: Write S3 bucket policies for specific federated users. Use SAML attributes to enforce additional authorization requirements. Automate federation configurations across a large number of AWS accounts. Implement other advanced SAML use cases for AWS.

Become an IAM Policy Ninja

Amazon Web Services

We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...

Amazon Web Services

Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013

Amazon Web Services

At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.

Announcements for Mobile Developers

Amazon Web Services

Amazon Cognito now makes it easy to sign up and sign in users to your mobile and web apps. Previously, with Amazon Cognito you can use social identity providers like Facebook, Google, Twitter, and Amazon for user sign-in and federate these identities to allow secure access to AWS resources. Now with User Identity Pools in Amazon Cognito, you get a secure, low-cost, and fully managed user directory that can scale to 100s of millions of users. Join us for an overview of Amazon Cognito and how to get started with User Identity Pools.

Transparency and Auditing on AWS

Amazon Web Services

(SEC325) Satisfy PCI Obligations While Continuing to Innovate

Amazon Web Services

As an online payments provider, Stripe has always had a close relationship with PCI DSS. And as a partner to hundreds of thousands of online businesses, we take the security of our users' personal information very seriously. But as a fast-growing startup company where fast innovation is a key advantage, we also can't let PCI control us. In this session, we will discuss strategies we have used that both make us more secure and satisfy our PCI (and other) obligations, all without slowing down our ability to innovate. Though useful for PCI and other compliance obligations, these strategies can just as easily be applied to security problems across your organization.

(SEC303) Architecting for End-To-End Security in the Enterprise

Amazon Web Services

This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

AWS Webcast - Highly Available SQL Server on AWS

Amazon Web Services

AWS Solutions Architect Matt Tavis reviews high availability features for Microsoft Windows Server and SQL Server running on the AWS cloud. Windows Server Failover Clustering (WSFC) and SQL AlwaysOn Availability Groups are part of the underpinnings for many enterprise-class solutions, including Microsoft SharePoint and .NET applications. We will walk through an example implementation and share templates and sample code to help you deploy high availability architectures. Please review this virtual event geared for a technical audience.

(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014

Amazon Web Services

(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less

Amazon Web Services

Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We will take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We will start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we will explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we will cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or locking down access to Amazon EC2 instances. The demonstrations will use tools such as the policy editor and policy simulator to debug policies.

Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN2...

Amazon Web Services

IAM Recommended Practices

Amazon Web Services

Distributed Data Systems

Jared Kerim

London Devops #9 - Security at a startup

Neil Saunders

What's hot

AWS re:Invent 2016: Automated Formal Reasoning About AWS Systems (SEC401)

Amazon Web Services

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014

Amazon Web Services

AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)

Amazon Web Services

AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013

Amazon Web Services

You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...

Amazon Web Services

(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Amazon Web Services

(SEC312) Reliable Design & Deployment of Security & Compliance

Amazon Web Services

AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...

Amazon Web Services

Become an IAM Policy Ninja

Amazon Web Services

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...

Amazon Web Services

Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013

Amazon Web Services

Announcements for Mobile Developers

Amazon Web Services

Transparency and Auditing on AWS

Amazon Web Services

(SEC325) Satisfy PCI Obligations While Continuing to Innovate

Amazon Web Services

(SEC303) Architecting for End-To-End Security in the Enterprise

Amazon Web Services

AWS Webcast - Highly Available SQL Server on AWS

Amazon Web Services

(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014

Amazon Web Services

(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less

Amazon Web Services

Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We will take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We will start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we will explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we will cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or locking down access to Amazon EC2 instances. The demonstrations will use tools such as the policy editor and policy simulator to debug policies.

Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN2...

Amazon Web Services

IAM Recommended Practices

Amazon Web Services

What's hot (20)