Grabbing Forensic Images from EC2/Rackspace
Download as PPTX, PDF3 likes4,621 views
This document discusses challenges with retrieving forensic images from cloud service providers Amazon EC2 and Rackspace for forensic analysis when access to the cloud account is lost. It provides recommendations for regaining administrative access and outlines procedures used by Amazon and Rackspace to export images from customer accounts for forensic purposes, noting they can be technically and logistically difficult. The document also discusses challenges of exporting images across multiple geographical zones and techniques for moving large forensic images out of EC2 using splitting and S3.
Grabbing Forensic Images from EC2/Rackspace
- 1. Grabbing Forensic Images out of EC2/Rackspace JP Bourget Syncurity Networks B-Sides Las Vegas 2012 @punkrokk July 26, 2012
- 2. What I ran into while grabbing forensic images – What if you lose access to your amazon account? – What if it’s determined that you need to pull images from EC2 in order to to forensic analysis on them? – Amazon makes it easy to get data in – but tough to get data out – Rackspace doesn’t make it much easier…
- 3. Regaining Admin account access (Amazon) • I called up Amazon and Rackspace – Neither has a public procedure – the most they will really say is “they will work with you” – Can I social engineer access to someone’s cloud account? – Best practice is to use role based access (Use Amazon Identity + Access mgmt) (and two factor with Google authenticator)
- 4. Regaining Access (Rackspace) • If you have monitoring, racker (rackspace team), and your account creds changed – you better hope you can reset your admin creds. (drive images can be decrypted) • If they haven’t changed the monitoring account – Rackspace will login to that and reset admin passwords • You need to authenticate to your customer cloud/billing account and they will reset your server side account • Best practice is to have a dedicated account which provides granular role based access (public cloud side – does not have robust delegation at this time) (you can schedule account terminations)
- 5. Rack space Forensic Images • You can: Pause the VM • Sign off from Legal and Cloud Ops Team • Need to prove ownership of the account • Send in my own storage • It’s up to you to have a strategy to get your data out (dd, ghost, other 3rd party cloning tool) • They will boot up a tool if it’s private storage. • This can be a nightmare (technically and logistically) • Thanks Nicole Schwartz from RackSpace (@amazonv)
- 6. Geographical Zones • Zones – If you have data in multiple zones for redundancy it’s a pain to pull things out – AWS Import/Export helps – but you need to send disks to every zone – Rackspace – you have to send in storage and scripts in each store zone (will not transfer between countries)
- 7. Amazon Forensics • If you have small images ( > 5 GB ) you can dd them to another drive then download them (http, sftp, etc) (amazon linux image has all the tools you need) • If you have large images - > 5GB and you need to use Amazon Import/Export you have a different battle to fight
- 8. How to grab and move Large (> 5GB) forensic image out of EC2 • Mount a linux VM to a snapshot of the system (call this /dev/sdg) • Give the linux VM a slightly larger drive ( /dev/sdh) – Format ext3/4 (mount it (-loop –ro) (/tmp/image-sdg) • dd if=/dev/sdh | split –d –b 2G /tmp/snap- xxxxxx.dd.split. • Split –d name .01 .02, etc…
- 9. Amazon import/Export Services • You can now send in drives to Amazon and have them copy your S3 bucket to media they will mail you back – You have to combine your split files back – You then can mount them in… • Will amazon help you with this? – I dunno – haven’t found any credible answers to this…
- 10. Move to S3 • Copy to S3 Bucket: – Use aws by Tim Kay (timkay.com/aws) aws putmybucket/snap-xxxx.dd.01 snap- xxxx.dd.01 This will upload files of max 5GB to S3
- 11. Thing you may want to ask before going Cloud • Will they vendor help you grab forensically sound images? Is there an SLA? • Will they support chain of custody? • What legal stuff will you have to sign before they will export data for you? Will they export over country lines? (UK to USA?) • Do the existing tools out there allow you to automate a large amount of machines? • If you are the Feds – getting data out is most likely wayyyy easier!
- 12. Thanks for listening! • Questions? • Twitter: @punkrokk • jp@syncurity.net • Come to @BSidesRoc next year! (May, 2013)