Cloud forensics for discovery and attacks
Introduction
Carving deleted data, recovering lost files and examining disk clusters can all reveal telltale signs of malicious activity. On several occasions, snapshots and volumes that are available publicly have not been scrubbed and may reveal very interesting things about the system, including sensitive information.
What are we going to cover?
This chapter is about performing digital forensics on an Amazon EC2 volume. We shall work with a snapshot that was taken after an attack was performed on the original system, and we will try to determine what commands the attackers ran.
Forensic investigation requires that the target device is not mounted as a filesystem on the analyst machine, because the operating system may then write to sectors that still contain deleted data.
In this exercise, we will
Discover the snapshot on which the forensic investigation is to be conducted
Make a volume out of it
Attach the volume to our attacker machine
Use forensic tools to browse the filesystem without mounting the volume
Identify the name and credentials of the database server to which the attacker connected
Steps to attack
You can do this exercise using the AWS Web console, since we did the last exercise using the command line.
Before moving on, we need to detach the volume from the previous exercise.
First we will unmount the volume that we attached earlier.
Next, we will (forcefully) detach the volume from the attacker EC2.
Use the AWS console to do this.
Navigate to the EC2 service in the AWS console
Select the attacker-machine
Scroll down the bottom pane to find /dev/sdh under Block devices
Click on /dev/sdh and select the EBS ID from the popup
In the new page that opens, select the EBS volume (if unselected) and click Actions > Force Detach Volume
Wait for about a minute and proceed after the State changes to 'available'
In the EC2 console, under Elastic Block Store > Snapshots, search for 'globalbutter jump server'
Obtain the snapshot id
Obtain the availability zone and instance id of your attacker EC2 by running the command
Once the availability zone is obtained, insert it into the following command to create a new volume using the discovered snapshot
Once the volume is created, note the 'VolumeID'
Next step is to attach the newly created volume to the EC2 attacker machine using the instance id of your attacker EC2 and the volume id of the newly created volume
This may take some time. To check the status of the volume (it should say "in use")
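The snapshot-to-volume procedure above, scripted with the AWS CLI, as an added example that is not part of the original page. It assumes the attacker EC2 carries the Name tag "attacker-machine", that the snapshot's description contains the search string, and that the AWS CLI is already configured on the machine running it; all ids it prints come from your own account.

```shell
#!/bin/sh
# Added example (not from the original page): discover the snapshot, build a
# volume from it in the attacker's availability zone, attach it and wait for
# the 'in-use' state. Assumptions: Name tag "attacker-machine" on the attacker
# EC2, search string present in the snapshot description, AWS CLI configured.
set -eu

# Print the id of the first snapshot whose description matches the search string.
find_snapshot() {  # find_snapshot <search-string>
    aws ec2 describe-snapshots \
        --filters "[{\"Name\":\"description\",\"Values\":[\"*$1*\"]}]" \
        --query 'Snapshots[0].SnapshotId' --output text
}

# Print "<instance-id><TAB><availability-zone>" of the running instance with that Name tag.
attacker_instance() {  # attacker_instance <name-tag>
    aws ec2 describe-instances \
        --filters "Name=tag:Name,Values=$1" "Name=instance-state-name,Values=running" \
        --query 'Reservations[0].Instances[0].[InstanceId,Placement.AvailabilityZone]' \
        --output text
}

# Create a volume from the snapshot in the given AZ, wait until it is
# 'available', then print its id. The AZ must match the attacker EC2's AZ.
create_volume_from_snapshot() {  # create_volume_from_snapshot <snapshot-id> <az>
    vol=$(aws ec2 create-volume --snapshot-id "$1" --availability-zone "$2" \
          --query 'VolumeId' --output text)
    aws ec2 wait volume-available --volume-ids "$vol"
    printf '%s\n' "$vol"
}

# Attach the volume as /dev/sdh (the guest sees it as /dev/xvdh), wait for the
# attachment to complete and print the volume state, which should be 'in-use'.
attach_and_wait() {  # attach_and_wait <volume-id> <instance-id>
    aws ec2 attach-volume --volume-id "$1" --instance-id "$2" --device /dev/sdh >/dev/null
    aws ec2 wait volume-in-use --volume-ids "$1"
    aws ec2 describe-volumes --volume-ids "$1" --query 'Volumes[0].State' --output text
}

main() {
    snap=$(find_snapshot "globalbutter jump server")
    inst=$(attacker_instance attacker-machine | cut -f1)
    az=$(attacker_instance attacker-machine | cut -f2)
    echo "snapshot: $snap  instance: $inst  az: $az"
    vol=$(create_volume_from_snapshot "$snap" "$az")
    echo "volume $vol is $(attach_and_wait "$vol" "$inst")"
}

# Run as: sh ebs_forensic_volume.sh run
if [ "${1:-}" = run ]; then main; fi
```

The waiters matter: `create-volume` and `attach-volume` return before the state changes, so reading the volume state straight after the call is how you end up with a "not yet in use" device at the next step.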
Once the volume is attached, identify the partition using lsblk
. The image will be /dev/xvdh
. Run the following commands on the attacker machine as that is where the volume has been attached using the AWS CLI
Using The Sleuth Kit (a forensics framework), let's attempt to recover the files in the /home/ubuntu directory.
Check the filesystem on the image
Use the start sector address for the Linux partition to list folders
Get the inode number for the home directory
Once the inode number of the ubuntu directory is found, get files using icat
Use icat to recover the .bash_history file inside the ubuntu directory
Examine the bash_history file to see what database server the attackers connected to and what credentials they used.
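The Sleuth Kit steps above, carried out end to end in one script, as an added example that is not part of the original page. It assumes the volume is visible as /dev/xvdh (override with IMAGE=...) and that mmls, fls and icat are installed; it never mounts anything, it only parses the tools' output to find the partition offset and inode numbers and then copies the file out with icat. The history-scanning helper at the end matches common database client names, which is an assumption about what the recovered history contains.

```shell
#!/bin/sh
# Added example (not from the original page): walk an attached EBS volume with
# The Sleuth Kit without mounting it. Assumes the volume is /dev/xvdh (override
# with IMAGE=...) and that mmls, fls and icat from sleuthkit are on PATH.
set -eu
IMAGE="${IMAGE:-/dev/xvdh}"

# Start sector of the first partition that mmls describes as Linux. mmls prints
# a table whose third column is the start sector (zero-padded, 512-byte units).
linux_partition_offset() {  # linux_partition_offset <image>
    mmls "$1" | awk '/Linux/ { print $3 + 0; exit }'
}

# Inode number of <name> inside the directory with inode <parent-inode> (the
# root directory when omitted). fls lines look like "r/r * 2061: .bash_history";
# the '*' marks a deleted entry, which we deliberately keep so deleted files
# can still be recovered.
inode_of() {  # inode_of <offset> <name> [parent-inode]
    fls -o "$1" "$IMAGE" ${3:+"$3"} |
        awk -v n="$2" '$NF == n {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:$/) { sub(/:$/, "", $i); print $i; exit }
        }'
}

# Walk a slash-separated path from the partition root, one fls call per component.
inode_of_path() {  # inode_of_path <offset> <relative/path>
    rest=$2; cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur=$(inode_of "$1" "$comp" $cur)   # $cur unquoted: omitted when empty (root)
        [ -n "$cur" ] || return 1
    done
    printf '%s\n' "$cur"
}

# Copy a file out of the image by inode number; the volume stays unmounted.
recover_file() {  # recover_file <offset> <inode> <output-path>
    icat -o "$1" "$IMAGE" "$2" > "$3"
}

# Lines of a recovered shell history that invoke a database client
# (assumed client names; extend the list for your environment).
db_client_commands() {  # db_client_commands <history-file>
    grep -E '^[[:space:]]*(mysql|psql|mongo(sh)?|redis-cli)([[:space:]]|$)' "$1" || true
}

main() {
    off=$(linux_partition_offset "$IMAGE")
    ino=$(inode_of_path "$off" home/ubuntu/.bash_history)
    echo "Linux partition starts at sector $off; .bash_history is inode $ino"
    recover_file "$off" "$ino" ./bash_history.recovered
    echo "Database client commands found in the recovered history:"
    db_client_commands ./bash_history.recovered
}

# Run as: sudo sh tsk_recover_history.sh run   (reading /dev/xvdh needs root)
if [ "${1:-}" = run ]; then main; fi
```

Because fls is queried by inode rather than by path, the walk still works when the home directory entry itself has been deleted, which is exactly the case a post-intrusion history file tends to be in.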
Additional references