LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestras Condiciones de uso y nuestra Política de privacidad para más información.
LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestra Política de privacidad y nuestras Condiciones de uso para más información.
asking if I had assets in their cloud and I lost access to the AWS or Rackspace console – what is the process for getting it back? access (Use Amazon Identity + Access mgmt) (and two factor with Google authenticator)
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images out of EC2/Rackspace JP Bourget Syncurity Networks B-Sides Las Vegas 2012 @punkrokk July 26, 2012
What I ran into while grabbing forensic images– What if you lose access to your amazon account?– What if it’s determined that you need to pull images from EC2 in order to to forensic analysis on them?– Amazon makes it easy to get data in – but tough to get data out– Rackspace doesn’t make it much easier…
Regaining Admin account access (Amazon)• I called up Amazon and Rackspace – Neither has a public procedure – the most they will really say is “they will work with you” – Can I social engineer access to someone’s cloud account? – Best practice is to use role based access (Use Amazon Identity + Access mgmt) (and two factor with Google authenticator)
Regaining Access (Rackspace)• If you have monitoring, racker (rackspace team), and your account creds changed – you better hope you can reset your admin creds. (drive images can be decrypted)• If they haven’t changed the monitoring account – Rackspace will login to that and reset admin passwords• You need to authenticate to your customer cloud/billing account and they will reset your server side account• Best practice is to have a dedicated account which provides granular role based access (public cloud side – does not have robust delegation at this time) (you can schedule account terminations)
Rack space Forensic Images• You can: Pause the VM• Sign off from Legal and Cloud Ops Team• Need to prove ownership of the account• Send in my own storage• It’s up to you to have a strategy to get your data out (dd, ghost, other 3rd party cloning tool)• They will boot up a tool if it’s private storage.• This can be a nightmare (technically and logistically) • Thanks Nicole Schwartz from RackSpace (@amazonv)
Geographical Zones• Zones – If you have data in multiple zones for redundancy it’s a pain to pull things out – AWS Import/Export helps – but you need to send disks to every zone – Rackspace – you have to send in storage and scripts in each store zone (will not transfer between countries)
Amazon Forensics• If you have small images ( > 5 GB ) you can dd them to another drive then download them (http, sftp, etc) (amazon linux image has all the tools you need)• If you have large images - > 5GB and you need to use Amazon Import/Export you have a different battle to fight
How to grab and move Large (> 5GB) forensic image out of EC2• Mount a linux VM to a snapshot of the system (call this /dev/sdg)• Give the linux VM a slightly larger drive ( /dev/sdh) – Format ext3/4 (mount it (-loop –ro) (/tmp/image-sdg)• dd if=/dev/sdh | split –d –b 2G /tmp/snap- xxxxxx.dd.split.• Split –d name .01 .02, etc…
Amazon import/Export Services• You can now send in drives to Amazon and have them copy your S3 bucket to media they will mail you back – You have to combine your split files back – You then can mount them in…• Will amazon help you with this? – I dunno – haven’t found any credible answers to this…
Move to S3• Copy to S3 Bucket: – Use aws by Tim Kay (timkay.com/aws) aws putmybucket/snap-xxxx.dd.01 snap- xxxx.dd.01 This will upload files of max 5GB to S3
Thing you may want to ask before going Cloud• Will they vendor help you grab forensically sound images? Is there an SLA?• Will they support chain of custody?• What legal stuff will you have to sign before they will export data for you? Will they export over country lines? (UK to USA?)• Do the existing tools out there allow you to automate a large amount of machines?• If you are the Feds – getting data out is most likely wayyyy easier!
Thanks for listening!• Questions?• Twitter: @punkrokk• email@example.com• Come to @BSidesRoc next year! (May, 2013)