Automated Forensics Orchestrator for Amazon EC2 deploys a mechanism that uses AWS services to orchestrate and automate key digital forensics processes and activities for Amazon Elastic Compute Cloud (Amazon EC2) instances in the event of a potential security issue being detected.
This AWS Solution helps to establish an automated workflow across data acquisition from disk and memory, instance isolation, and invocation of third-party forensics investigation, analysis, and reporting tools that can be easily integrated with the solution. The solution is intended for organizations deploying and running workloads on EC2 instances and aims to support their security operations and response functions.
Note: We make no claim as to the suitability of Automated Forensics Orchestrator for Amazon EC2 in the detection or investigation of crime, nor the ability of data or forensics evidence captured by this solution to be used in a court of law. You should independently evaluate the suitability of Automated Forensics Orchestrator for Amazon EC2 for your use case.
Benefits
Automate manual, time-consuming digital forensics tasks
Quickly establish an end-to-end, in-house, low-touch digital forensics capability that automatically orchestrates data acquisition from disk and memory, instance isolation, and invocation of forensics investigation and analysis tools.
Respond faster, at scale
Scale your digital forensics automation across fleets of AWS Systems Manager-managed EC2 instances and automatically initiate acquisition and isolation processes for tagged EC2 instances in multiple accounts or across Regions. Reduce mean time to acquire and process evidence from the point of detection—down to minutes.
Plug in open-source or third-party forensics tooling
Get started with out-of-the-box support for Amazon Linux 2 and SANS SIFT open-source tools, such as log2timeline, Volatility 2, and LiME. Customize and extend the solution for specific OS kernels (LiME is a loadable kernel module, so memory acquisition needs a build that matches each target kernel version), or for your preferred forensics tools, using Systems Manager documents.
Set up end-to-end traceability
Monitor your end-to-end forensic orchestration workflow and processes with correlation identifiers. Keep your security operations personnel informed of progress through regular and timely notifications.
Step 1 In the AWS application account, an AWS Config rule, Amazon GuardDuty, and third-party tools detect malicious activities that are specific to Amazon Elastic Compute Cloud (Amazon EC2) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to AWS Security Hub in the security account through their native or existing integration.
Step 2 By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows.
Step 3 For a specified event, EventBridge provides an instance ID for the forensics process to target and initiates the AWS Step Functions workflow.
Step 4 Step Functions triages the request as follows:
Gets the instance information.
Determines if isolation is required based on the Security Hub action.
Determines if acquisition is required based on tags associated with the instance.
Initiates the acquisition flow based on triaging output.
Step 6 The following two acquisition flows are initiated in parallel:
Memory forensics flow - The Step Functions workflow captures the memory data and stores it in Amazon Simple Storage Service (Amazon S3). After memory acquisition, the instance is isolated using security groups: a new security group is attached to the targeted instance, removing any access for users, admins, or developers, which helps preserve the chain of custody. Note that whether isolation is initiated depends on the selected Security Hub action.
Disk forensics flow - The Step Functions workflow takes a snapshot of the Amazon Elastic Block Store (Amazon EBS) volume and shares it with the forensic account.
Step 7 Acquisition details are stored in DynamoDB.
Step 8 Once the disk or memory acquisition process is complete and the evidence has been captured successfully, a notification is sent to the investigation Step Functions state machine to begin the automated investigation of the captured data.
Step 9 The investigation Step Functions state machine starts a forensic instance from a forensic Amazon Machine Image (AMI) loaded with the customer's forensic tools, and then:
Loads the memory data from Amazon S3 for memory investigation.
Creates an EBS volume from the snapshot and attaches the EBS volume for disk analysis.
Step 11 DynamoDB stores the state of each forensic task and, when the job completes, its result, together with the investigation job details.
Step 13 EC2 Image Builder builds the forensic AMI. Note: You can also use an existing forensic AMI.
Step 14 The investigation Step Functions state machine uses the forensic AMI to perform memory and disk investigation.
Step 15 The forensic timeline can be queried using AWS AppSync.
Note: Using a forensics AMI that has the required tooling and the AWS Systems Manager Agent (SSM Agent) installed, the state machine provisions an EC2 instance, attaches volumes created from the previously captured snapshots, and mounts the captured memory data, making the data ready for investigation.
Systems Manager then uses Run Command to run scripts that invoke the installed forensic tools for investigative processes such as timelining against the captured data.
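Steps 3, 4 and 6 are the decision and containment points of the flow. The following Python is an added example, not code from the solution: it extracts the instance ID from a Security Hub event, applies the two triage rules (isolation decided by the action, acquisition decided by the instance tag), and performs the security-group isolation. The tag key IsTriageRequired, the custom action name ForensicIsolateAndAcquire, and every ID and ARN in the sample event are assumptions; the solution's own names may differ. The boto3 client is passed in rather than created so the code runs offline against the recorder at the bottom.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions: the page names neither the tag the orchestrator checks nor the
# custom action; both names below are illustrative.
ACQUISITION_TAG_KEY = "IsTriageRequired"
ISOLATING_ACTIONS = {"ForensicIsolateAndAcquire"}

# Security Hub reports an instance as an AwsEc2Instance resource whose Id is its ARN.
INSTANCE_ARN = re.compile(
    r"^arn:aws:ec2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):instance/(?P<iid>i-[0-9a-f]{8,17})$"
)


@dataclass(frozen=True)
class TriageDecision:
    instance_id: str
    region: str
    account_id: str
    isolate: bool  # decided by the Security Hub action that delivered the event
    acquire: bool  # decided by the instance's tags


def instance_targets(event: dict) -> list[tuple[str, str, str]]:
    """(region, account, instance_id) for each EC2 instance in detail.findings.
    Both the "Imported" and the "Custom Action" event types carry findings there;
    other resource types (VPCs, IAM roles, buckets) are skipped."""
    targets = []
    for finding in event.get("detail", {}).get("findings", []):
        for res in finding.get("Resources", []):
            m = INSTANCE_ARN.match(res.get("Id", ""))
            if res.get("Type") == "AwsEc2Instance" and m:
                targets.append((m["region"], m["account"], m["iid"]))
    return targets


def triage(event: dict, tags_by_instance: dict[str, dict[str, str]]) -> list[TriageDecision]:
    """Step 4: isolate according to the action name, acquire according to the tag.
    tags_by_instance stands in for the DescribeTags call the state machine makes."""
    isolate = event.get("detail", {}).get("actionName", "") in ISOLATING_ACTIONS
    decisions = []
    for region, account, iid in instance_targets(event):
        tag = tags_by_instance.get(iid, {}).get(ACQUISITION_TAG_KEY, "")
        decisions.append(TriageDecision(iid, region, account, isolate, tag.strip().lower() == "true"))
    return decisions


def isolate_instance(ec2, instance_id: str, vpc_id: str) -> str:
    """Step 6 isolation; `ec2` is a boto3 EC2 client (or RecordingEC2 below).
    A new security group carries an allow-all egress rule by default, so revoke it
    before the swap; Groups= on modify_instance_attribute replaces every group."""
    sg_id = ec2.create_security_group(
        GroupName=f"forensic-isolation-{instance_id}",
        Description="No ingress, no egress; attached during forensic acquisition",
        VpcId=vpc_id,
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


class RecordingEC2:
    """Offline stand-in for the boto3 client: records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []
    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-0f0f0f0f0f0f0f0f0"}  # constructed id
    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))


# Constructed sample: a custom action fired on a C&C DNS finding; all values are made up.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "ForensicIsolateAndAcquire", "findings": [{
        "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
        "Resources": [
            {"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"},
            {"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0a1b2c3d"},
        ]}]},
}
SAMPLE_TAGS = {"i-0123456789abcdef0": {ACQUISITION_TAG_KEY: "true", "Name": "web-1"}}

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENT, SAMPLE_TAGS):
        rec = RecordingEC2()
        print(d, isolate_instance(rec, d.instance_id, "vpc-0a1b2c3d") if d.isolate else None, rec.calls)
```

Two details matter in practice: a group returned by create_security_group starts with a 0.0.0.0/0 egress rule that must be revoked, and the instance's previous group list should be recorded (for example in the DynamoDB item from Step 7) before Groups= overwrites it, because that swap is what removes user and admin access and the original list is needed to restore service once the investigation closes.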