BSIDES Idaho Falls offered a workshop called Cloud Forensics with an accompanying CTF. I left early Friday to make the 3 hour drive for the workshop because I see the need in my career to learn more about the Cloud especially as it applies to Forensics.
My expectations had to change for this workshop. I was expecting it to use the awscli to explore intrusions, cloud trail logs, and other tools. Knowing that the instructor, Kerry Hazelton had 23 years of experience and was experienced in this realm I listened and undertook the CTF challenge that followed.
The new expectations that I built for the course:
1st - The workshop could have been named "Using an Amazon Instance in the Cloud to Conduct Forensics" (The instance was of a Windows 10 OS)
2nd - How to mirror traffic from 1 instance into the instance built for forensics
3rd - Use tools like Autopsy, ExifTool, and others to explore the artifacts.
Additional notes and takeaways:
I was unaware of the Autospy GUI that you could install in windows. I explored version 4.9.1 and was impressed. I observed as I tried to import the given images provided by the instructor that a VM with 2 CPUs and 8GB RAM struggled with digesting the 4 images provided in < 3 hours of time. I could see how an Amazon Instance with the necessary resources (being temporary) could speed the process of forensics. Especially if you are short on time and current resources as was the case in the CTF that lasted for 3 hours. (The images were provided by an email caught in my spam folder the night before...)
Autopsy, the web server provided on a linux platform I have used in the past. When I used the GUI I was impressed how it would digest the information, still a little slow. You do need to make a choice as you import images that you have taken whether you enable or disable windows defender. Windows Defender from what I experienced helped to identify malware that was carved from images, but also caused an interruption in the operation of the import process in Autopsy.
Mirroring traffic from 1 instance in Amazon to another instance through configuration of the ENI's I need to spend some more time in troubleshooting how this works. A great take away!
One of the challenges involved looking at a memory image to solve what had occurred. I initially loaded Volatility 3 into my linux VM and ran into issues with missing dependencies. This is a plague of using Volatility 2.6 or 3. To avoid this plague you can download the VM called "Remnux". This has volatility 3 and autopsy pre-installed. Volatility and how it works is different than Volatility 2.6 which I am most familiar with.
Then, I was not sure about the wireless provided so I used my phones hot spot. I was not in a position to download "Remnux" during the challenge. I then reverted to using the pre-compiled binary of Volatility 2.6 on Windows 10. This worked until I found that I needed to extend the functionality to a plugin for exploring the browsing history of firefox.
In Summary
The workshop was thin on direction and content and very broad in expectations for the CTF Challenge. I would recommend next year try and be more lean in the expectations of the CTF Challenge. Then I would provide a better introductory email to introduce the workshop, content necessary to be successful in understanding the topics explored, and better introduce what is expected to be submitted in the CTF Challenge at least 3 days in advance.
The instructor, Kerry met my expectations of providing a challenge that was difficult. Introduced us to new tools and how to use those tools to be successful.
Thank you BSIDES Idaho Falls, I will look forward to participating next year!!