Automates the process of creating a forensics capture of an EC2
Project description
These are the step-by-step instructions for what happens in this automated workflow.
On the Forensic Disk
User data creates an /etc/environment file that holds three pieces of information:
- DESTINATION_BUCKET = the bucket the capture is written to
- IMAGE_NAME = the volume being imaged
- INCIDENT_ID = the ID of this incident
The image is set up with a number of applications and cron jobs:
- install dc3dd. A patched version of dd that is used to convert and copy files.
- install incron. A daemon which monitors file system events and executes commands. Think crontab for file system changes. We will use this to detect when the volume has successfully been mounted.
There are some scripts that are created on the base image:
- /home/ubuntu/collector.sh - Collects data about the attached volume and stores it in the DESTINATION_BUCKET above.
- /home/ubuntu/orchestrator.sh - Loads the environment variables from /etc/environment and executes collector.sh. This is run by incrontab.
- /home/ubuntu/incronChecker.sh - Tests whether the incron service is running and writes the result to /home/ubuntu/readiness.log. The CloudWatch agent ships this log into one of our log groups, which our "Check Mount" step monitors to confirm incron is loaded before the volume is mounted. This script is run by crontab every second.
The CloudWatch agent is configured to collect logs and send them to log groups for tracking, and also to provide the signal the step function acts on:
- /home/ubuntu/cloudwatch.log is sent to the ForensicDiskCapture log group
- /home/ubuntu/readiness.log is sent to the ForensicDiskReadiness log group
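As an added example (not the project's own collector.sh, orchestrator.sh or incronChecker.sh), here is a compact POSIX sh model of the flow above: read the three variables from an /etc/environment-style file, refuse to run if any is missing, record incron's state in readiness.log, then image the attached volume with dc3dd and push the image plus its hash log to the incident's prefix in the bucket. The KEY=VALUE file format, the dc3dd and aws CLI invocations, the readiness.log line format and the DRY_RUN / READINESS_LOG variables are my assumptions, not details taken from the page.

```shell
#!/bin/sh
# Added example modelling the orchestrator/collector flow; not the project's
# scripts. Assumptions (mine): KEY=VALUE lines in the env file, the dc3dd and
# aws invocations, the readiness.log format, DRY_RUN and READINESS_LOG.

# load_env FILE: source FILE and fail unless all three variables are set,
# so a half-written user-data file never produces an unlabelled capture.
load_env() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    # shellcheck disable=SC1090
    . "$1"
    for name in DESTINATION_BUCKET IMAGE_NAME INCIDENT_ID; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing $name in $1" >&2
            return 1
        fi
    done
}

# incron_status: what incronChecker would record; "unknown" without systemd.
incron_status() {
    if command -v systemctl >/dev/null 2>&1; then
        status=$(systemctl is-active incron 2>/dev/null) || true
        echo "${status:-inactive}"
    else
        echo unknown
    fi
}

# readiness_line STATUS: one readiness.log line; the Check Mount step only
# needs to look for "incron=active" in the shipped log group.
readiness_line() {
    printf '%s incron=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1"
}

# s3_target: the per-incident prefix everything for this capture lands under.
s3_target() {
    printf 's3://%s/%s/\n' "$DESTINATION_BUCKET" "$INCIDENT_ID"
}

# capture_cmd DEVICE: image DEVICE with dc3dd, hashing the input as it is read
# so the SHA-256 in the hash log can later be checked against the stored copy.
capture_cmd() {
    printf 'dc3dd if=%s of=%s.dd hash=sha256 hlog=%s.sha256 log=%s.log\n' \
        "$1" "$IMAGE_NAME" "$IMAGE_NAME" "$IMAGE_NAME"
}

# upload_cmd: ship the image, its hash log and the dc3dd run log together.
upload_cmd() {
    printf 'aws s3 cp --recursive --exclude "*" --include "%s.*" . %s\n' \
        "$IMAGE_NAME" "$(s3_target)"
}

# orchestrate ENV_FILE DEVICE: what incrontab would run once the volume is
# mounted. With DRY_RUN=1 the commands are printed rather than executed.
orchestrate() {
    load_env "$1" || return 1
    readiness_line "$(incron_status)" >> "${READINESS_LOG:-/home/ubuntu/readiness.log}"
    for cmd in "$(capture_cmd "$2")" "$(upload_cmd)"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

# On the forensic instance: orchestrate /etc/environment /dev/xvdf
[ $# -eq 0 ] || orchestrate "$@"
```

The hash log written by dc3dd travels with the image, so whoever later pulls the capture from the bucket can recompute SHA-256 over the stored file and compare it with the value taken while the device was read.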
Download files
Source Distribution
auto_aws_forensics-0.2.14.tar.gz (20.1 kB)
Built Distribution
Hashes for auto_aws_forensics-0.2.14.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 9b19a8b29e885b8e0c8656dee19975a7485d24169b2046880bfb903c59f5e3a2
MD5 | 4039b755c726247dfdda0dd7cc98f79a
BLAKE2b-256 | cc0f690e26c0cf169b08662db88f5f10fe34402285131ec21d915a59282cbf94
Hashes for auto_aws_forensics-0.2.14-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | e7e3f82dd100b64d61b0acd6e345765b727bb246a556a432ca423b23f9665981
MD5 | 1c2c0a18b5148189fcccf4d6ccafeb49
BLAKE2b-256 | dc014606f4cb2f4765f0a1e6079fd1ae271e88090c7f5cd8b414c427ed74687d