
IR tool for acquiring memory images from Windows EC2 instances on AWS

Project description

Espresso IR

Introduction

Espresso IR automates memory acquisition from Windows-based EC2 instances and stores the resulting images in an S3 bucket. It currently uses DumpIt to perform the acquisition itself, but with minor edits you could substitute the acquisition tool of your choice.

It was created as part of the research the author conducted for their MSc dissertation.

Feedback is welcome and collaboration is encouraged; please use the GitHub repository for both.

Getting Started

Install with pip install espresso-ir, or clone the GitHub repository at https://github.com/Terrizmo/espresso-ir and run pip install . from inside the repository directory.

You need an IAM identity with programmatic access to your AWS environment. Once you have its access key ID and secret access key, run aws configure and follow the prompts; the AWS CLI stores these credentials in your home directory and espresso_ir reads them on every run. Further information can be found in the AWS documentation. Because the tool creates S3 buckets and an IAM role during setup and drives Systems Manager and EC2 during acquisition, the identity needs permissions for those services; prefer a dedicated incident-response identity over a broad administrative user, and treat its credentials as sensitive, since they can read the evidence bucket.

If this is the first time you are running espresso-ir you will need to run the --setup flag to create the necessary S3 buckets and to upload DumpIt. The full command is espresso_ir <case-id> --setup <local-path-to-DumpIt>.
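Before installing, it is worth checking the downloaded archive against the SHA256 digests published for this release further down this page, so that a tampered mirror or proxy cannot hand you a different package than the one the author uploaded. The following is an added example and not part of espresso-ir itself: it hashes a file or byte string, compares it with the published digest in constant time, and emits a pinned requirements line for pip's --require-hashes mode. The two digests are copied from this page; the input used in the test is constructed.

```python
import hashlib
import hmac
from pathlib import Path

# SHA256 digests as published on this page for release 0.0.2.
PUBLISHED_SHA256 = {
    "espresso_ir-0.0.2.tar.gz":
        "1cf2e3b460286401b6a74a42365b52badcd36bc53c925b936c91baff0461b54a",
    "espresso_ir-0.0.2-py3-none-any.whl":
        "45326cb2480dc414d832b9b757b0ea0f317851cefadc8b9e184df55a34246640",
}


def sha256_digest(source, chunk_size=1 << 20):
    """Return the hex SHA256 of `source`, which is bytes or a path to a file.

    Files are streamed in chunks so a large archive is never held in memory
    at once.
    """
    h = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_download(source, expected_hex):
    """True if the SHA256 of `source` matches `expected_hex` (case-insensitive).

    hmac.compare_digest is used so the comparison does not reveal through
    timing how many leading characters matched.
    """
    actual = sha256_digest(source)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_release_file(path):
    """Check a downloaded espresso-ir 0.0.2 artifact against its published digest."""
    name = Path(path).name
    try:
        expected = PUBLISHED_SHA256[name]
    except KeyError:
        raise ValueError(f"no published digest for {name}") from None
    return verify_download(path, expected)


def requirements_line(project, version, sha256_hexes):
    """Build a requirements.txt entry that pins every artifact's hash.

    With such a line, `pip install --require-hashes -r requirements.txt`
    refuses any file whose digest is not listed.
    """
    hashes = " ".join(f"--hash=sha256:{h}" for h in sha256_hexes)
    return f"{project}=={version} {hashes}"


if __name__ == "__main__":
    # Pinned line you can drop into a requirements file for this release.
    print(requirements_line("espresso-ir", "0.0.2", PUBLISHED_SHA256.values()))
```

Run verify_release_file on the archive you downloaded before installing it; a False result means the bytes on disk are not the ones whose digest appears on this page.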

Requirements

This tool has been designed to use DumpIt by Comae. Other memory acquisition tools may be supported in the future.

Finally, AWS Systems Manager must be able to communicate with the SSM Agent on the EC2 instances you wish to acquire memory from, which means each instance needs an instance profile carrying the required role; the --setup flag can create that role and its policies for you. Note that if you attach the role after the SSM Agent has already started, the agent will not pick up the new permissions until it is restarted. Restart the agent service (AmazonSSMAgent on Windows), not the instance: rebooting the EC2 instance destroys the artifacts in memory, probably all of them, which defeats the purpose of the acquisition.

Acquiring Memory

Once you have completed the instructions in the Getting Started section and met the Requirements, you are ready to dump memory from Windows-based EC2 instances; the images will be uploaded to your <case-id>-memory-evidence S3 bucket.

The case ID is a mandatory positional argument for espresso-ir and must be the first argument it receives.

It is recommended that you turn on AWS API logging (CloudTrail) beforehand, so that the acquisition itself, and anything else happening in the account, is recorded. If you do not have API logging turned on you can enable it with espresso_ir <case-id> --api-logging.

To start a memory dump you will need the instance ID of each EC2 instance you want to acquire memory from. These can currently only be passed as space-separated arguments, for example espresso_ir <case-id> --dump-memory <instance-id> <instance-id> <instance-id>. Up to 50 IDs can be passed at once.

Limitations

At this time you can only dump the memory of 50 EC2 hosts in one CLI invocation, because the Systems Manager SendCommand API accepts at most 50 instance IDs per call. This will be overcome later by using the Targets parameter, which selects instances by tag or resource group instead of by explicit ID.
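The --dump-memory flow described under Acquiring Memory and the 50-ID SendCommand limit noted here come down to a few lines of code. The block below is an added example, not espresso-ir's own implementation: it splits an arbitrary list of instance IDs into batches of at most 50, builds one SendCommand request per batch, and shows the Targets form that selects instances by tag instead. The SSM document name AWS-RunPowerShellScript, the PowerShell lines DumpIt is driven with (its command-line switches in particular), the tool bucket and key names, and the recording stand-in for the boto3 client are all assumptions made for this example; the instance IDs in the test are constructed.

```python
"""Batch memory-acquisition requests for SSM SendCommand (added example)."""

SEND_COMMAND_MAX_IDS = 50                 # InstanceIds cap per SendCommand call
SSM_DOCUMENT = "AWS-RunPowerShellScript"  # assumed: stock SSM document that runs PowerShell
DUMPIT_BUCKET = "espresso-ir-tools"       # assumed: bucket that --setup uploaded DumpIt to
DUMPIT_KEY = "DumpIt.exe"                 # assumed object key for DumpIt


def chunk_instance_ids(instance_ids, size=SEND_COMMAND_MAX_IDS):
    """Yield order-preserving, de-duplicated batches of at most `size` IDs."""
    unique = list(dict.fromkeys(instance_ids))
    for start in range(0, len(unique), size):
        yield unique[start:start + size]


def acquisition_script(case_id):
    """PowerShell run on each instance (assumed layout; the DumpIt switches are an assumption).

    The instance ID is read via IMDSv2 so each image is named after the host it
    came from, and the image is written to the case evidence bucket.
    """
    evidence_bucket = f"{case_id}-memory-evidence"
    return [
        "$ErrorActionPreference = 'Stop'",
        "$tok = Invoke-RestMethod -Method PUT -Uri http://169.254.169.254/latest/api/token "
        "-Headers @{'X-aws-ec2-metadata-token-ttl-seconds'='60'}",
        "$id = Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id "
        "-Headers @{'X-aws-ec2-metadata-token'=$tok}",
        f"Read-S3Object -BucketName {DUMPIT_BUCKET} -Key {DUMPIT_KEY} -File C:\\Windows\\Temp\\DumpIt.exe",
        '& C:\\Windows\\Temp\\DumpIt.exe /Q /O "C:\\Windows\\Temp\\$id.dmp"',
        f'Write-S3Object -BucketName {evidence_bucket} -Key "{case_id}/$id.dmp" -File "C:\\Windows\\Temp\\$id.dmp"',
        'Remove-Item C:\\Windows\\Temp\\DumpIt.exe, "C:\\Windows\\Temp\\$id.dmp"',
    ]


def _base_request(case_id):
    return {
        "DocumentName": SSM_DOCUMENT,
        "Comment": f"espresso-ir memory acquisition, case {case_id}"[:100],  # Comment is capped at 100 chars
        "Parameters": {"commands": acquisition_script(case_id)},
        "TimeoutSeconds": 3600,
    }


def build_send_command(case_id, instance_ids):
    """SendCommand kwargs for one batch of explicit instance IDs (1..50)."""
    ids = list(instance_ids)
    if not 0 < len(ids) <= SEND_COMMAND_MAX_IDS:
        raise ValueError(f"SendCommand takes 1..{SEND_COMMAND_MAX_IDS} InstanceIds, got {len(ids)}")
    request = _base_request(case_id)
    request["InstanceIds"] = ids
    return request


def build_send_command_by_tag(case_id, tag_key, tag_value):
    """SendCommand kwargs using Targets, the route around the 50-ID cap.

    Selecting by tag lets one call reach every tagged instance; MaxConcurrency
    and MaxErrors bound how far a misbehaving script fans out.
    """
    request = _base_request(case_id)
    request["Targets"] = [{"Key": f"tag:{tag_key}", "Values": [tag_value]}]
    request["MaxConcurrency"] = "10"
    request["MaxErrors"] = "0"
    return request


def dispatch(ssm_client, case_id, instance_ids):
    """Issue one SendCommand per batch; return the CommandIds for later polling."""
    command_ids = []
    for batch in chunk_instance_ids(instance_ids):
        response = ssm_client.send_command(**build_send_command(case_id, batch))
        command_ids.append(response["Command"]["CommandId"])
    return command_ids


class RecordingSSMClient:
    """Offline stand-in for boto3.client('ssm') that records each request."""

    def __init__(self):
        self.calls = []

    def send_command(self, **kwargs):
        self.calls.append(kwargs)
        return {"Command": {"CommandId": f"cmd-{len(self.calls):04d}"}}


if __name__ == "__main__":
    client = RecordingSSMClient()
    hosts = [f"i-{n:017x}" for n in range(120)]  # constructed IDs
    print(dispatch(client, "case0001", hosts))
    print([len(c["InstanceIds"]) for c in client.calls])
```

Against a real account you would pass boto3.client("ssm") in place of RecordingSSMClient and then poll each CommandId with list_command_invocations before trusting that the images landed in the evidence bucket. Note that the script writes the image to the instance's own volume before uploading it, which overwrites unallocated disk space; if disk artifacts matter for the case, acquire the volume snapshot first.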

This tool only supports DumpIt as the memory acquisition tool.

TODO

  • Next steps
  • Features planned
  • Known bugs (shortlist)


Download files


Source Distribution

espresso_ir-0.0.2.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

espresso_ir-0.0.2-py3-none-any.whl (17.3 kB view details)

Uploaded Python 3

File details

Details for the file espresso_ir-0.0.2.tar.gz.

File metadata

  • Download URL: espresso_ir-0.0.2.tar.gz
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.9.1

File hashes

Hashes for espresso_ir-0.0.2.tar.gz
Algorithm Hash digest
SHA256 1cf2e3b460286401b6a74a42365b52badcd36bc53c925b936c91baff0461b54a
MD5 172c4135b312f4f2c7861add2fcfdb34
BLAKE2b-256 4b0cf91da45acc187cbcc386947b35e1905468efe04fda4cc2182488f3a79bcb


File details

Details for the file espresso_ir-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: espresso_ir-0.0.2-py3-none-any.whl
  • Size: 17.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.9.1

File hashes

Hashes for espresso_ir-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 45326cb2480dc414d832b9b757b0ea0f317851cefadc8b9e184df55a34246640
MD5 5e28d56a0aa4bd61691ec9ee8df8c245
BLAKE2b-256 703fd7b9170f6db4461bd1b9dbed8149562da824f9aeba958014a256ac3bf7d4

