SEC10-BP03: Prepare forensic capabilities
Overview
Ahead of a security incident, consider developing forensics capabilities to support security event investigations.
Concepts from traditional on-premises forensics apply to AWS. For key information to start building forensics capabilities in the AWS Cloud, see Forensic investigation environment strategies in the AWS Cloud.
Once you have your environment and AWS account structure set up for forensics, define the technologies required to effectively perform forensically sound methodologies across the four phases:
- Collection: Collect relevant AWS logs, such as AWS CloudTrail, AWS Config, VPC Flow Logs, and host-level logs. Collect snapshots, backups, and memory dumps of impacted AWS resources where available.
- Examination: Examine the data collected by extracting and assessing the relevant information.
- Analysis: Analyze the data collected in order to understand the incident and draw conclusions from it.
- Reporting: Present the information resulting from the analysis phase.
Implementation Steps
Prepare your forensics environment
AWS Organizations helps you centrally manage and govern your AWS environment as you grow and scale your AWS resources. An AWS organization consolidates your AWS accounts so that you can administer them as a single unit, and organizational units (OUs) let you group related accounts and administer each group as a unit.
For incident response, it’s helpful to have an AWS account structure that supports the functions of incident response, which includes a security OU and a forensics OU.
Within the security OU, you should have accounts for:
- Log archival: Aggregate logs in a log archival AWS account with limited permissions
- Security tools: Centralize security services in a security tool AWS account. This account operates as the delegated administrator for security services
Within the forensics OU, you have the option to implement a single forensics account or one account for each Region that you operate in, depending on which works best for your business and operational model. If you create a forensics account per Region, you can block the creation of AWS resources outside of that Region and reduce the risk of evidence being copied to an unintended Region.
For example, if you only operate in US East (N. Virginia) Region (us-east-1) and US West (Oregon) (us-west-2), then you would have two accounts in the forensics OU: one for us-east-1 and one for us-west-2.
You can also create a single forensics AWS account that serves multiple Regions. In that case, exercise caution when copying AWS resources into that account so that you remain aligned with your data sovereignty requirements.
Because it takes time to provision new accounts, it is imperative to create and instrument the forensics accounts well ahead of an incident so that responders can be prepared to effectively use them for response.
Capture backups and snapshots
Setting up backups of key systems and databases is critical both for recovering from a security incident and for forensics purposes. With backups in place, you can restore your systems to their previous safe state. On AWS, you can take snapshots of various resources; snapshots provide point-in-time backups of those resources.
There are many AWS services that can support you in backup and recovery. For detail on these services and approaches for backup and recovery, see Backup and Recovery Prescriptive Guidance and Use backups to recover from security incidents.
Especially when it comes to situations such as ransomware, it’s critical for your backups to be well protected. For guidance on securing your backups, see Top 10 security best practices for securing backups in AWS.
In addition to securing your backups, you should regularly test your backup and restore processes to verify that the technology and processes you have in place work as expected.
Automate forensics
During a security event, your incident response team must be able to collect and analyze evidence quickly while maintaining accuracy for the time period surrounding the event (such as capturing logs related to a specific event or resource, or collecting a memory dump of an Amazon EC2 instance). It is both challenging and time-consuming for the incident response team to manually collect the relevant evidence, especially across a large number of instances and accounts. Additionally, manual collection is prone to human error.
For these reasons, you should develop and implement automation for forensics as much as possible. AWS offers a number of automation resources for forensics, which are listed in the Resources section. These resources are examples of forensics patterns that we have developed and customers have implemented. While they might be a useful reference architecture to start with, consider modifying them or creating new forensics automation patterns based on your environment, requirements, tools, and forensics processes.
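As an added illustration of such automation (not code from the Well-Architected page or from any AWS sample), the following Python sketches the collection step using boto3-style EC2 client calls: it snapshots every EBS volume of an instance, tags the snapshots with a case ID, shares them only with the forensics account of the instance's own Region, and returns chain-of-custody records. The FORENSICS_ACCOUNTS map and its account IDs are placeholders, and FakeEC2 is a constructed offline stand-in for a real `boto3.client("ec2")`.

```python
from datetime import datetime, timezone

# Placeholder forensics account IDs per Region (constructed; replace with your own).
FORENSICS_ACCOUNTS = {"us-east-1": "111111111111", "us-west-2": "222222222222"}

def snapshot_instance_for_forensics(ec2, instance_id, case_id):
    """Snapshot each EBS volume of an instance, tag it with the case ID, and share
    it only with the forensics account of the instance's own Region.
    `ec2` is a boto3 EC2 client (or any object with the same call shapes)."""
    region = ec2.meta.region_name
    if region not in FORENSICS_ACCOUNTS:  # refuse rather than guess a destination
        raise ValueError(f"no forensics account configured for Region {region}")
    forensics_account = FORENSICS_ACCOUNTS[region]
    collected_at = datetime.now(timezone.utc).isoformat()
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    volume_ids = [m["Ebs"]["VolumeId"] for r in reservations for i in r["Instances"]
                  for m in i.get("BlockDeviceMappings", []) if "Ebs" in m]
    records = []
    for volume_id in volume_ids:
        snap = ec2.create_snapshot(
            VolumeId=volume_id, Description=f"forensic capture {case_id} {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "CaseId", "Value": case_id},
                {"Key": "SourceInstance", "Value": instance_id}]}])
        # Grant createVolumePermission to the forensics account only; the snapshot
        # stays in this Region and is pulled from the forensics side.
        ec2.modify_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission",
            OperationType="add", UserIds=[forensics_account])
        # Chain-of-custody record: what was captured, from where, when, and shared with whom.
        records.append({"case_id": case_id, "instance_id": instance_id,
                        "volume_id": volume_id, "snapshot_id": snap["SnapshotId"],
                        "region": region, "shared_with": forensics_account,
                        "collected_at": collected_at})
    return records

class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""
    def __init__(self, region, volume_ids):
        self.meta = type("Meta", (), {"region_name": region})()
        self.volume_ids, self.shared, self.count = volume_ids, {}, 0
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volume_ids]}]}]}
    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self.count += 1
        return {"SnapshotId": f"snap-{self.count:017x}"}
    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, UserIds):
        self.shared[SnapshotId] = list(UserIds)
```

In a real deployment the same function would run in a response account under a tightly scoped role, and the returned records would be written to the log archive account alongside the snapshots' hashes.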
Implementation Examples
Example 1: Comprehensive Forensic Capabilities Framework
Example 2: Automated Forensic Evidence Collection and Analysis
Resources
Related Documents
- AWS Security Incident Response Guide - Develop Forensics Capabilities
- AWS Security Incident Response Guide - Forensics Resources
- Forensic investigation environment strategies in the AWS Cloud
- How to automate forensic disk collection in AWS
- AWS Prescriptive Guidance - Automate incident response and forensics
- Backup and Recovery Prescriptive Guidance
- Use backups to recover from security incidents
- Top 10 security best practices for securing backups in AWS
Related AWS Services
- AWS Organizations - For forensic account structure and management
- Amazon EC2 Snapshots - For forensic disk imaging
- AWS CloudTrail - For API activity logging and forensic analysis
- Amazon VPC Flow Logs - For network traffic analysis
- AWS Config - For configuration change tracking
- Amazon CloudWatch Logs - For application and system log collection
- AWS Systems Manager - For automated evidence collection
- Amazon Detective - For security investigation and analysis
- Amazon Athena - For forensic log analysis
- AWS Step Functions - For forensic workflow orchestration
- Amazon S3 - For secure evidence storage
- AWS Backup - For automated backup and recovery
Related Videos
- Automating Incident Response and Forensics
- AWS re:Invent 2020: Incident response and forensics in the cloud
Related Examples
- Automated Incident Response and Forensics Framework
- Automated Forensics Orchestrator for Amazon EC2
- AWS Security Analytics Bootstrap
- AWS CloudTrail Analysis Framework
Related Tools and Solutions
- SIFT Workstation - Digital forensics and incident response toolkit
- Volatility Framework - Memory forensics framework
- Autopsy - Digital forensics platform
- Sleuth Kit - Digital investigation tools
- Wireshark - Network protocol analyzer
- YARA - Malware identification and classification
Compliance and Legal Considerations
- NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
- ISO/IEC 27037: Guidelines for identification, collection, acquisition and preservation of digital evidence
- Federal Rules of Evidence - For legal admissibility of digital evidence
- GDPR Article 33 - Personal data breach notification requirements
- HIPAA Security Rule - Healthcare data protection requirements
Best Practices and Guidelines
- Maintain proper chain of custody documentation for all evidence
- Use write-blocking tools when acquiring disk images
- Implement time synchronization across all forensic systems
- Regularly test forensic procedures and tools
- Ensure forensic personnel have appropriate training and certifications
- Document all forensic procedures and maintain detailed case notes
- Implement secure evidence storage with appropriate access controls
- Regularly back up and test forensic tools and environments