Volatility3 Profiles for Amazon Linux
by 4n6ir, 3y ago
I originally posted pre-made Volatility3 Profiles for Amazon Linux versions 1 and 2 from August 2016 to the present, along with SHA256 hash lists: https://github.com/4n6ir/metavault
Switching to BLAKE3 hash lists, I added a collection of “System.map” files for Amazon Linux versions 1 and 2 from August 2016 to the present, which are necessary to generate Volatility3 Profiles for memory analysis: https://github.com/4n6ir/volatility3-profiles
The latest “dwarf2json” Go utility can process these files, which contain the symbol and type information needed to generate Volatility3 Intermediate Symbol File (ISF) JSON out ..read more
BLAKE3 a new normal for hashes
by 4n6ir, 3y ago
If you have not had the opportunity yet, I would definitely check out the cryptographic hash function BLAKE3, as it has impressive performance! https://github.com/BLAKE3-team/BLAKE3
I remember “way back when” the big push was to move from broken MD5/SHA1 to SHA256 hashes. Wait, I am not sure that has actually been accomplished yet? I have heard the typical reasoning around the performance concerns when using SHA256 over older algorithms, anyway ..read more
Incident Response as Code Bootstrap
by 4n6ir, 3y ago
I want to share a potential option to quickly deploy a bastion/forensic workstation with a micro-pipeline for Incident Response as Code in an AWS account and/or organization.
ACCESS REQUIREMENT
Single Sign-On (SSO) needs to exist to handle authentication and authorization for this method to work.
CLOUD9 BASTION
I prefer to use Cloud9 as my forensic workstation these days. It comes pre-installed with most of the developer tools necessary to stand up new infrastructure to process an investigation ..read more
Amazon Linux Metadata Repository
by 4n6ir, 3y ago
ALL VENDORS, PLEASE
Link –> https://twitter.com/cyb3rops/status/1399634705323073536
NOPE, VERY REASONABLE
Ideally, each vendor would become the source of truth for their respective products and keep it always current. Creating a standardized format would require a happy balance of what is possible to collect in a reasonable amount of time to support ephemeral systems. Getmeta captures these fields from all Amazon Linux AMIs hosted in Ohio (US-EAST-2) from August 2016 to the present ..read more
465,003,293,531,714,894,187,043,555,698
by 4n6ir, 3y ago
THAT IS A BIG NUMBER
The number is the total current IP address space for Amazon Web Services (AWS), including about 55 million IPv4 addresses, with the rest in IPv6. https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Previously, I shared some Python3 code for searching CIDRs for a specific IP address. https://www.4n6ir.com/posts/2020/06/searching-cidrs/
WHY IS THIS HELPFUL
The information is helpful to figure out which region an address is assigned to. It is also beneficial for potentially identifying the AWS service in your logs ..read more
Getting Started - AWS Cloud Development Kit
by 4n6ir, 3y ago
GOODBYE LOCAL DEVELOPMENT
Two-point-five years into my nomadic lifestyle of using cellular data, I decided it was time to figure out my development environment. My primary goal was to lower my local bandwidth consumption while having a decent interface that I could use from macOS, iPadOS, and Linux operating systems. I code for fun mainly with Python on AWS infrastructure, making Cloud9 and CDK an excellent starting point. Start by launching a Cloud9 environment with an identifiable name and optional description in the region with your current workloads ..read more
Getting Started - Snapshot 4n6ir Imager for Docker
by 4n6ir, 3y ago
SCENARIO
Your organization has a business requirement to store disk images of EC2 volumes cost-effectively for thirty days after termination for security investigations. The CloudWatch Event “createSnapshot” for a completed EBS Snapshot will launch a Lambda that initiates the Snapshot 4n6ir Imager for Docker script.
DOCKERFILE
    FROM ubuntu:20.04
    WORKDIR /4n6ir
    RUN apt-get update && apt-get install -y python3-pip
    RUN pip3 install --no-cache-dir boto3 cryptography requests
    ADD https://cloud.4n6ir.com/scripts/Snapshot-4n6ir-Imager-for-Docker.py.gz /4n6ir/Snapshot-4n6ir-Imager-for-Docker.py.g ..read more
Getting Started - Snapshot 4n6ir Imager
by 4n6ir, 3y ago
SCENARIO
Suspicious activity was detected on an EC2 Instance that requires investigation. An Amazon EBS Snapshot was obtained that needs to be converted to a DD image for analysis. The examiner workstation has been launched in the region with the snapshot in question to limit data transfer costs. An IAM Role for EC2 has been applied to your workstation with the Elastic Block Store (EBS) permissions enabled by an IAM Policy ..read more
Searching CIDRs for IPv4/6 Addresses
by 4n6ir, 3y ago
Cloud service providers like Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), etc. publish their IPv4/6 CIDR network ranges for consumption. During analysis, we could use WHOIS information to determine ownership of a specific IP address. However, using this OSINT, we can glean some additional information on a particular IP address, such as the possible services operating in particular regions.
AWS IP Address Ranges Example: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Two challenges exist with this data set that need addressing ..read more
Updated Snapshot 4n6ir Imager for Docker
by 4n6ir, 3y ago
One significant addition is the use of AWS Security Token Service (STS), like the stand-alone version, to generate logs of access to the EBS direct API. The other is the splitting of the upload and download permissions into separate keys, received in two emails.
Cloud 4n6ir Upload/Download API Key
    URL Link: https://upload.us-east-2.4n6ir.com
    API Key: abacadaba-abacadaba-abacadaba
    AWS Region: us-east-2
    TTL Seconds: 120
SNAPSHOT 4N6IR IMAGER FOR DOCKER
Before the script even starts now, it checks to make sure the snapshot exists ..read more