Grab Forensic Images from EC2 and Rackspace
1. Grabbing Forensic Images out of EC2/Rackspace
JP Bourget
Syncurity Networks
B-Sides Las Vegas 2012
@punkrokk
July 26, 2012
2. What I ran into while grabbing forensic images
– What if you lose access to your Amazon account?
– What if it's determined that you need to pull images out of EC2 in order to do forensic analysis on them?
– Amazon makes it easy to get data in, but tough to get data out
– Rackspace doesn't make it much easier…
3. Regaining Admin account access (Amazon)
• I called up Amazon and Rackspace. Neither has a public procedure; the most they will really say is "they will work with you"
– Can I social engineer access to someone's cloud account?
– Best practice is to use role-based access (use AWS Identity and Access Management, IAM) together with two-factor authentication (a virtual MFA device such as Google Authenticator)
4. Regaining Access (Rackspace)
• If you have monitoring and both the Racker (Rackspace team) account and your own account credentials were changed, you had better hope you can reset your admin credentials (drive images can be decrypted)
• If they haven't changed the monitoring account, Rackspace will log in to it and reset the admin passwords
• You need to authenticate to your customer cloud/billing account, and they will reset your server-side account
• Best practice is to have a dedicated account that provides granular role-based access (the public cloud side does not have robust delegation at this time) (you can schedule account terminations)
5. Rackspace Forensic Images
• You can pause the VM
• Requires sign-off from Legal and the Cloud Ops team
• You need to prove ownership of the account
• Send in your own storage
• It's up to you to have a strategy to get your data out (dd, Ghost, or another third-party cloning tool)
• They will boot up a tool if it's private storage
• This can be a nightmare (technically and logistically)
• Thanks to Nicole Schwartz from Rackspace (@amazonv)
6. Geographical Zones
• Zones
– If you have data in multiple zones for redundancy, it's a pain to pull things out
– AWS Import/Export helps, but you need to send disks to every zone
– Rackspace: you have to send in storage and scripts to each storage zone (they will not transfer between countries)
7. Amazon Forensics
• If you have small images (< 5 GB) you can dd them to another drive and then download them (HTTP, SFTP, etc.); the Amazon Linux image has all the tools you need
• If you have large images (> 5 GB) and you need to use AWS Import/Export, you have a different battle to fight
8. How to grab and move a large (> 5 GB) forensic image out of EC2
• Attach a volume created from a snapshot of the system to a Linux VM (call this /dev/sdg); if you mount it at all, mount it read-only (-o ro) so the evidence is never written to
• Give the Linux VM a slightly larger drive (/dev/sdh), format it ext3/ext4 and mount it at /tmp/image-sdg as the destination
• dd if=/dev/sdg | split -d -b 2G - /tmp/image-sdg/snap-xxxxxx.dd.split.
  (the input is the snapshot volume, not the destination drive; the lone "-" tells split to read from stdin and write the pieces onto the mounted destination)
• split -d gives numeric suffixes: .00, .01, .02, etc.
9. AWS Import/Export Service
• You can now send drives in to Amazon and have them copy your S3 bucket to media they will mail back to you
– You have to combine your split files back together
– You then can mount them in…
• Will Amazon help you with this?
– I dunno, haven't found any credible answers to this…
10. Move to S3
• Copy to an S3 bucket:
– Use aws by Tim Kay (timkay.com/aws):
aws put mybucket/snap-xxxx.dd.01 snap-xxxx.dd.01
This will upload files of max 5 GB each to S3 (which is why the image was split into 2 GB pieces)
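Slides 8 through 10 describe the procedure (image the snapshot volume, split it into pieces small enough for S3, recombine the pieces after Import/Export) but do not say how to prove that the recombined pieces still equal the original volume. The script below is an added example, not code from the original talk: it reads the evidence volume once, hashes the stream while split writes the chunks, records per-chunk hashes so each piece can be checked on arrival, and reassembles and verifies the result. It assumes bash and GNU coreutils (split -d), as on the Amazon Linux AMI the slides mention. The function names are this example's own, and the sample "device" is a constructed random file so the script runs offline; for real use pass the snapshot volume (slide 8's /dev/sdg) as SOURCE and point OUTDIR at the mounted scratch volume.

```shell
#!/bin/bash
# Added example (not from the original slides): image, hash, split, and
# later reassemble and verify a volume. Assumes GNU coreutils (split -d).
set -u

# SHA-256 of stdin as a bare hex digest; falls back to shasum where
# sha256sum is absent.
sha256_stream() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  else
    shasum -a 256 | awk '{print $1}'
  fi
}

# image_and_split SOURCE OUTDIR PREFIX [CHUNK]
# SOURCE is the snapshot volume (e.g. /dev/sdg) or any file; OUTDIR sits on
# the larger scratch volume (slide 8's /tmp/image-sdg). Writes OUTDIR/PREFIX.00,
# .01, ... of CHUNK bytes (default 2G, under the 5 GB S3 PUT limit), records
# the SHA-256 of the whole stream in OUTDIR/PREFIX.sha256 and one hash per
# chunk in OUTDIR/PREFIX.chunks.sha256. Prints the stream hash.
image_and_split() {
  local src=$1 outdir=$2 prefix=$3 chunk=${4:-2G}
  local fifo="$outdir/.hash.$$" hpid f
  mkdir -p "$outdir"
  mkfifo "$fifo"
  # Hash in the background off a FIFO fed by tee, so a multi-hundred-GB
  # device is read exactly once while split writes the chunks.
  sha256_stream <"$fifo" >"$outdir/$prefix.sha256" &
  hpid=$!
  dd if="$src" bs=4194304 2>/dev/null \
    | tee "$fifo" \
    | split -d -a 2 -b "$chunk" - "$outdir/$prefix."
  wait "$hpid"
  rm -f "$fifo"
  # Per-chunk hashes travel with the chunks (e.g. into the S3 bucket) so each
  # piece can be checked on arrival, before reassembly.
  for f in "$outdir/$prefix".[0-9][0-9]; do
    printf '%s  %s\n' "$(sha256_stream <"$f")" "$(basename "$f")"
  done >"$outdir/$prefix.chunks.sha256"
  cat "$outdir/$prefix.sha256"
}

# chunk_count OUTDIR PREFIX: number of chunk files written for PREFIX.
chunk_count() {
  local n=0 f
  for f in "$1/$2".[0-9][0-9]; do [ -e "$f" ] && n=$((n+1)); done
  echo "$n"
}

# reassemble_and_verify OUTDIR PREFIX DEST
# Concatenates the chunks in suffix order into DEST and compares its SHA-256
# with the one recorded at imaging time. Non-zero exit means the copy is not
# forensically sound (missing, reordered or altered chunk).
reassemble_and_verify() {
  local outdir=$1 prefix=$2 dest=$3 expected actual
  cat "$outdir/$prefix".[0-9][0-9] >"$dest"
  expected=$(cat "$outdir/$prefix.sha256")
  actual=$(sha256_stream <"$dest")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo on a constructed stand-in for a snapshot volume: 3089 KiB of random
# bytes split into 1M chunks (four pieces, the last one partial).
demo() {
  local work; work=$(mktemp -d)
  dd if=/dev/urandom of="$work/evidence.img" bs=1024 count=3089 2>/dev/null
  echo "source hash:    $(image_and_split "$work/evidence.img" "$work/out" snap-demo.dd 1M)"
  echo "chunks written: $(chunk_count "$work/out" snap-demo.dd)"
  if reassemble_and_verify "$work/out" snap-demo.dd "$work/rebuilt.img"; then
    echo "reassembled image verifies against the imaging-time hash"
  else
    echo "HASH MISMATCH: do not treat the reassembled image as evidence"
  fi
  rm -rf "$work"
}
demo
```

In the workflow from the slides, each chunk plus the two .sha256 files would be pushed to the bucket with Tim Kay's tool (aws put mybucket/snap-xxxx.dd.00 snap-xxxx.dd.00, and so on), and reassemble_and_verify would be run on the media that comes back from AWS Import/Export. Keeping the imaging-time hash is what lets you state, for chain of custody, that the image you analyse is bit-for-bit what was read from the volume.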
11. Things you may want to ask before going cloud
• Will the vendor help you grab forensically sound images? Is there an SLA?
• Will they support chain of custody?
• What legal paperwork will you have to sign before they will export data for you? Will they export across country lines (UK to USA)?
• Do the existing tools allow you to automate across a large number of machines?
• If you are the Feds, getting data out is most likely way easier!
12. Thanks for listening!
• Questions?
• Twitter: @punkrokk
• jp@syncurity.net
• Come to @BSidesRoc next year! (May 2013)
Editor's notes
e.g., an admin consulting for you switches sides
Asking: if I had assets in their cloud and I lost access to the AWS or Rackspace console, what is the process for getting it back?