Launch Forensic Workstations - AWS Security Incident Response Guide

Launch Forensic Workstations

Some of your incident response activities might include analyzing disk images, file systems, RAM dumps, or other artifacts that are involved in an incident. Many customers build a customized forensic workstation that they can use to mount copies of any affected data volumes (Amazon EBS snapshots). To do so, follow these basic steps:

  1. Choose a base Amazon Machine Image (AMI) (such as Linux or Microsoft Windows) that can be used as a forensic workstation.

  2. Launch an Amazon EC2 instance from that base AMI.

  3. Harden the operating system, remove unnecessary software packages, and configure relevant auditing and logging mechanisms.

  4. Install your preferred suite of open source or private toolkits, as well as any vendor software and packages that you need.

  5. Stop the Amazon EC2 instance and create a new AMI from the stopped instance.

  6. Create a weekly or monthly process to update and rebuild the AMI with the latest software patches.

After the forensic workstation AMI is built, your incident response team can use it as the template for launching a new forensic workstation for each investigation. The process for launching the AMI as an Amazon EC2 instance can be preconfigured to simplify deployment. For example, you can describe the forensic infrastructure resources that you need in a template file and deploy it into your AWS account using AWS CloudFormation.
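The following CloudFormation template is an added example of such a deployment, not a template from this guide: it launches a workstation from the hardened AMI (step 5), attaches a fresh volume created from an evidence snapshot, and allows no inbound network access. The parameter values, the m5.large instance type, the isolated VPC and subnet, and the use of SSM Session Manager for operator access are all assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Isolated forensic workstation launched from a hardened AMI (added example)
Parameters:
  ForensicAmiId:
    Type: AWS::EC2::Image::Id      # the AMI produced in step 5 of the build process
  EvidenceSnapshotId:
    Type: String                   # EBS snapshot of the affected volume (placeholder value)
  VpcId:
    Type: AWS::EC2::VPC::Id        # isolated forensic VPC, segmented from production
  SubnetId:
    Type: AWS::EC2::Subnet::Id

Resources:
  WorkstationSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: No inbound rules; access only via SSM Session Manager
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp          # HTTPS only, for SSM endpoints and patch repos
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  WorkstationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  WorkstationProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref WorkstationRole ]

  ForensicWorkstation:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ForensicAmiId
      InstanceType: m5.large
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref WorkstationProfile
      SecurityGroupIds: [ !Ref WorkstationSecurityGroup ]
      BlockDeviceMappings:          # new volume created from the snapshot; original untouched
        - DeviceName: /dev/sdf
          Ebs: { SnapshotId: !Ref EvidenceSnapshotId, DeleteOnTermination: false }
```

Deleting the stack after the examination discards the workstation, so nothing carries over to the next investigation, while the evidence volume survives (DeleteOnTermination is false) and can be retained or snapshotted for the case record.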

When your resources can be deployed quickly from a template, your well-trained forensic experts can use a new forensic workstation for each investigation instead of reusing infrastructure. With this process, you can make sure that there is no cross-contamination from other forensic examinations.

Instance Types and Locations

Amazon EC2 provides a wide selection of instance types that are optimized for different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity, and give you the flexibility to choose the appropriate mix of resources for your applications. Many instance types include multiple instance sizes, which enables you to scale your resources to the requirements of your target workload. For incident response instances, follow your company’s governance, risk, and compliance (GRC) policies for location and segmentation from the network that runs production instances.

AWS enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packets per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking. For information about which instance types support 10 or 25 Gbps network speeds, and other advanced capabilities, see Amazon EC2 Instance Types.