Steps to build LiME module and volatility profile using SSM document - Automated Forensics Orchestrator for Amazon EC2 and EKS


The below diagram explains the overall architecture of building volatility profile.

[Diagram: steps to build volatility profile using SSM document]

The diagram below details the usage of a Volatility profile in the memory investigation flow.

.Usage of a Volatility profile in the memory investigation flow
image::images/volatility-profile-using-ssm-flow.png[scaledwidth=100%]

. Launch an Amazon EC2 instance (Amazon Linux 2) to build the LiME module and Volatility profile. Ensure that SSM is appropriately configured on the EC2 instance or EKS cluster. Record the instance ID.
. Navigate to the AWS Systems Manager documents and select the previously created SSM document (for example, from the Documents tab). Record the name of the SSM document used to build the profile.
+
.SSM document
image::images/ssm-document.png[scaledwidth=100%]
. Run the AWS SSM document to build the LiME module and Volatility 3 symbol tables for a launched Amazon EC2 instance or EKS cluster that matches the OS and kernel version.
+
NOTE: Currently the profile and tools are loaded into the S3 bucket for Amazon Linux EC2 instances. For other operating systems, modify the SSM document to create Volatility profiles.

Automate the creation of LiME and Volatility 3 symbol tables

You can incorporate the module build process for LiME and Volatility (or your preferred forensic tools) into a hardened AMI pipeline prior to allowing AMI use by developers and application teams. These modules are prerequisites for running the Automated Forensics Orchestrator for Amazon EC2 and EKS Guidance to allow the capture and analysis of volatile memory. You also need to incorporate a mechanism to build these modules for the specific kernel versions in the event they do not exist. This can occur if an EC2 instance or EKS cluster is updated after being launched or if an EC2 instance or EKS cluster was launched from a non-hardened AMI that is not managed by a central team.
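The following script is an added example of what the build step of such an SSM document can look like for Amazon Linux 2: it publishes the LiME module and Volatility 3 symbol table for the running kernel, and skips the build when both artifacts are already in the bucket, which is the "build only if missing" mechanism described above. It is not the guidance's own SSM document; the `FORENSIC_BUCKET` variable, the `forensic-tools/<kernel>/` key layout, and the presence of the `aws` CLI and `dwarf2json` on the instance are assumptions.

```bash
#!/usr/bin/env bash
# Example build script for the SSM document's run-command step (added here; not the
# guidance's own document). Builds for the kernel the instance is running, so the
# instance must match the target OS and kernel. Assumptions: aws CLI and dwarf2json
# are on PATH, FORENSIC_BUCKET names the bucket, and the S3 key layout below.
set -eu

lime_module_name() { printf 'lime-%s.ko\n' "$1"; }            # file name LiME's Makefile emits
symbol_table_name() { printf 'linux-%s.json.xz\n' "$1"; }     # Volatility 3 ISF naming
artifact_key() { printf 'forensic-tools/%s/%s\n' "$1" "$2"; } # assumed layout: prefix/<kernel>/<file>

# Succeeds only when both artifacts already exist in the bucket for this kernel,
# so re-running the document on a patched fleet is idempotent.
artifacts_present() {
    bucket="$1"; kver="$2"
    for name in "$(lime_module_name "$kver")" "$(symbol_table_name "$kver")"; do
        aws s3api head-object --bucket "$bucket" --key "$(artifact_key "$kver" "$name")" \
            >/dev/null 2>&1 || return 1
    done
}

build_and_publish() {
    bucket="$1"; kver="$(uname -r)"
    if artifacts_present "$bucket" "$kver"; then
        echo "artifacts for $kver already in s3://$bucket, nothing to build"; return 0
    fi
    work="$(mktemp -d)"
    # Kernel headers for the LiME module; debug vmlinux for dwarf2json (yum-based AL2).
    sudo yum install -y git make gcc xz yum-utils "kernel-devel-$kver"
    sudo debuginfo-install -y "kernel-$kver"
    # LiME is an out-of-tree module; its Makefile builds against the running kernel's headers.
    git clone --depth 1 https://github.com/504ensicsLabs/LiME "$work/LiME"
    make -C "$work/LiME/src"
    # Volatility 3 symbol table (ISF) from the debug vmlinux; vmlinux path is the
    # usual Red Hat-family debuginfo location and is an assumption for AL2.
    dwarf2json linux --elf "/usr/lib/debug/lib/modules/$kver/vmlinux" > "$work/linux-$kver.json"
    xz -9 "$work/linux-$kver.json"   # produces linux-<kver>.json.xz, as Volatility expects
    aws s3 cp "$work/LiME/src/$(lime_module_name "$kver")" \
        "s3://$bucket/$(artifact_key "$kver" "$(lime_module_name "$kver")")"
    aws s3 cp "$work/$(symbol_table_name "$kver")" \
        "s3://$bucket/$(artifact_key "$kver" "$(symbol_table_name "$kver")")"
}

# Only build when invoked with --build, so the naming helpers can be sourced and checked offline.
if [ "${1:-}" = "--build" ]; then
    build_and_publish "${FORENSIC_BUCKET:?set FORENSIC_BUCKET to the forensic S3 bucket}"
fi
```

Because the script keys artifacts by `uname -r`, the same document run on an instance whose kernel was updated after launch produces a second set of artifacts for the new kernel rather than overwriting the old one.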

For more information, refer to the How to automatically build forensic kernel modules for Amazon Linux EC2 instances blog, which will walk you through deploying a Guidance to automatically build modules for specific EC2 instance or EKS cluster OS kernel versions based on input parameters of AMI ID and kernel version. You can use the blog Guidance with the Automated Forensics Orchestrator for Amazon EC2 and EKS Guidance in the event that specific kernel module versions are missing and need to be created.