A self-service solution to capture and examine data from EC2 instances and attached volumes for forensic analysis in the event of a potential security issue being detected - Automated Forensics Orchestrator for Amazon EC2


Publication date: July 2022

Automated Forensics Orchestrator for Amazon EC2 is a self-service AWS Solution that customers can deploy to quickly set up and configure a forensics orchestration workflow for their Security Operations Center (SOC). It allows their SOC to capture and examine data from EC2 instances and attached volumes as digital forensics evidence for forensic analysis, in the event of an issue being detected.

This solution provides a framework to orchestrate and automate key forensics processes from the point at which a threat is first detected. This includes isolation of the affected EC2 instances and data volumes, capture of memory and disk images to secure storage, and initiation of automated actions or tools for investigation and analysis of those artifacts. The solution reports findings and provides process notifications. It allows the SOC to continuously discover and analyze patterns of fraudulent activity across multi-account and multi-region environments. The Automated Forensics Orchestrator for Amazon EC2 solution is built on AWS services and underpinned by a highly available, resilient, serverless architecture with security and operational monitoring features.

Forensic workflow

Figure 1: Forensic workflow

Digital forensics is a four-step process of acquisition, isolation, investigation and reporting. The Automated Forensics Orchestrator for Amazon EC2 solution provides the capability to act on security events by imaging or acquisition of affected resources for examination and generating a forensic report about the security event. In the event of an issue being detected, it allows customers to automatically capture and store targeted data for forensic examination and analysis, and their SOC to discover and analyze patterns of fraudulent activities. The solution supports EC2 instances distributed across multiple accounts and regions.
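The isolation and acquisition steps described in the two paragraphs above, shown as an added example that is not part of this guide or of the solution's own code. It assumes two mechanisms the page does not specify: quarantine by replacing the instance's security groups with an empty "deny-all" group (`QUARANTINE_SG` is a placeholder ID), and point-in-time EBS snapshots of each attached volume as the disk image. The orchestration function is written against the real boto3 EC2 client method names and response shapes, but the client is injected so the example runs offline against a constructed in-memory `FakeEC2`; a chain-of-custody manifest with a SHA-256 digest is emitted so later tampering with the evidence record is detectable.

```python
"""Added example: isolate an EC2 instance and snapshot its volumes as forensic evidence.
Not the solution's own code; quarantine-by-security-group and EBS snapshots are assumed."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed: a pre-created security group with no inbound or outbound rules (placeholder ID).
QUARANTINE_SG = "sg-quarantine-placeholder"


def isolate_and_snapshot(ec2, instance_id, case_id):
    """Swap the instance's security groups for the quarantine group, snapshot every
    attached EBS volume, and return a chain-of-custody record for the evidence.
    `ec2` is any object exposing the boto3 EC2 client calls used below."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]

    # 1. Isolation: cut network access before touching the disks, but keep the
    #    original group IDs so the SOC can reconstruct the pre-incident state.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])

    # 2. Acquisition: point-in-time snapshot of each attached volume, tagged with the case.
    snapshots = []
    for mapping in inst["BlockDeviceMappings"]:
        vol_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"forensic evidence {case_id} {instance_id}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [{"Key": "CaseId", "Value": case_id},
                         {"Key": "SourceInstance", "Value": instance_id}],
            }],
        )
        snapshots.append({"device": mapping["DeviceName"], "volume_id": vol_id,
                          "snapshot_id": snap["SnapshotId"]})

    # 3. Chain of custody: record what was taken, from where, and when, then hash it.
    record = {
        "case_id": case_id,
        "instance_id": instance_id,
        "original_security_groups": original_sgs,
        "snapshots": snapshots,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    record["manifest_sha256"] = _digest(record)
    return record


def _digest(record):
    body = {k: v for k, v in record.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_manifest(record):
    """Recompute the manifest digest; True only if the record is unmodified."""
    return _digest(record) == record.get("manifest_sha256")


class FakeEC2:
    """Constructed in-memory stand-in for a boto3 EC2 client, mirroring only the
    method names and response shapes the orchestrator uses; exists so this runs offline."""

    def __init__(self):
        self.instances = {
            "i-0123456789abcdef0": {  # constructed sample instance with two volumes
                "InstanceId": "i-0123456789abcdef0",
                "SecurityGroups": [{"GroupId": "sg-web"}],
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                    {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}},
                ],
            }
        }
        self.snapshots = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.snapshots):017x}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId,
                               "Description": Description,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": snap_id, "VolumeId": VolumeId}


if __name__ == "__main__":
    client = FakeEC2()  # swap for boto3.client("ec2") in a real deployment
    print(json.dumps(isolate_and_snapshot(client, "i-0123456789abcdef0", "CASE-0001"), indent=2))
```

Isolation is deliberately performed before acquisition: the snapshot then reflects the state at containment, and any further network activity from the instance is blocked while the evidence is being copied. The manifest digest covers the original security groups and snapshot IDs, so the SOC can later prove that the evidence inventory it is analyzing is the one produced at acquisition time.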

This solution is intended for deployment in an enterprise by IT infrastructure and security architects, Incident Response team, security administrators, developers, and SecDevOps professionals who have practical experience with the AWS Cloud.

Note

We make no claim as to the suitability of Automated Forensics Orchestrator for Amazon EC2 in the detection or investigation of crime, nor the ability of data or forensics evidence captured by this solution to be used in a court of law. You should independently evaluate the suitability of Automated Forensics Orchestrator for Amazon EC2 for your use case.