How to Perform Forensic Investigation on an AWS Instance without a Public Key
Introduction
Performing a forensic investigation on an AWS EC2 instance can become complicated if access to the instance is lost or the SSH key is unavailable. Recently, I came upon a case where I did not have the private key to the instance. The only details I had were the AWS portal login and password.
The private key serves no purpose other than SSH authentication, so if we can reach the data without authenticating at all, we don't need the key. The cloud is just another computer, and so I figured out a way to make this work just like I would do it on a physical computer.
Here’s the process:
1. Detach the hard drive
2. Attach the hard drive to another machine
3. Access the data of our target system through the new machine.
Here’s a step-by-step guide on how to accomplish the same on AWS:
Step 1: Creating a Snapshot of the EBS Volume
The first step is to snapshot the EBS volume attached to the compromised EC2 instance (the volume ID is in the instance's block device mappings in the console or in describe-instances output). A snapshot is a point-in-time copy taken at the storage layer, so nothing is written to the instance and you do not need to stop it or log in to it. You can use the AWS CLI for this; note the SnapshotId it returns and wait for the snapshot to finish, since creation is asynchronous (snap-01234567890abcdef0 below stands for the ID returned by create-snapshot):
aws ec2 create-snapshot --volume-id vol-049df61146f12f951 --description "Forensic snapshot"
aws ec2 wait snapshot-completed --snapshot-ids snap-01234567890abcdef0
Step 2: Creating a New Volume from the Snapshot
Once the snapshot is complete, create a new volume from it. Create it in the availability zone where the analysis instance will run (a volume can only be attached to an instance in its own AZ), and note the VolumeId in the output: this is a new volume, separate from the original, and it is the one you attach in Step 4:
aws ec2 create-volume --availability-zone us-west-2a --snapshot-id snap-01234567890abcdef0
Step 3: Launching a New EC2 Instance
Next, launch a new EC2 instance in the same availability zone as the volume. This is the analysis machine that will act as a bridge to the data, and it uses a key pair you do control. Pin the AZ with --placement; otherwise the instance may land in a different AZ and the attach in Step 4 will fail:
aws ec2 run-instances --image-id ami-abcd1234 --count 1 --instance-type t2.micro --key-name MyKeyPair --placement AvailabilityZone=us-west-2a
Step 4: Attaching the New Volume to the New EC2 Instance
Attach the volume created in Step 2 to the analysis instance. Do not attach the original vol-049df61146f12f951: it stays on the compromised instance, and the evidence you examine is the copy. The device name passed here is only a hint to the guest: Xen-based instance types expose /dev/sdf as /dev/xvdf, while Nitro-based types expose EBS volumes as NVMe devices such as /dev/nvme1n1.
aws ec2 attach-volume --volume-id <VolumeId-from-Step-2> --instance-id i-01474ef662b89480 --device /dev/sdf
Step 5: SSH into the New EC2 Instance
Next, SSH into the analysis instance using its own key. Its public DNS name is in the describe-instances output (the us-west-2 form is shown here to match the AZ above):
aws ec2 describe-instances --instance-ids i-01474ef662b89480 --query 'Reservations[0].Instances[0].PublicDnsName' --output text
ssh -i "/path/my-key-pair.pem" ec2-user@ec2-198-51-100-1.us-west-2.compute.amazonaws.com
Step 6: Mounting the New Volume in Read-Only Mode
Create a mount point and mount the volume read-only so the evidence is not altered. Two details matter here. First, a root volume is partitioned, so mount the partition that holds the filesystem (find it with lsblk) rather than the bare disk. Second, plain ro is not enough for ext4 and XFS: both replay their journal on mount unless told not to, and an XFS clone built from the same AMI as the analysis instance also needs nouuid because the two filesystems share a UUID. Use whichever mount line matches your filesystem and device name:
sudo lsblk -f
sudo mkdir /my_new_volume
sudo mount -o ro,noload /dev/xvdf1 /my_new_volume                  # ext4, Xen-based instance type
sudo mount -o ro,norecovery,nouuid /dev/nvme1n1p1 /my_new_volume   # XFS, Nitro-based instance type
Step 7: Performing the Forensic Investigation
Finally, work under the mount point, treating it as a read-only image of the suspect system. The usual starting points are the logs under /var/log (auth.log or secure for SSH logins, cloud-init output), shell histories and authorized_keys files under /root and /home, cron entries, /etc/passwd and /etc/sudoers, and anything recent in /tmp. Hash the block device before you begin so you can show later that the copy was not changed, and never execute anything from the mounted tree.
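Steps 1 through 6 above collected into one script, as an added example that is not the original post's code. It assumes AWS CLI v2 with credentials configured for the control-plane half, root on the analysis instance for the guest half, and treats every ID, the availability zone and the mount point as placeholders. It goes beyond the text in two ways: on Nitro instances it locates the attached volume by its NVMe serial (the volume ID without the hyphen) instead of guessing /dev/xvdf, and it marks the disk read-only at the block layer and disables journal replay rather than relying on plain ro.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): snapshot -> volume -> attach -> mount.
# Control-plane functions run wherever the AWS CLI is configured; mount_evidence
# runs as root on the analysis instance. All IDs, the AZ and the mount point are placeholders.
set -u

# ---- pure helpers (no AWS access or root needed) ------------------------------

# Forensic-safe mount options per filesystem. Plain "ro" still replays the ext4/xfs
# journal on mount; nouuid lets an XFS clone mount even when the analysis instance
# was built from the same AMI and therefore shares the filesystem UUID.
mount_opts_for() {
  case "$1" in
    ext2|ext3|ext4) echo "ro,noload" ;;
    xfs)            echo "ro,norecovery,nouuid" ;;
    *)              echo "ro" ;;
  esac
}

# On Nitro instances an EBS volume appears as an NVMe device whose serial is the
# volume ID with the hyphen removed, so it can be found by ID rather than by
# attach order (NVMe numbering does not follow the --device hint).
ebs_nvme_serial() {
  printf '%s\n' "$1" | tr -d '-'
}

# Read `lsblk -ln -o NAME,FSTYPE <disk>` output on stdin and print the first
# partition (or whole disk) that carries a filesystem, followed by its type.
# Root volumes are partitioned, so mounting the bare disk would fail.
first_filesystem() {
  awk 'NF >= 2 { print "/dev/" $1, $2; exit }'
}

# ---- control plane: steps 1-4 ---------------------------------------------------

# Snapshot the suspect volume, build a fresh volume from it in the analysis AZ and
# attach it to the analysis instance. Prints the new volume ID (not the source ID).
prepare_evidence_volume() {
  src_vol="$1" az="$2" analysis_instance="$3"
  snap=$(aws ec2 create-snapshot --volume-id "$src_vol" \
           --description "Forensic snapshot of $src_vol" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  new_vol=$(aws ec2 create-volume --availability-zone "$az" --snapshot-id "$snap" \
              --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$analysis_instance" \
      --device /dev/sdf >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$new_vol"
  echo "$new_vol"
}

# ---- guest side: steps 5-6, run as root on the analysis instance -----------------

# Locate the attached volume by ID, make the whole disk read-only at the block
# layer (a software write blocker), record its hash for the evidence log, then
# mount the filesystem partition with journal replay disabled.
mount_evidence() {
  vol="$1" mnt="$2"
  disk="/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_$(ebs_nvme_serial "$vol")"
  [ -e "$disk" ] || disk=/dev/xvdf           # Xen-based instance types
  blockdev --setro "$disk"                    # before any mount touches it
  sha256sum "$disk" | tee -a /root/evidence-hashes.txt
  set -- $(lsblk -ln -o NAME,FSTYPE "$disk" | first_filesystem)
  [ $# -eq 2 ] || { echo "no filesystem found on $disk" >&2; return 1; }
  mkdir -p "$mnt"
  mount -t "$2" -o "$(mount_opts_for "$2")" "$1" "$mnt"
  mount | grep " $mnt "                       # confirm the ro options took effect
}

# Usage (control plane):
#   prepare_evidence_volume vol-049df61146f12f951 us-west-2a i-01474ef662b89480
# Usage (on the analysis instance, as root, with the ID printed above):
#   mount_evidence vol-<new id> /mnt/evidence
```

The hash is taken from the raw device before the filesystem is ever mounted, so it is reproducible later against the same volume or a re-created one from the same snapshot; blockdev --setro makes any accidental read-write mount fail outright rather than silently modify the copy.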
Conclusion
Losing SSH access to an EC2 instance does not bring the investigation to a halt. Because EBS snapshots are taken at the storage layer, you can copy the disk of an instance you cannot log into and examine it from one you can. Keep the evidence unaltered: leave the original instance and its volume as they are (stopping or terminating the instance discards its memory and any instance-store data), mount the copy read-only with journal replay disabled, and record hashes of what you examined. With these steps you can continue the investigation even without the key.