Daily Blog #672: AWS EBS Snapshot Block Access

Hello Reader,
     It's time for me to be side tracked. I've been exploring pancake viewer in the past few daily blogs, and I do plan to get back to that, but for now I read about something that AWS published back in December of 2019 (aka the before times), which you can read here:

https://aws.amazon.com/blogs/aws/new-programmatic-access-to-ebs-snapshot-content/

I don't remember what crossed my feed to direct me there but once I read it I knew at once this was something I needed to test. Let me explain.

1. This API is similar to one Microsoft has in Azure that allows you to access the individual 512k blocks that make up a VHD stored as a blob in Azure.
2. This API allows you, in the language of your choice, to read individual 512k blocks (think sectors) out of a snapshot.
3. That means you can triage an AWS snapshot like it was a physical disk, skipping through sectors rather than transferring/imaging the whole thing.

This is amazing and where the entire field of Cloud IR needs to go to be fast and silent. You can create a snapshot without an agent, a write blocker, or letting the attacker know you're there. Even better, with a quick Lambda you can do this automatically, kick off a triage process, and then have it email you when it's done.

This is the actual API call you make:
https://docs.aws.amazon.com/ebs/latest/APIReference/API_GetSnapshotBlock.html

I decided to test this out by spinning up a new free tier Amazon Linux AMI, giving it an Admin IAM role to access my EBS stores, and then from the CLI I created the snapshot. From within Python I then pulled and printed the first EBS block.

Also, in the video I thought I couldn't do this through the CLI; turns out I was just calling the wrong stub. You can absolutely do it through the CLI with the following command (the subcommand is the singular get-snapshot-block, and the CLI writes the block bytes to the outfile you name):
aws ebs get-snapshot-block --snapshot-id <snapshot-id> --block-index <block-index> --block-token <block-token> <outfile>

To me this is amazing and I plan to expand on this example in the coming week.

Watch below for a Test Kitchen of me grabbing the first block/sector out of the snapshot and getting the EFI header of my Amazon Linux AMI disk.
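As an added example (not the post's own code, which lives in the video): the same first-block pull done with boto3's `ebs` client, walking the block list with ListSnapshotBlocks, checking the SHA-256 checksum the API returns with every block, and reading the protective MBR and GPT header out of block 0 the way you would from the first sectors of a physical disk. The snapshot id is a placeholder, and the checksum and parsing functions run offline against a constructed block, so only the live run at the bottom needs AWS credentials.

```python
import base64
import hashlib
import struct
SECTOR = 512  # GetSnapshotBlock hands back 512 KiB blocks; inside them, disk sectors are 512 bytes

def block_checksum(data):
    """Base64 SHA-256 of the block, the form the API reports in its Checksum field."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def verify_block(data, checksum_b64, algorithm="SHA256"):
    # recompute what the API claims before trusting the bytes; SHA256 is the only algorithm defined
    return algorithm == "SHA256" and block_checksum(data) == checksum_b64

def parse_block0(data):
    """Triage block 0 like the first sectors of a disk: MBR in sector 0, GPT header in sector 1."""
    info = {
        "mbr_signature_ok": data[510:512] == b"\x55\xaa",
        "protective_mbr": data[446 + 4] == 0xEE,  # type byte of the first MBR partition entry
        "gpt": data[SECTOR:SECTOR + 8] == b"EFI PART",
    }
    if info["gpt"]:
        # little-endian GPT header: LBA fields start at offset 24, partition array info at offset 72
        cur, backup, first, last = struct.unpack_from("<QQQQ", data, SECTOR + 24)
        ent_lba, n_ent, ent_size = struct.unpack_from("<QII", data, SECTOR + 72)
        info.update(current_lba=cur, backup_lba=backup, first_usable_lba=first, last_usable_lba=last,
                    entries_lba=ent_lba, entries=n_ent, entry_size=ent_size)
    return info

def iter_blocks(client, snapshot_id):
    """Yield (BlockIndex, BlockToken) for each block holding data; never-written blocks are not listed."""
    kwargs = {"SnapshotId": snapshot_id}
    while kwargs:
        resp = client.list_snapshot_blocks(**kwargs)
        for blk in resp.get("Blocks", []):
            yield blk["BlockIndex"], blk["BlockToken"]
        kwargs = {"SnapshotId": snapshot_id, "NextToken": resp["NextToken"]} if resp.get("NextToken") else None

def fetch_block(client, snapshot_id, block_index, block_token):
    """Read one block and refuse it if the checksum does not match what the API claims."""
    resp = client.get_snapshot_block(SnapshotId=snapshot_id, BlockIndex=block_index, BlockToken=block_token)
    data = resp["BlockData"].read()
    if not verify_block(data, resp["Checksum"], resp.get("ChecksumAlgorithm", "SHA256")):
        raise IOError(f"checksum mismatch on block {block_index} of {snapshot_id}")
    return data

if __name__ == "__main__":  # live run: needs boto3 and a role allowed ebs:ListSnapshotBlocks + ebs:GetSnapshotBlock
    import boto3
    ebs, snap = boto3.client("ebs"), "snap-0123456789abcdef0"  # placeholder snapshot id
    index, token = next(iter_blocks(ebs, snap))  # expected to be block 0 on a disk with a partition table
    print(index, parse_block0(fetch_block(ebs, snap, index, token)))
```

Because the listing only returns blocks that were ever written, a gap in the block indexes is itself a triage signal: that part of the disk is untouched and there is nothing to pull.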


Daily Blog #672: AWS EBS Snapshot Block Access, by David Cowen, April 13, 2020
