Daily Blog #679: Snapshot 4n6ir Imager

Hello Reader,
   I've been documenting my own cloud DFIR research, but I'm far from alone in this journey. Today I wanted to put a spotlight on what could be a very useful tool if you're looking to up your AWS DFIR game. John Lukach has put out a Python script that makes use of the AWS EBS Block API I've been testing for a different purpose. While I've been noodling over the idea of live block-based triage, John focused on what is a bigger real problem for most examiners: dealing with encrypted EBS volumes and snapshots.

While I realized that the Block Token allowed for block-based snapshot decryption, I did not appreciate that the steps that come before it, restoring encrypted snapshots, were a bit more painful than most examiners cared for. What John's tool, called Snapshot 4n6ir Imager, does is utilize the AWS EBS Block API to retrieve the decrypted blocks from a snapshot and store them as a dd/raw image wherever you run it from.

I know John is actively working on this and recently put out a Docker container that has it working as well. So if you were looking for a building block in your automation pipeline to create dd images out of snapshots rather than attaching volumes, this is a good solution!
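To make the approach concrete, here is the core loop such an imager runs against the EBS direct APIs, written as an added example for this post (it is not John's tool or code from his project): page through ListSnapshotBlocks, fetch each allocated block with its Block Token via GetSnapshotBlock, verify the SHA-256 checksum the service returns, and write the block at BlockIndex * BlockSize in a raw image, leaving never-written blocks as zero-filled holes. The FakeEbsClient is a constructed stand-in for boto3.client('ebs') so the example runs offline; against AWS you would pass the real client and a snapshot ID, and the calling identity needs ebs:ListSnapshotBlocks, ebs:GetSnapshotBlock and, for encrypted snapshots, kms:Decrypt on the snapshot's key.

```python
import base64, hashlib, io, os, tempfile

BLOCK_SIZE = 512 * 1024  # EBS direct APIs serve snapshot data in 512 KiB blocks

def sha256_b64(data):  # GetSnapshotBlock's Checksum: base64 of the raw SHA-256 digest
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def image_snapshot(ebs, snapshot_id, out_path):
    """Lay each allocated block down at BlockIndex * BlockSize in a raw (dd) image.
    Unallocated blocks stay zero-filled holes. Returns (blocks_written, image_bytes)."""
    written, token = 0, None
    with open(out_path, "wb") as img:
        while True:  # ListSnapshotBlocks pages with NextToken
            page = ebs.list_snapshot_blocks(SnapshotId=snapshot_id,
                                            **({"NextToken": token} if token else {}))
            img.truncate(page["VolumeSize"] * 1024 ** 3)  # VolumeSize is in GiB
            for blk in page["Blocks"]:
                resp = ebs.get_snapshot_block(SnapshotId=snapshot_id,
                    BlockIndex=blk["BlockIndex"], BlockToken=blk["BlockToken"])
                data = resp["BlockData"].read()
                if sha256_b64(data) != resp["Checksum"]:  # never image unverified bytes
                    raise ValueError(f"checksum mismatch at block {blk['BlockIndex']}")
                img.seek(blk["BlockIndex"] * page["BlockSize"]); img.write(data)
                written += 1
            token = page.get("NextToken")
            if not token:
                break
    return written, os.path.getsize(out_path)

class FakeEbsClient:
    """Constructed stand-in for boto3.client('ebs'): same calls and response shapes, a 1 GiB snapshot with only the given blocks allocated."""
    def __init__(self, blocks):
        self.blocks = blocks  # {BlockIndex: bytes}
    def list_snapshot_blocks(self, SnapshotId, NextToken=None):
        return {"BlockSize": BLOCK_SIZE, "VolumeSize": 1, "Blocks": [
            {"BlockIndex": i, "BlockToken": f"tok-{i}"} for i in sorted(self.blocks)]}
    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self.blocks[BlockIndex]
        return {"BlockData": io.BytesIO(data), "Checksum": sha256_b64(data)}

def demo():  # image a constructed two-block snapshot, then read back what landed where
    ebs = FakeEbsClient({0: b"\x55\xaa" * (BLOCK_SIZE // 2), 7: b"EVIDENCE".ljust(BLOCK_SIZE, b"\0")})
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "snap-constructed.dd")
        written, size = image_snapshot(ebs, "snap-constructed", path)
        with open(path, "rb") as f:
            head = f.read(2)
            f.seek(3 * BLOCK_SIZE); hole = f.read(16)      # block never written
            f.seek(7 * BLOCK_SIZE); evidence = f.read(8)
    return written, size, head, evidence, hole
```

The image ends up the full volume size (1 GiB here) while only the two allocated blocks are transferred, which is also why the checksum check matters: a block that fails verification should be re-fetched, not silently written into evidence.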

You can read more here:
https://cloud.4n6ir.com/projects/snapshot-4n6ir-imager-initial-release/index.html
David Cowen, April 20, 2020
