Daily Blog #679: Snapshot 4n6ir Imager

Snapshot 4n6ir Imager

Hello Reader,
   I've been documenting my own cloud DFIR research but i'm far from alone in this journey. Today I wanted to provide a spotlight on what could be a very useful tool if your looking to up your AWS DFIR game. John Lukach has put out a python script that makes use the AWS EBS Block API I've been testing for a different purpose. While I've been noodling over the idea of live block based triage John focused on what is a bigger real problem for most examiners and that is dealing with encrypted EBS volumes and snapshots.

While I realized that the Block Token allowed for block based snapshot decryption I did not appreciate that the steps prior to deal with restoring encrypted snapshots was a bit more painful than most examiners cared for. What John's tool called Snapshot 4n6ir Imager does is utilized the AWS EBS Block API to retrieve the decrypted blocks from a snapshot and store it as a dd/raw image where you run it from.

I know John is actively working on this and recently put out a Docker container that has it working as well. So if you were looking for a building block in your automation pipeline to create dd images out of snapshots rather than attaching volumes this is a good solution!

You can read more here:

Also Read: Daily Blog #678

Post a Comment