# Cloud Forensics

Cloud evidence collection, API forensics, container forensics, and investigation.

## Overview

Cloud forensics is the collection, preservation and analysis of evidence from security incidents in cloud environments, where the primary evidence is provider API activity and service logs rather than a physical disk.
## Evidence Sources
| Source | Provider |
|---|---|
| CloudTrail | AWS |
| Activity Log | Azure |
| Audit Log | GCP |
| VPC Flow Logs | AWS |
| NSG Flow | Azure |
## AWS Forensics

```bash
# Snapshot the suspect EBS volume (point-in-time copy; the original stays untouched)
aws ec2 create-snapshot \
    --volume-id vol-1234567890abcdef0 \
    --description "Forensic snapshot"

# Launch a clean analysis instance in the forensic environment
aws ec2 run-instances \
    --image-id ami-forensic \
    --instance-type t3.micro \
    --security-group-ids sg-forensic

# Share the snapshot with the forensic account (placeholder account id), then
# copy it from that account; copy-snapshot on its own only moves it between regions
aws ec2 modify-snapshot-attribute \
    --snapshot-id snap-1234567890abcdef0 \
    --attribute createVolumePermission \
    --operation-type add \
    --user-ids 111122223333
aws ec2 copy-snapshot \
    --source-region us-east-1 \
    --source-snapshot-id snap-1234567890abcdef0 \
    --destination-region us-west-2
```
## Container Forensics

```bash
# Capture the container filesystem (writable layer plus image content, not mounted volumes)
docker export container_id > container.tar

# Inspect a running container interactively (this alters container state; do it after export and logs)
docker exec -it container_id /bin/sh

# Capture container stdout/stderr logs
docker logs container_id > container.log
```
## Evidence Collection

```python
# Cloud evidence collection
# The get_* helpers are assumed to be defined elsewhere (not shown on this page);
# each returns the raw artefact for the given account.
def collect_cloud_evidence(account_id):
    evidence = {
        "cloudtrail": get_cloudtrail_logs(account_id),    # API activity
        "vpc_flow": get_vpc_flow_logs(account_id),        # network flow records
        "config": get_config_history(account_id),         # resource configuration history
        "guardduty": get_guardduty_findings(account_id),  # detector findings
    }
    return evidence
```
## Investigation Steps
1. Isolate → Contain the incident
2. Collect → Gather cloud evidence
3. Preserve → Secure evidence
4. Analyze → Investigate logs
5. Report → Document findings
## Best Practices
- Enable logging — CloudTrail, Flow Logs
- Automate collection — Lambda functions
- Secure storage — Encrypted buckets
- Chain of custody — Document everything
- Cross-account — Isolate forensics
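The evidence dictionary returned by `collect_cloud_evidence()` above and the chain-of-custody practice in this list meet in the custody manifest: every artefact is hashed at collection time and re-hashed before analysis. The block below is an added example, not code from the original page; the evidence payloads are constructed stand-ins for what the page's `get_*` helpers would return, and `build_manifest()` / `verify_manifest()` are hypothetical names. The same manifest works for a `container.tar` from `docker export`.

```python
"""Evidence manifest with SHA-256 digests for chain of custody.

Added example (not from the original page). SAMPLE_EVIDENCE is constructed;
build_manifest() and verify_manifest() are hypothetical names.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence, keyed by source as collect_cloud_evidence()
# returns it: the raw bytes of each artefact.
SAMPLE_EVIDENCE = {
    "cloudtrail": b'{"Records":[{"eventName":"StopLogging","eventTime":"2024-05-01T10:00:00Z"}]}',
    "vpc_flow": b"2 123456789012 eni-0a1b2c3d 10.0.0.5 198.51.100.7 443 51000 6 10 840 1714557600 1714557660 ACCEPT OK\n",
    "config": b'{"configurationItems":[]}',
    "guardduty": b'{"Findings":[]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest_body: dict) -> bytes:
    # Canonical JSON so the manifest digest does not depend on key order.
    return json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence, account_id, collector, collected_at=None):
    """Return a custody manifest: one entry per artefact plus a digest of the manifest itself."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = [
        {"source": source, "size": len(payload), "sha256": sha256_hex(payload)}
        for source, payload in sorted(evidence.items())
    ]
    manifest = {
        "account_id": account_id,
        "collector": collector,
        "collected_at": collected_at,
        "artefacts": entries,
    }
    # Seal the manifest body so edits to the record (not just the artefacts) are detectable.
    manifest["manifest_sha256"] = sha256_hex(_canonical(manifest))
    return manifest


def verify_manifest(manifest, evidence):
    """Re-hash every artefact; return the sources that no longer match ('<manifest>' if the record was edited)."""
    tampered = []
    for entry in manifest["artefacts"]:
        payload = evidence.get(entry["source"])
        if payload is None or sha256_hex(payload) != entry["sha256"]:
            tampered.append(entry["source"])
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest["manifest_sha256"]:
        tampered.append("<manifest>")
    return tampered


if __name__ == "__main__":
    m = build_manifest(SAMPLE_EVIDENCE, "123456789012", "analyst@example")
    print(json.dumps(m, indent=2))
    print("tampered:", verify_manifest(m, SAMPLE_EVIDENCE))
```

Store the manifest next to the artefacts in the encrypted, cross-account evidence bucket and keep a copy outside it; `verify_manifest()` run at hand-over is the record that nothing changed in between.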
## Practice
Investigate a cloud security incident using AWS CloudTrail logs.
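A CloudTrail investigation starts with a timeline and a first pass for events that weaken visibility or create new credentials. The block below is an added example, not code from the original page: the records are constructed samples in CloudTrail's JSON record shape, the event-name sets are a starting list rather than a complete one, and `load_records()`, `build_timeline()`, `flag_records()` and `pivot_by_ip()` are hypothetical names.

```python
"""Triage of AWS CloudTrail records: timeline, flags, and a pivot by source IP.

Added example (not from the original page). SAMPLE_LOG is constructed;
function names are hypothetical.
"""
import json
from collections import Counter

# Constructed sample: the body of one CloudTrail log file (normally gzipped in S3).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-05-01T10:00:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2024-05-01T10:01:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole", "userName": "app-role"}},
]})

# API calls that reduce visibility; any one of them deserves a look.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                  "DeleteFlowLogs", "DeleteDetector", "DisableSecurityHub"}
# API calls that create new ways into the account.
CREDENTIAL_CREATION = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy"}


def load_records(log_body: str):
    """Parse one CloudTrail log file and return its records oldest first."""
    records = json.loads(log_body)["Records"]
    return sorted(records, key=lambda r: r["eventTime"])


def actor(record) -> str:
    """Compact 'type:name' for the principal behind a record."""
    ident = record.get("userIdentity", {})
    return f'{ident.get("type", "?")}:{ident.get("userName", ident.get("arn", "?"))}'


def build_timeline(records):
    """One line per event: time, actor, API call, source IP, and any error code."""
    return [
        f'{r["eventTime"]} {actor(r)} {r["eventName"]} from {r.get("sourceIPAddress", "?")}'
        + (f' ERROR={r["errorCode"]}' if r.get("errorCode") else "")
        for r in records
    ]


def flag_records(records):
    """Tag records of interest: logging tampering, credential creation, denied calls."""
    flagged = []
    for r in records:
        reasons = []
        if r["eventName"] in LOGGING_TAMPER:
            reasons.append("logging-tamper")
        if r["eventName"] in CREDENTIAL_CREATION:
            reasons.append("credential-creation")
        if r.get("errorCode"):
            reasons.append("denied")
        if reasons:
            flagged.append((r["eventTime"], r["eventName"], actor(r), reasons))
    return flagged


def pivot_by_ip(records, ip: str):
    """Every API call made from one source IP, counted by event name."""
    return Counter(r["eventName"] for r in records if r.get("sourceIPAddress") == ip)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("\n".join(build_timeline(recs)))
    for item in flag_records(recs):
        print("FLAG", item)
    print(pivot_by_ip(recs, "203.0.113.10"))
```

On the sample, the flags alone tell the story: a new access key, then logging stopped, then a denied attempt to launch instances, all from one address; the pivot by that address is the next question to answer across every trail and region.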