Cloud Forensics using EBS Boot Volumes

By George Reese
January 3, 2010

In December, Amazon introduced a new feature for their cloud: EBS Boot Volumes. An EBS boot volume essentially provides the ability to boot from a virtual SAN. This new approach to booting virtual machines offers up a wealth of new capabilities in the Amazon Cloud. The security use of EBS volumes I find most intriguing, however, is cloud-based forensics.

When I use the term "forensics" in this article, I am using that term a bit loosely. In particular, I am referring to leveraging EBS boot volumes during an investigation of a system compromise to determine what happened to a system after the fact. The role of EBS volumes in any legal investigations—including the admissibility into a court of law of information gained from the techniques I describe—is not an aspect of forensics I am addressing nor am I remotely qualified to address that issue.

George Reese is the author of Cloud Application Architectures: Building Applications and Infrastructure in the Cloud.


Forensics the Old Way

Prior to the use of EBS volumes, you created new virtual servers from boot images installed onto a virtual local disk drive. When you shut down a server created from one of these old-style boot images, all data on its ephemeral drives, including the boot volume, is permanently lost.

The key to forensics is freezing the environment as close to the point of compromise as possible. The best way to accomplish your forensics objectives is to get a copy of the system data (both file system and memory) and save it offline for your forensics investigation. It's also critical to get the server offline as quickly as possible to minimize the impact of the breach.

If the compromise you are investigating relates to tainted components on your boot volume, these objectives are difficult to accomplish under the traditional model of booting in AWS. You need to attach a forensics volume to your server and dump memory and your root file system to that forensics volume. This process is time consuming and can easily result in tainted data.

The scenario isn't much better for other clouds. Though most other clouds support persistent servers whose root volume data survives a shutdown, it's not terribly easy to get an offline copy of that data. Their key advantage over AWS from a compromise perspective is that you can take the server offline without destroying the data. Actually making use of that data for forensics purposes, however, requires intervention from your cloud provider.

Forensics with EBS Volumes

With an EBS-based server in the Amazon cloud, you have the ability to snapshot your boot volume (and any other attached volumes) the moment you learn about a compromise. A snapshot takes just a few seconds and then you can take the compromised server offline.

With the compromised server offline, you can begin the forensics process by attaching copies of the snapshot you took before taking the server offline to cloud-based servers. You simply create a volume from the compromised snapshot and attach it to a running instance. You can even run tests against the data, knowing that the snapshot itself remains a pristine copy of the compromise state.

In short, the process of supporting cloud-based forensics with EBS volumes includes these steps:

  1. Put together your OS image with an intrusion detection system (IDS) installed.
  2. Image that system as an EBS boot volume.
  3. Thanks to the IDS, you will hopefully get early warning of a compromise.
  4. Make a snapshot of all attached volumes, including your EBS boot volume.
  5. Terminate the instance in question.
  6. Bring up a replacement instance to keep your systems running.
  7. Create volumes from your compromised snapshots and attach them to a forensics server.
  8. Investigate the breach on the forensics server and identify the vulnerability.
  9. Patch your EBS volume from which you launch instances.
  10. Gradually roll out the patch.
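The snapshot-then-terminate and evidence-attach steps above (steps 4, 5 and 7, and the snapshot/attach workflow described in the two preceding sections) as an added shell example driven by the AWS CLI. This is not code from the original article; it assumes the `aws` CLI is installed and configured with rights to describe, snapshot and terminate instances and to create and attach volumes, and the instance ids and case id are placeholders supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the `aws` CLI is
# installed and configured; instance ids and the case id are placeholders.
set -eu

# Every EBS volume attached to the instance, root volume included.
list_instance_volumes() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
    --output text
}

# Snapshot one volume, tagging it with the case id and the source instance and
# volume so each piece of evidence can be traced back later. Prints the snapshot id.
snapshot_volume() {
  vol=$1; case_id=$2; src=$3
  aws ec2 create-snapshot --volume-id "$vol" \
    --description "forensics case $case_id: $vol from $src" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Case,Value=$case_id},{Key=SourceInstance,Value=$src},{Key=SourceVolume,Value=$vol}]" \
    --query SnapshotId --output text
}

# Steps 4 and 5: snapshot every attached volume, wait until every snapshot is
# complete, and only then terminate the instance. Prints one snapshot id per line.
freeze_and_terminate() {
  instance=$1; case_id=$2; snaps=""
  for vol in $(list_instance_volumes "$instance"); do
    snap=$(snapshot_volume "$vol" "$case_id" "$instance")
    snaps="$snaps $snap"
  done
  [ -n "$snaps" ] || { echo "no EBS volumes found on $instance" >&2; return 1; }
  # shellcheck disable=SC2086  (word splitting of $snaps is intended)
  aws ec2 wait snapshot-completed --snapshot-ids $snaps
  aws ec2 terminate-instances --instance-ids "$instance" >/dev/null
  printf '%s\n' $snaps
}

# Step 7: build a fresh volume from each snapshot in the forensics instance's
# availability zone and attach it as /dev/sdf, /dev/sdg, ... (up to 11 volumes).
# The snapshot itself is never written to, so the pristine copy survives any test.
attach_evidence() {
  forensics=$1; shift
  az=$(aws ec2 describe-instances --instance-ids "$forensics" \
    --query 'Reservations[].Instances[].Placement.AvailabilityZone' --output text)
  letters="f g h i j k l m n o p"
  for snap in "$@"; do
    letter=${letters%% *}; letters=${letters#* }
    vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
      --query VolumeId --output text)
    aws ec2 wait volume-available --volume-ids "$vol"
    aws ec2 attach-volume --volume-id "$vol" --instance-id "$forensics" \
      --device "/dev/sd$letter" >/dev/null
    echo "$snap -> $vol on /dev/sd$letter"
  done
}

# Usage: sh ebs_forensics.sh <compromised-instance-id> <forensics-instance-id> <case-id>
if [ $# -eq 3 ]; then
  snaps=$(freeze_and_terminate "$1" "$3")
  # shellcheck disable=SC2086
  attach_evidence "$2" $snaps
fi
```

Two points worth keeping in mind when running something like this: the script deliberately waits for every snapshot to reach the completed state before it terminates the instance, because terminating first would destroy the source volumes of any snapshot still in progress; and an EBS snapshot captures disk only, so the memory image the article mentions exists only while the instance is still running and has to be acquired separately before step 5.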

Because of the combination of cloud computing and EBS volumes, you can now:

  • Reduce the duration of impairment (the time between compromise and return to normal operations)
  • Increase time for investigation
  • Make it easier to execute tests on the compromised data
  • More quickly roll out patches based on your investigation

In addition, EBS volumes may make the use of cloud forensics easier in a court of law since the chain of custody of the evidence is easier to prove than with other cloud-based forensics.
