-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
chrisdoman
authored
Aug 9, 2021
1 parent
356e4ae
commit 0c34b8e
Showing
1 changed file
with
54 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,54 @@ | ||
| # AWS_EKS_Cluster_Forensics | ||
| AWS EKS Cluster Forensics | ||
| ``` | ||
| _____ _ _____ _ _ __ _ _ | ||
| | | ___ _| | ___ | __| ___ ___ _ _ ___ |_|| |_ _ _ | | | |_ _| | | ||
| | --|| .'|| . || . | |__ || -_|| _|| | || _|| || _|| | | | |__ | _|| . | | ||
| |_____||__,||___||___| |_____||___||___||___||_| |_||_| |_ | |_____||_| |___| | ||
| |___| | ||
| ================================================================================== | ||
| ================================================================================== | ||
| ================================================================================== | ||
| ======Cado Security Presentation - Evidence Files SANS DFIR Conference 2021======= | ||
| ================================================================================== | ||
| Attached are the files associated with the Cado Security SANS Presentation "buff your | ||
| cloud game". Where James Campbell and Allan Carchrie presented the value of forensically | ||
| analysing multiple data sources when it comes to cloud investigations. This investigation | ||
| is based on a AWS Kubernetes that has been compromised, and the associated log sources | ||
| that can be made available through AWS Cloud. For the full presentation, and outline | ||
| please refer to the blog and presentation at cadosecurity.com | ||
| =================================================================================== | ||
| =================================================================================== | ||
| This data has been provided to the digital forensics community to provide a resource | ||
| where people can learn how to do forensics in Amazon Cloud environments, and the useful | ||
| data sources that can be captured. This is intended for training all levels from students | ||
| to active incident response experts/consultants and is not for commercial use. | ||
| ==================================================================================== | ||
| ==================================================================================== | ||
| The data sources made avaliable within the 7zip file, include, | ||
| 1) cado_cloud_collector_i-06308..._20GB_1625678779.dd.gz (which is the raw forensic | ||
| AWS EKS node image collected by Cado Response. This is a raw DD file Gzipped) | ||
| 2) AWS Log files | ||
| ---a) kube-apiserver* (Kube api audit logs) | ||
| ---b) eni-* (AWS VPC flow logs for the AWS EKS cluster) | ||
| ---c) cloudtrial* - (AWS Cloud Trail Logs) | ||
| ---d) Authenticator* (AWS authentication logs for AWS EKS role/cluster) | ||
| SHA256 - 2b865d36bf7295adae5545d40be389803a841808a162d603e18a92da38a6c2ed CadoSecurity-CloudForensics-SANS_DFIR2021-Files.7z | ||
| MD5SUM - 4f486a34ad478a33f5df94dde1a3c6b3 CadoSecurity-CloudForensics-SANS_DFIR2021-Files.7z | ||
| 7z files are associated with the 7zip application, other utilities like WinRAR will work to. | ||
| ------------------------------------------------------------------------------------ | ||
| For a full description of the data, and key events to get you started checkout the | ||
| presentation linked via the blog on cadosecurity.com | ||
| After being decompressed, all log files can be viewed either by your favourite text editor, | ||
| or be parsed into your favourite solution. | ||
| ==================================================================================== | ||
| Have Fun! From The Cado Security Team! @CadoSecurity | ||
| ``` |