From 0c34b8ee46bee8c15651db5783d0604f415c8d88 Mon Sep 17 00:00:00 2001 From: chrisdoman Date: Mon, 9 Aug 2021 20:40:52 +0100 Subject: [PATCH] Initial Commit --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bdca02d..e14aee9 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,54 @@ -# AWS_EKS_Cluster_Forensics -AWS EKS Cluster Forensics +``` + _____ _ _____ _ _ __ _ _ +| | ___ _| | ___ | __| ___ ___ _ _ ___ |_|| |_ _ _ | | | |_ _| | +| --|| .'|| . || . | |__ || -_|| _|| | || _|| || _|| | | | |__ | _|| . | +|_____||__,||___||___| |_____||___||___||___||_| |_||_| |_ | |_____||_| |___| + |___| + +================================================================================== +================================================================================== +================================================================================== +======Cado Security Presentation - Evidence Files SANS DFIR Conference 2021======= +================================================================================== + +Attached are the files associated with the Cado Security SANS Presentation "buff your +cloud game". Where James Campbell and Allan Carchrie presented the value of forensically +analysing multiple data sources when it comes to cloud investigations. This investigation +is based on a AWS Kubernetes that has been compromised, and the associated log sources +that can be made available through AWS Cloud. For the full presentation, and outline +please refer to the blog and presentation at cadosecurity.com + +=================================================================================== +=================================================================================== + +This data has been provided to the digital forensics community to provide a resource +where people can learn how to do forensics in Amazon Cloud environments, and the useful +data sources that can be captured. This is intended for training all levels from students +to active incident response experts/consultants and is not for commercial use. + +==================================================================================== +==================================================================================== + +The data sources made avaliable within the 7zip file, include, +1) cado_cloud_collector_i-06308..._20GB_1625678779.dd.gz (which is the raw forensic +AWS EKS node image collected by Cado Response. This is a raw DD file Gzipped) +2) AWS Log files +---a) kube-apiserver* (Kube api audit logs) +---b) eni-* (AWS VPC flow logs for the AWS EKS cluster) +---c) cloudtrial* - (AWS Cloud Trail Logs) +---d) Authenticator* (AWS authentication logs for AWS EKS role/cluster) +SHA256 - 2b865d36bf7295adae5545d40be389803a841808a162d603e18a92da38a6c2ed CadoSecurity-CloudForensics-SANS_DFIR2021-Files.7z +MD5SUM - 4f486a34ad478a33f5df94dde1a3c6b3 CadoSecurity-CloudForensics-SANS_DFIR2021-Files.7z +7z files are associated with the 7zip application, other utilities like WinRAR will work to. + +------------------------------------------------------------------------------------ +For a full description of the data, and key events to get you started checkout the +presentation linked via the blog on cadosecurity.com +After being decompressed, all log files can be viewed either by your favourite text editor, +or be parsed into your favourite solution. + +==================================================================================== + +Have Fun! From The Cado Security Team! @CadoSecurity + +```