I thought I’d just focus on a small script for this post. The idea is to build the necessary tool (the LiME kernel module, a .ko file) on a test instance launched from a copy (AMI) of the infected host, and then use that module on the infected host itself, which hopefully keeps the footprint on the compromised machine light. The script does the following:
- Create an AMI of the “infected” instance
- Create a test instance from that AMI and assign it a role (more info below)
- Download LiME and build the .ko file on the test instance
- Upload the .ko file to S3 and terminate the test instance
- Download the .ko file to the running infected host and dump memory to a file
- Upload the memory dump file to S3
This role has to allow SSM commands and S3 uploads/downloads. Under IAM, I attached the AmazonEC2RoleforSSM managed policy to my ForensicsRole.
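Here is an added example of how those steps look as an AWS CLI script (this is not the post's own script): it assumes both the infected host and the builder carry the ForensicsRole instance profile, that the hosts run Amazon Linux (yum), that an S3 bucket named in EVIDENCE_BUCKET receives the artefacts, and that the AWS CLI is installed on the hosts. The `aws_cli` wrapper and its DRY_RUN mode are my additions so the call sequence can be reviewed before touching a live incident.

```shell
#!/bin/sh
# Added example (not the post's script). Assumptions: ForensicsRole instance
# profile on both hosts, Amazon Linux (yum), AWS CLI present, evidence bucket
# in $EVIDENCE_BUCKET. DRY_RUN=1 records the aws calls in $DRY_RUN_LOG only.
aws_cli() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'aws %s\n' "$*" >> "${DRY_RUN_LOG:-/tmp/lime_dry_run.log}"
        echo "dry-run-id"          # stands in for the id a real call returns
    else
        command aws "$@"
    fi
}

# Run shell commands on an instance through SSM and block until they finish.
ssm_run() {
    inst=$1; shift
    cmds=$(printf '"%s",' "$@" | sed 's/,$//')
    cid=$(aws_cli ssm send-command --instance-ids "$inst" \
        --document-name AWS-RunShellScript \
        --parameters "{\"commands\":[$cmds]}" \
        --query Command.CommandId --output text)
    aws_cli ssm wait command-executed --command-id "$cid" --instance-id "$inst"
}

main() {
    infected=$INFECTED_INSTANCE; bucket=$EVIDENCE_BUCKET
    # --no-reboot matters: create-image reboots by default, which would wipe
    # the very memory we are about to acquire from the infected host.
    ami=$(aws_cli ec2 create-image --instance-id "$infected" --no-reboot \
        --name "lime-build-$infected" --query ImageId --output text)
    aws_cli ec2 wait image-available --image-ids "$ami"
    builder=$(aws_cli ec2 run-instances --image-id "$ami" --instance-type t3.micro \
        --iam-instance-profile Name=ForensicsRole \
        --query 'Instances[0].InstanceId' --output text)
    aws_cli ec2 wait instance-status-ok --instance-ids "$builder"
    # $(uname -r) is left unexpanded so it resolves on the remote host; the .ko
    # is named by kernel release, so a kernel mismatch shows up as a missing object.
    ssm_run "$builder" \
        'yum install -y gcc git make kernel-devel-$(uname -r)' \
        'git clone https://github.com/504ensicsLabs/LiME /tmp/LiME' \
        'make -C /tmp/LiME/src' \
        "aws s3 cp /tmp/LiME/src/lime-\$(uname -r).ko s3://$bucket/"
    aws_cli ec2 terminate-instances --instance-ids "$builder"
    # On the infected host: fetch the module, dump RAM to a file (as in the
    # post; a freshly attached volume would disturb less on-disk evidence), ship it.
    ssm_run "$infected" \
        "aws s3 cp s3://$bucket/lime-\$(uname -r).ko /tmp/lime.ko" \
        'insmod /tmp/lime.ko path=/tmp/$(hostname).lime format=lime' \
        "aws s3 cp /tmp/\$(hostname).lime s3://$bucket/" \
        'rmmod lime'
}

if [ -n "${INFECTED_INSTANCE:-}" ]; then main; fi
```

Run it as `INFECTED_INSTANCE=i-... EVIDENCE_BUCKET=my-bucket sh lime.sh`; add `DRY_RUN=1` to see the nine aws calls it would make without executing any of them.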
I now have the memory dump sitting in S3. Next it is time to find some Volatility profiles for Amazon Linux and validate the dump against them. I know they exist...
Thanks for reading!
P.S. I may or may not have run this script with that easy-button policy (AdministratorAccess).