Creating a memory dump of a Windows EC2 instance with Alexa and SSM

A while back, I wondered how hard it would be to capture the memory of an instance using AWS services and Alexa, then I realized…wait a sec I could probably figure that out myself with some effort.

For this lengthy walk through, I used the following components during this walk through:

  • S3 to store our executable and memory dump
  • A 2016 Windows host + IAM Role w/ access S3 and SSM
  • Systems Manager to check the agent health
  • Lambda function+ necessary IAM permissions to execute lambda function
  • Alexa Developer Portal to set up the skill

As usual, Github Project Repo here for this tutorial. And…off we go!

P.S. I added a summary at the end of the steps since I know there’s a lot to unpack here. Thank you for the feedback good sir (you know who you are).

S3 Config

The S3 folder structure:

my-forensics-bucket/
— tools/
— — winpmem_1.6.2.exe
— evidence/

IAM Instance Role

Image for post
Image for post

And since I was already in IAM, I also created the policy needed for the future lambda function. I added the policy (JSON) to this project’s repo for a quick copy + paste. Here is what the policy (to be attach to the Lambda function later) looks like:

Image for post
Image for post

Windows Hosts

I did see AWS has released some 2019 Windows base image?

Image for post
Image for post

I clicked through all the default settings except:

Tagging: I’m going to call this instance Tim as a shout out to my buddy who helped rekindle my interest in digital forensics. Plus we get to say “Capture Tim” to Alexa.

Image for post
Image for post

I opened the Remote Desktop port to My IP. Please set this to your IP and NOT 0.0.0.0/0 please.

Image for post
Image for post

After creation, I attached the IAM Role created earlier. I gave the server about 5–10 minutes (and you have to wait anyways to log into Windows hosts after initial launch anyways) to boot/setup/connect. Then, I logged into this server and installed the awscli.

I just went to this URL using Internet Explorer (be prepare to battle all the security pop-ups), downloaded the MSI and installed like any other Windows software.

I opened Powershell and verified that the AWS CLI was installed:

Image for post
Image for post

Next, I launched Calculator and minimized the RDP window.

Image for post
Image for post
Over 9000??

System Manager

Notice the agent version is blank…

Image for post
Image for post

Using the Run Command and selecting the AmazonInspector-ManageAWSAgent document.

Side note: Has anyone had success running the AWS-UpdateSSMAgent Document to get the agent healthy and displaying their version? My default was always to reinstall the agent and move on.

Image for post
Image for post

I manually selected the Tim instance.

Image for post
Image for post

I disabled any outputs for this — up to you if you want to do the same.

Image for post
Image for post

Then I ran the Run command and switched back to check the Agent health.

Image for post
Image for post

See how the Agent Version is listed now?

Image for post
Image for post

Alexa

Image for post
Image for post

You’ll take the Skill ID listed here and plug it into the Lambda function (coming up next!).

Lambda

mkdir medium-alexa-inspector-tutorial
cd medium-alexa-forensics-tutorial
virtualenv --python=/usr/local/bin/python3.7 .
source bin/activate
pip install boto3
pip install ask-sdk
deactivate
vi lib/python3.7/site-packages/lambda_function.py
# copy + paste + save code from github repo found here:
#
https://github.com/pyraven/alexa-memory-forensics-guide/blob/master/lambda_function.py
cd lib/python3.7/site-packages/
zip -r9 lambda_package.zip .

Of course, I suggest reading the code and understanding what it’s doing. Heck, make improvements?

After the zip was created, I uploaded it. Don’t forget to ensure the handler matches the python file name.

Image for post
Image for post

If you don’t have the existing role lambda_basic_execution, you can create it by clicking Custom Role.

Image for post
Image for post

To give the function more time to process the request, I increased the timeout from 3 seconds to 1 minutes. Adjust as necessary. To specify the bucket for uploading, I set the environment variable here.

Image for post
Image for post

You’ll see in the python code to reference this environment variable when running.

# line 24
bucket = os.environ[‘Bucket’]

Next, I added an Alexa Skills kit. I copy/pasted the Alexa’s Skill ID from earlier here and the ARN (Amazon Resource Name) of the Lambda function to the default endpoint location under the Alexa Developer portal. You’ll then save and build your model.

If this is slightly confusing and you’d like more screenshots examples, I have a few more detailed examples in my previous Alexa articles.

Bringing all that hard work together

Image for post
Image for post

Switching back to the Windows instance, I watched the files be downloaded, and executable ran.

Image for post
Image for post
I know the winpmem.exe file date looks old but I can confirm the exe wasn’t on the host before the command was run.

After the memory dump (1 GB file) was created, it was uploaded to S3 within 2 minutes.

Image for post
Image for post

I downloaded the file to my Macbook to test with Volatility — an open-source memory forensics framework. I ran imageinfo to get a profile suggestion to begin analyzing.

Image for post
Image for post

Using one of the profiles, I was able to grep out the calculator app launched earlier (and even the one I launched last night since I left the server on).

Image for post
Image for post

Fair warning: I’m not an expert but forensics has always been intriguing to me. I hope someone finds this proof of concept useful in some way.

TL; DR the whole thing, summarize?

  • I set up an S3 bucket containing the executable and some folder to store evidence (raw memory dump)
  • Create two roles; one to attach to our ec2 instance it can be managed System Manager and upload/download files from S3 and the other role allows our Lambda function to execute SSM commands (which perform the memory capture and upload to S3)
  • Set up a Windows host, named it Tim, attached role (mentioned in the last bulletin), logged in to install AWSCLI, and launch the calculator app.
  • Switched over to System’s Manager to force the agent to phone home and update. Notice how we didn’t know the agent version until after the run command was pushed?
  • Create a custom lambda function, set the timeout and environment variable, uploaded to code, and configured the Alexa’s skill kit.
  • For the Alexa skill, I imported the JSON from this project’s Github and pasted the ARN of the Lambda function. Save and build model.
  • After that, I tested the skill and was able to download a raw memory dump from S3. Using volatility, I could see the calculator app.

Hope this article has been helpful and thank you for taking the time to read this lengthy post.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store