Traditionally, I would make a gold build image of the base install to create a hash library. Later providing the opportunity to conduct a hash analysis to help limit the scope of what had changed since the system’s initial installation. What if I told you that you could narrow this down to 512K blocks of what data changed without any analysis?
The only catch is your AMI build pipeline or default AWS image needs a base snapshot that the list_changed_blocks() method can use for comparison.
IDENTIFY CHANGED BLOCKS
$ python3 Snapshot-4n6ir-Imager.py --region us-east-2 --snapshot snap-08d6b515831f89767 --compare --base snap-0de67428c1be121f4 Snapshot 4n6ir Imager v0.1.9 Region: us-east-2 Snapshot: snap-08d6b515831f89767 100%|██████████████████████████████████████| 1046/1046 [00:00<00:00, 2053952.24it/s] API Quantity: 1046 Download Size: 0.51 GB
The best part about having a base snapshot as part of your process to compare is the significant volume reduction that the investigator needs to triage! The list_changed_blocks() method returns a block access token for the changed second block that can be downloaded by the get_snapshot_block() process.
IMAGE CHANGED BLOCKS
$ python3 Snapshot-4n6ir-Imager.py --region us-east-2 --snapshot snap-08d6b515831f89767 --changed --base snap-0de67428c1be121f4
I found this useful, so I wanted to get the capability included in the Snapshot 4n6ir Imager python script for others.
Snapshot 4n6ir Imager Initial Release
Snapshot 4n6ir Imager for Docker
Snapshot 4n6ir Imager