Getting Started - Snapshot 4n6ir Imager

SCENARIO

Suspicious activity was detected on an EC2 instance and requires investigation. An Amazon EBS snapshot was obtained and needs to be converted to a DD image for analysis. The examiner workstation has been launched in the same region as the snapshot in question to limit data transfer costs. An IAM role for EC2 is attached to the workstation, with an IAM policy granting the following Elastic Block Store (EBS) permissions:

  • ebs:ListSnapshotBlocks
  • ebs:ListChangedBlocks
  • ebs:GetSnapshotBlocks

INSTALLATION

Add two Python 3 libraries, download the script, and you are all set to go!

Installation for Ubuntu 18.04

$ sudo apt-get install python3-pip -y
$ pip3 install boto3 tqdm

Snapshot 4n6ir Imager Download

BUDGET

The budget option reports the download size and the volume size, that is, the amount of EBS disk storage needed to image the snapshot and to rebuild it.

$ python3 Snapshot-4n6ir-Imager.py --region us-east-2 --snapshot snap-056e0b1bd07ad91b2 --budget
Snapshot 4n6ir Imager v0.3.1

Region: 	us-east-2
Snapshot: 	snap-056e0b1bd07ad91b2

100%|█████████████████████████████████████| 103/103 [00:00<00:00, 484319.86it/s]

API Quantity: 	103
Download Size: 	0.05 GB
Volume Size: 	1 GB

Snapshot 4n6ir Imager provides a feasible option for archiving individual blocks to S3, just in case!

IMAGE

Each snapshot block (512K) is written as an individual file into a folder named after the snapshot identification number. The file name encodes the following information:

  • block index number
  • snapshot id
  • sha256 of block content for verification
  • total volume size
  • block size

$ python3 Snapshot-4n6ir-Imager.py --region us-east-2 --snapshot snap-056e0b1bd07ad91b2 --image
Snapshot 4n6ir Imager v0.3.1

Region: 	us-east-2
Snapshot: 	snap-056e0b1bd07ad91b2

100%|█████████████████████████████████████████| 103/103 [00:08<00:00, 12.20it/s]

REBUILD IMAGE

As part of rebuilding, an empty DD image is created for both EXT and NTFS file systems. Linux has an extra step in which the superblock is overlaid onto the image file. The block index multiplied by the block size gives the offset at which each block's data is restored to its correct disk location.

$ sudo python3 Snapshot-4n6ir-Imager.py --region us-east-2 --snapshot snap-056e0b1bd07ad91b2 --ext4
Snapshot 4n6ir Imager v0.3.1

Region: 	us-east-2
Snapshot: 	snap-056e0b1bd07ad91b2

0+0 records in
0+0 records out
0 bytes copied, 0.000102911 s, 0.0 kB/s
mke2fs 1.44.1 (24-Mar-2018)
Discarding device blocks: done                            
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: 31345c8c-20ac-4ee4-ab81-4edffc196175
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

100%|█████████████████████████████████████████| 103/103 [00:34<00:00,  2.98it/s]
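The three steps above (budget, image, rebuild) as an added, self-contained illustration; this is not the imager's own code. In real use the block list comes from the boto3 EBS direct API (`list_snapshot_blocks`, `get_snapshot_block`); here the blocks are constructed in memory so the example runs offline, the snapshot ID is made up, the file-name layout (five fields separated by underscores) is an assumption since the page lists the fields but not their order, and the mkfs/superblock step is left out. The rebuild step re-hashes every block file and refuses any whose SHA-256 does not match its file name, which is the integrity check an examiner wants before trusting the DD image.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

BLOCK_SIZE = 512 * 1024   # EBS direct API block size (512 KiB), as stated on the page
GIB = 1024 ** 3


@dataclass
class Block:
    """Stand-in for one list_snapshot_blocks entry plus its get_snapshot_block data."""
    index: int     # BlockIndex
    data: bytes    # BlockData (constructed in demo(), not fetched from AWS)


def budget(blocks, volume_size_gib, block_size=BLOCK_SIZE):
    """--budget: (API calls needed, bytes to download, bytes of volume to rebuild)."""
    n = len(blocks)
    return n, n * block_size, volume_size_gib * GIB


def block_filename(snapshot_id, blk, volume_size_gib, block_size=BLOCK_SIZE):
    """Assumed layout carrying the five fields the page lists for each block file."""
    digest = hashlib.sha256(blk.data).hexdigest()
    return f"{blk.index}_{snapshot_id}_{digest}_{volume_size_gib}_{block_size}.block"


FILENAME_RE = re.compile(
    r"^(?P<index>\d+)_(?P<snap>snap-[0-9a-f]+)_(?P<sha>[0-9a-f]{64})"
    r"_(?P<vol>\d+)_(?P<bs>\d+)\.block$"
)


def image(snapshot_id, blocks, volume_size_gib, outdir):
    """--image: write each block as its own file under <outdir>/<snapshot id>/."""
    folder = Path(outdir) / snapshot_id
    folder.mkdir(parents=True, exist_ok=True)
    written = []
    for blk in blocks:
        if len(blk.data) != BLOCK_SIZE:
            raise ValueError(f"block {blk.index}: unexpected length {len(blk.data)}")
        path = folder / block_filename(snapshot_id, blk, volume_size_gib)
        path.write_bytes(blk.data)
        written.append(path)
    return written


def rebuild(snapshot_id, indir, image_path):
    """Rebuild: empty sparse image, then each verified block at offset index * block size."""
    folder = Path(indir) / snapshot_id
    restored = 0
    with open(image_path, "wb") as img:
        sized = False
        for path in sorted(folder.iterdir()):
            m = FILENAME_RE.match(path.name)
            if not m or m["snap"] != snapshot_id:
                raise ValueError(f"unexpected file in evidence folder: {path.name}")
            data = path.read_bytes()
            if hashlib.sha256(data).hexdigest() != m["sha"]:
                raise ValueError(f"integrity failure: {path.name}")
            if not sized:
                img.truncate(int(m["vol"]) * GIB)   # like the dd step: empty sparse image
                sized = True
            img.seek(int(m["index"]) * int(m["bs"]))
            img.write(data)
            restored += 1
    return restored


def demo(volume_size_gib=1):
    """Run all three steps over constructed blocks and return checkable results."""
    snap = "snap-0123456789abcdef0"                                   # constructed id
    blocks = [Block(i, f"block-{i}".encode().ljust(BLOCK_SIZE, b"\0"))
              for i in (0, 5, 2047)]                                  # 1 GiB = 2048 blocks
    with tempfile.TemporaryDirectory() as tmp:
        api_calls, download_bytes, volume_bytes = budget(blocks, volume_size_gib)
        files = image(snap, blocks, volume_size_gib, tmp)
        img = Path(tmp) / f"{snap}.dd"
        restored = rebuild(snap, tmp, img)
        with open(img, "rb") as f:
            f.seek(5 * BLOCK_SIZE)
            block5 = f.read(8)          # data lands at index * block size
            f.seek(1 * BLOCK_SIZE)
            gap = f.read(8)             # block never downloaded stays zero
        image_size = img.stat().st_size
    return {"api_calls": api_calls, "download_bytes": download_bytes,
            "volume_bytes": volume_bytes, "files": len(files), "restored": restored,
            "image_size": image_size, "block5": block5, "gap": gap}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With three constructed blocks the budget step reports 3 API calls and 3 × 512 KiB to download for a 1 GiB volume, matching how the page's 103 blocks give roughly 0.05 GB; the rebuilt image is the full volume size with only the restored offsets populated.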

ANALYSIS

Snapshot-4n6ir-Imager
