Hello! I have a small question about the recommended steps if an EC2 instance seems to be hacked. A Cloud Guru's lecture recommended stopping the instance as a first step, and then taking a snapshot of the EBS instance, so you can deploy it in a totally isolated environment. However, since some malware resides only in memory and doesn't write anything to the volumes, I wonder whether, in order to analyze the behavior of the compromised EC2 instance, it wouldn't be better to isolate it within its current VPC by attaching a more restrictive Security Group, so I can at least make a copy of the contents of memory before terminating my instance. Thank you so much in advance! Santiago (Madrid, Spain)
I agree with your assertion: stopping a compromised instance negates any forensic information retained in memory. I found the following article on the web. Hope it helps: https://www.linkedin.com/pulse/aws-forensics-ec2-volatile-memory-capture-stephen-mcmaster/
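A script for the isolate-first approach Santiago describes, added here as an example (it is not from the thread or the linked article). It assumes a configured AWS CLI and a pre-built quarantine security group whose only inbound rule is the forensic workstation; the instance and group IDs are placeholders, and `AWS` can be pointed at a stub function to dry-run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: quarantine a suspected-compromised
# EC2 instance WITHOUT stopping it, so volatile memory survives until it is captured.
# Assumptions: AWS CLI is configured; a quarantine security group already exists
# that allows only the forensic workstation in (ids below are placeholders).
set -eu

# Command used for every AWS call; set AWS=<stub function> to dry-run offline.
AWS="${AWS:-aws}"

quarantine_instance() {
  local instance_id="$1" quarantine_sg="$2" stamp vol
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"

  # 1. Termination protection first: a stop or terminate destroys memory evidence.
  "$AWS" ec2 modify-instance-attribute --instance-id "$instance_id" \
    --disable-api-termination

  # 2. Replace ALL security groups with the quarantine group. The instance keeps
  #    running in its VPC, but every network path except the analyst's is cut.
  "$AWS" ec2 modify-instance-attribute --instance-id "$instance_id" \
    --groups "$quarantine_sg"

  # 3. Tag it so nobody "cleans up" the instance and the timeline is recorded.
  "$AWS" ec2 create-tags --resources "$instance_id" \
    --tags "Key=forensics,Value=quarantined-$stamp"

  # 4. Snapshot every attached EBS volume while the instance is still running:
  #    disk evidence is preserved now, memory stays intact for a live capture.
  for vol in $("$AWS" ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
      --output text); do
    "$AWS" ec2 create-snapshot --volume-id "$vol" \
      --description "forensics $instance_id $vol $stamp" --output text
  done
}

# Placeholder ids; replace with the real instance and quarantine group:
# quarantine_instance i-0123456789abcdef0 sg-0123456789abcdef0
```

Only after the memory capture has been taken through the one path the quarantine group still allows should the instance be stopped or terminated. If the capture tool is delivered over SSM Session Manager rather than SSH, the quarantine group must also permit outbound access to the SSM endpoints.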