Is Session Manager well featured enough to do forensic analysis on a compromised EC2 instance, or do you need something like Kali?
2 Answers
You would need to be using Session Manager first. And their access would need to through Session Manager.
Generally, I wouldn’t advise it.
A principle of good forensic investigation is not to tamper with or access the affected system. Session Manager functionally works the same as SSH, so you’re still interacting with the machine that was compromised, so that affects the integrity of the system when it comes to forensic analysis.
In general, it can be far better to capture a snapshot of the affected instance and work from that. You could either restore it to an EBS volume and attach it as a secondary volume to another instance for interrogation, like Kali. Alternatively, you could restore the snapshot into a copy of the instance, so you can interact with it in real-time.
The one thing you might need to interact with the live session for is if you need to capture a dump of the EC2 instance’s memory since that won’t survive a snapshot. There are processes for this too, but should be down with care.
If you’re interested in the subject, there’s a paper on the subject at the SANS Institute Reading Room, called Digital Forensic Analysis of Amazon Linux EC2 Instances that might be interesting to read.