Cloud Incident Response Blog | Cado Security

The Cado Platform can now Capture AWS EC2 Systems into E01 Format

Written by Chris Doman | Jan 5, 2024 2:29:47 PM

When responding to serious incidents in the cloud, chain of custody and the ability to confirm forensic findings with multiple tools are important.

That’s why we’re happy to announce that the Cado platform now supports collecting AWS EC2 instances to .E01 (Expert Witness Format) disk images in addition to the pre-existing .DD / Raw format.

This can be enabled automatically if you are acquiring via API, or in the user interface by selecting "Convert DD to E01":

The E01 format file will be stored in S3 storage. You can also now preserve all forensic collections from all clouds and formats in a central S3 bucket:

To enable this E01 conversion functionality, you will first need to enable the “Preserve Evidence” settings above. By default, it is turned off; if enabled, the last setting is saved for future imports.

To ensure that the whole process stands up to scrutiny, under the hood we use DD, an industry-standard and recognized tool, to facilitate the transfer and storage of evidence, as well as the industry-standard SHA-256 to ensure evidence is unaltered.

Interested in implementing chain of custody into your cloud environment? Or streamlining your current forensics and incident response processes in the cloud? Contact us to schedule a demo with our team or check out our 14-day free trial.