CADO CLOUD COLLECTOR DOCUMENTATION

Cado Cloud Collector is a solution to make forensic imaging of AWS EC2 instances a whole lot easier.

 

Setup takes about five minutes, after which you can forensically image any instance in your AWS region in a few clicks.

 

We are releasing it free to the security and digital forensics community.

Creating the Cloud Collector Instance

First, create the Cloud Collector instance.

Open the AWS console and select the region of your target instance:

a.png

Cloud Collector must be running in the same region as the instance you want to acquire.

Open the EC2 section in the AWS console and select “Launch Instance”:

b.png

You can now deploy directly from the AWS Marketplace, or follow the instructions below:

Click “Community AMIs” then enter the Cado Cloud Collector ID for your region (below):

c.png

We have provided AMIs for the following regions:

Region - AMI ID

N. Virginia (us-east-1) - ami-0f5c7532967db449e

Ohio (us-east-2) - ami-07f7fb877f9baa1b5

N. California (us-west-1) - ami-0ffc5625b26a8f1b0

Oregon (us-west-2) - ami-099b9fbcaaae224a4

London (eu-west-2) - ami-00b7c84d06046ffda

If your region is not listed above, copy one of the AMIs above into your region (EC2 console: AMIs, Actions, Copy AMI) and launch from the copy. Remember that the collector must run in the same region as the target instance.

AWS will now ask you for the instance type. A small free-tier instance (t2.micro) will work, but a more powerful instance will image faster.

The limiting factor in imaging is typically network throughput, or CPU if you are hashing, so choose an instance type with fast network performance if speed matters.

Click “Review and Launch” and then “Launch”.
 

Allowing Network Access

Select Instances to view your new EC2 instance:

a.png

Click the Security Group to view the firewall rules:

b.png

Click the Security Group that is selected, then click “Edit Inbound Rules”:

c.png

Add an inbound rule for HTTPS (TCP port 443):

d.png

Set the source of the rule to your own IP address only (a /32), not 0.0.0.0/0.

Security reminder: do not allow public access to Cado Cloud Collector. We strongly recommend restricting the rule to a whitelisted IP address, and reviewing any other inbound rules the group already contains.

Click “Save Rules”.
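The security-group step above is the one place where a slip exposes the collector, and its stored AWS keys, to the whole Internet. The script below is an added example, not code from the Cado documentation or product: it builds the single-host rule for port 443 in the IpPermissions shape the EC2 API expects, refusing anything wider than one address, and audits an existing group's rules for sources that can reach port 443 from more than one host. Only the standard library is needed for the checks; apply_rule() imports boto3 lazily and needs credentials, so the demo never calls it. The group ID and addresses in the sample are constructed for the example.

```python
"""Build and audit the inbound rule that exposes Cado Cloud Collector on TCP 443.

Added example; this is not code from the Cado documentation or product.
Only the standard library is needed for the checks; boto3 is imported
lazily in apply_rule(), which needs AWS credentials and is never called here.
"""
import ipaddress

COLLECTOR_PORT = 443


def ingress_rule_for(ip: str) -> dict:
    """Return one EC2 IpPermissions entry allowing TCP/443 from a single host.

    Anything wider than one address (a /32 or /128) is rejected so that an
    accidental 0.0.0.0/0 never reaches the API.
    """
    net = ipaddress.ip_network(ip, strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"{ip} is not a single host address")
    cidr = f"{net.network_address}/{net.prefixlen}"
    if net.version == 6:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": cidr, "Description": "Cado admin host"}]}
    else:
        ranges = {"IpRanges": [{"CidrIp": cidr, "Description": "Cado admin host"}]}
    return {"IpProtocol": "tcp", "FromPort": COLLECTOR_PORT,
            "ToPort": COLLECTOR_PORT, **ranges}


def wide_sources(ip_permissions: list) -> list:
    """List every source CIDR wider than one host that can reach the collector port.

    Takes the IpPermissions list from describe_security_groups(); an empty
    result means port 443 is only reachable from whitelisted hosts.
    """
    found = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols, no port fields
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":
            lo, hi = 0, 65535
        if not lo <= COLLECTOR_PORT <= hi:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                found.append(cidr)
    return found


def apply_rule(group_id: str, ip: str, region: str) -> None:
    """Add the single-host rule to the collector's security group via boto3."""
    import boto3  # needs AWS credentials; kept out of the offline checks
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=group_id,
                                         IpPermissions=[ingress_rule_for(ip)])


# Constructed sample in the shape describe_security_groups() returns; the
# group ID and addresses are made up for this example.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print("rule to add:", ingress_rule_for("203.0.113.7"))
    print("too-wide sources on 443:", wide_sources(SAMPLE_GROUP["IpPermissions"]))
    # apply_rule(SAMPLE_GROUP["GroupId"], "203.0.113.7", "us-east-1")
```

Run the audit against the live group (ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]) after saving the rules; the sample above reports the 0.0.0.0/0 entry on 443 and ignores the SSH rule, which does not cover the collector port.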

 

You can now copy the hostname from the EC2 console, and confirm you have access to the hostname in your browser:

e.png

Checking Cado Cloud Collector is Running

At this point Cado Cloud Collector is served over HTTPS with a self-signed certificate, so your browser will warn about it. You can check the service is running by opening https://xx.compute.amazonaws.com (the Public DNS name shown in the EC2 console).

Getting A Signed Certificate

We cannot automatically obtain a certificate from a service such as Let's Encrypt: Let's Encrypt refuses to issue certificates for EC2 instance hostnames (*.compute.amazonaws.com), because those names can change hands between different AWS accounts.

The easiest way to get a valid, signed certificate for the HTTPS connection is to put an AWS Elastic Load Balancer (ELB) in front of the host.

AWS provides guidance on creating a load balancer.

AWS Certificate Manager can issue a certificate for a domain you own; attach it to the load balancer's HTTPS listener and register the Cado Cloud Collector instance as the target. Traffic between the load balancer and the instance then travels unencrypted over port 80 inside your VPC, so restrict the instance's security group to the load balancer rather than to the Internet.

When creating the ELB, we recommend you use the following settings:

  • Healthcheck URL: /health

  • Port: 80


Logging In

Log in for the first time with the username “admin”; the password is the EC2 Instance ID (for example i-xxx):

f.png

You will then be asked to change your password immediately; you cannot use the platform until you have done so:

g.png

Creating Credentials

Now you will need to create an IAM user with the permissions required to snapshot and image the target AWS EC2 instance and to write the image to S3.

 

Open the IAM Management section in the AWS Console and click Create Policy:

h.png

Then click JSON:

i.png

And enter the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume",
                "ec2:AttachVolume",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeSnapshotAttribute",
                "ec2:CreateTags",
                "ec2:DescribeSnapshots",
                "ec2:GetConsoleScreenshot",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateVolume",
                "ec2:GetConsoleOutput",
                "s3:PutObject",
                "ec2:DeleteVolume",
                "ec2:CreateSnapshots",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }
    ]
}
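The policy above grants every action, including the destructive ones (DeleteSnapshot, DeleteVolume, DetachVolume) and s3:PutObject, on Resource "*", so the access key stored in the collector can touch any volume in the account and write to any bucket it can name. Because Cloud Collector only operates in its own region and writes to one evidence bucket, the grant can be narrowed without changing what the tool needs. The script below is an added example, not code from the Cado documentation or product: it flags the unconditional wildcard grants in the page's policy and emits a scoped variant that limits the EC2 actions to one region with the aws:RequestedRegion condition key and the S3 action to one bucket. EC2 Describe* and GetConsole* calls do not accept resource ARNs, so the EC2 statement keeps Resource "*" and relies on the region condition instead. The bucket name and region are assumptions; test the tightened policy against a real acquisition before relying on it.

```python
"""Audit the collector's IAM policy and emit a tighter variant.

Added example; this is not code from the Cado documentation or product.
The evidence bucket name and region used below are assumptions.
"""
import json

# The policy exactly as shown on this page.
COLLECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:DetachVolume", "ec2:AttachVolume", "ec2:DeleteSnapshot",
            "ec2:DescribeInstances", "ec2:DescribeTags",
            "ec2:DescribeSnapshotAttribute", "ec2:CreateTags",
            "ec2:DescribeSnapshots", "ec2:GetConsoleScreenshot",
            "ec2:DescribeVolumeAttribute", "ec2:CreateVolume",
            "ec2:GetConsoleOutput", "s3:PutObject", "ec2:DeleteVolume",
            "ec2:CreateSnapshots", "ec2:DescribeVolumes",
            "ec2:CreateSnapshot", "ec2:DescribeInstanceStatus",
        ],
        "Resource": "*",
    }],
}

# Actions that change or destroy state; Describe*/Get* are read-only.
MUTATING_PREFIXES = ("Create", "Delete", "Attach", "Detach", "Put")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unconditional_wildcard_mutations(policy: dict) -> list:
    """Return mutating actions granted on Resource "*" with no Condition block."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.split(":", 1)[1].startswith(MUTATING_PREFIXES):
                hits.append(action)
    return sorted(hits)


def scoped_policy(policy: dict, bucket: str, region: str) -> dict:
    """Split each statement into an EC2 grant limited to one region and an S3
    grant limited to the evidence bucket.

    EC2 Describe*/GetConsole* calls do not accept resource ARNs, so the EC2
    statement keeps Resource "*" and relies on aws:RequestedRegion instead.
    """
    out = {"Version": policy["Version"], "Statement": []}
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        ec2_actions = [a for a in actions if a.startswith("ec2:")]
        s3_actions = [a for a in actions if a.startswith("s3:")]
        if ec2_actions:
            out["Statement"].append({
                "Sid": f"CollectorEc2InRegion{i}",
                "Effect": "Allow",
                "Action": ec2_actions,
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": region}},
            })
        if s3_actions:
            out["Statement"].append({
                "Sid": f"CollectorEvidenceBucket{i}",
                "Effect": "Allow",
                "Action": s3_actions,
                "Resource": f"arn:aws:s3:::{bucket}/*",
            })
    return out


if __name__ == "__main__":
    print("wildcard grants:", unconditional_wildcard_mutations(COLLECTOR_POLICY))
    # Bucket and region are placeholders for this example; substitute your own.
    tight = scoped_policy(COLLECTOR_POLICY, "ir-evidence-bucket", "us-east-1")
    print(json.dumps(tight, indent=4))
```

The printed JSON can be pasted into the same Create Policy editor in place of the block above. On the page's policy the audit reports nine mutating actions on "*"; on the scoped output it reports none, because the remaining wildcard is bounded by the region condition.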

Then Click Review Policy:

j.png

Then give your policy a name, and click Create Policy.

We can now create a user to attach our policy to.

 

On the menu, click Users:

k.png

Then Add User:

l.png

Enter a username and select Programmatic access (the user needs an access key, not console access):

m.png

Click Next: Permissions.

Then select Attach existing policies directly and choose the policy you just created:

n.png

Then click Next: Tags, Next: Review, and finally Create user.

You can now copy the Access key ID and Secret access key for your new user. The secret is shown only once; store it securely rather than in the browser or a shared document:

a.png

Back in Cado Cloud Collector, select Settings on the menu:

b.png

Then enter the Access Key and Secret Key for the user you just created:

c.png

You will also need an S3 bucket to save your disk images into; create one if it does not already exist, and make sure it is not publicly accessible, since it will hold full disk images of the acquired instances.
 

Creating a Disk Image

We are now ready to forensically image an instance.

Return to the home screen by clicking Acquire Evidence:

d.png

Then click Start Acquiring:

e.png

You will then see the instances in the region that Cloud Collector is running in.

Click Acquire next to the instance you want to image:

f.png

You can then customise your acquisition, then click Next to start acquiring:

g.png

And you will then be given a summary of the acquisition.

 

Click View Progress to go to the task tracking page:

h.png

The tasks page provides a status of the current acquisition, and logs of previous acquisitions:

i.png

Once the acquisition has completed, the acquired files are in the S3 bucket you configured.