Cado Cloud Collector

Documentation

Cado Cloud Collector is a solution to make forensic imaging of AWS EC2 instances a whole lot easier.

Setup takes only 5 minutes, and then you can use it to forensically image any instance in your AWS region in just a few clicks.

We are releasing it free to the security and digital forensics community.

First we need to create the Cloud Collector Instance.

Open the AWS console and select the region of your target instance:

Cloud Collector must be running in the same region as the instance you want to acquire.

Open the EC2 section in the AWS console and select “Launch Instance”:

You can now deploy directly from the Amazon Marketplace, or follow the instructions below:

Click “Community AMIs” then enter the Cado Cloud Collector ID for your region (below):

We have provided AMIs for the following regions:

Region – AMI ID

  • N. Virginia (us-east-1) – ami-0f5c7532967db449e
  • Ohio (us-east-2) – ami-07f7fb877f9baa1b5
  • N. California (us-west-1) – ami-0ffc5625b26a8f1b0
  • Oregon (us-west-2) – ami-099b9fbcaaae224a4
  • London (eu-west-2) – ami-00b7c84d06046ffda

If your region is not listed above, you can copy the AMI from one of the pre-existing regions to the region you are using.

AWS will now ask you for the instance size. A small free tier (t2.micro) instance will work.

However, you may want to select a more powerful instance for faster imaging.

The limiting factor in imaging is typically network throughput, or CPU if hashing is enabled, so choose an instance size with fast Network Performance if speed is important.

Click “Review and Launch” and then “Launch”.

Allowing Network Access

Select Instances to view your new EC2 instance:

Click the Security Group to view the firewall rules:

Click the Security Group that is selected, then click “Edit Inbound Rules”:

Then enable access to port 443:

You can now allow access from just your IP address to 443.

Security Reminder: Do not allow public access to Cado Cloud Collector – we strongly recommend that you use a whitelisted IP. Click “Save Rules”.

You can now copy the hostname from the EC2 console, and confirm you have access to the hostname in your browser:
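The rule you just saved is the one control that keeps the collector off the public internet, so it is worth checking it programmatically rather than by eye. The following is an added example, not part of the Cado documentation or the Cado code base: it audits a security group description for any rule that exposes port 443 to 0.0.0.0/0 or ::/0, and builds the single-address rule you actually want. The group description is a constructed sample in the shape the EC2 DescribeSecurityGroups API returns (the GroupId is a placeholder), and the rule it produces is in the IpPermissions shape that the EC2 AuthorizeSecurityGroupIngress call accepts; no AWS call is made here.

```python
import ipaddress

# Constructed sample of one security group, trimmed to the fields used below.
# The GroupId is a placeholder; the first rule is the mistake we want to catch.
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "open to the world"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "admin host"}],
         "Ipv6Ranges": []},
    ],
}


def is_public(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(perm, port):
    """True if this IpPermissions entry allows TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":          # 'all traffic' rule
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def public_exposures(group, port=443):
    """Return the CIDRs that expose `port` on this group to the whole internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            if is_public(r["CidrIp"]):
                findings.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if is_public(r["CidrIpv6"]):
                findings.append(r["CidrIpv6"])
    return findings


def single_source_rule(my_ip, port=443):
    """Build an IpPermissions entry allowing only `my_ip` (v4 or v6) to reach `port`."""
    addr = ipaddress.ip_address(my_ip)
    cidr = f"{addr}/{addr.max_prefixlen}"     # host route: /32 for v4, /128 for v6
    key = "IpRanges" if addr.version == 4 else "Ipv6Ranges"
    field = "CidrIp" if addr.version == 4 else "CidrIpv6"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            key: [{field: cidr, "Description": "Cado Cloud Collector admin access"}]}


if __name__ == "__main__":
    for cidr in public_exposures(SAMPLE_GROUP):
        print(f"WARNING: {SAMPLE_GROUP['GroupId']} exposes 443 to {cidr}")
    print(single_source_rule("203.0.113.10"))
```

Run the audit after every rule change, and again if anyone else has console access to the account: a later "temporary" 0.0.0.0/0 entry is exactly the failure mode the Security Reminder above is about.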

Checking Cado Cloud Collector is Running

At this point Cado Cloud Capture will be served with a self-signed certificate, so your browser will show a certificate warning. You can check it is running by accessing the hostname at https://xx.compute.amazonaws.com

Getting A Signed Certificate

We can’t automatically obtain a certificate from a service such as Let’s Encrypt: Let’s Encrypt refuses to issue certificates for EC2 instance hostnames, because those hostnames can change hands between different AWS users.

The easiest way to get a valid signed certificate for the HTTPS connection is to put an AWS Elastic Load Balancer (ELB) in front of the host.

See advice on how to create an ELB.

AWS will issue an SSL/TLS certificate for a domain you own, and the load balancer will route traffic to the Cado Cloud Capture EC2 instance for you.

When creating the ELB, we recommend you use the following settings:

  • Healthcheck URL: /health
  • Port: 80

Logging In

Log in for the first time with the username “admin”. The password is the Instance ID – for example i-xxx:

You will then be asked to immediately change your password – you will not be able to use the platform before doing so:

Creating Credentials

Now you will need to create a user that has the required permissions to snapshot and image the target AWS EC2 instance.

Open the IAM Management section in the AWS Console and click Create Policy. Then click JSON.

And enter the following JSON:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume",
                "ec2:AttachVolume",
                "ec2:DeleteSnapshot",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeSnapshotAttribute",
                "ec2:CreateTags",
                "ec2:DescribeSnapshots",
                "ec2:GetConsoleScreenshot",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateVolume",
                "ec2:GetConsoleOutput",
                "s3:PutObject",
                "ec2:DeleteVolume",
                "ec2:CreateSnapshots",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }]
    }
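The policy above grants the collector's IAM user 17 EC2 actions plus s3:PutObject, all on "Resource": "*". Before attaching it, a reviewer will want to confirm it parses, see exactly which actions per service it grants, and flag the wildcards. The following is an added example, not Cado's code or documentation: it loads the page's policy verbatim, summarises it, reports wildcard actions and resources, and produces a variant in which the S3 write is split into its own statement scoped to a single evidence bucket. The bucket ARN is a placeholder you would replace with the bucket created in the next step.

```python
import json

# The IAM policy from the page, verbatim.
POLICY_JSON = r'''{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:DetachVolume", "ec2:AttachVolume", "ec2:DeleteSnapshot",
            "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeSnapshotAttribute",
            "ec2:CreateTags", "ec2:DescribeSnapshots", "ec2:GetConsoleScreenshot",
            "ec2:DescribeVolumeAttribute", "ec2:CreateVolume", "ec2:GetConsoleOutput",
            "s3:PutObject", "ec2:DeleteVolume", "ec2:CreateSnapshots",
            "ec2:DescribeVolumes", "ec2:CreateSnapshot", "ec2:DescribeInstanceStatus"
        ],
        "Resource": "*"
    }]
}'''


def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse the policy document and check the version the console expects."""
    policy = json.loads(text)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version")
    return policy


def actions_by_service(policy):
    """Map service prefix ('ec2', 's3') to the set of action names granted."""
    out = {}
    for st in policy["Statement"]:
        for action in as_list(st["Action"]):
            svc, _, name = action.partition(":")
            out.setdefault(svc, set()).add(name)
    return out


def wildcard_findings(policy):
    """Return (Sid, kind, value) for every wildcard action or resource."""
    findings = []
    for st in policy["Statement"]:
        for action in as_list(st["Action"]):
            if action.endswith("*"):
                findings.append((st.get("Sid"), "wildcard action", action))
        for res in as_list(st["Resource"]):
            if res == "*":
                findings.append((st.get("Sid"), "wildcard resource", res))
    return findings


def scope_s3_to_bucket(policy, bucket_arn):
    """Copy the policy, moving all s3:* actions to a statement limited to bucket_arn/*."""
    new = json.loads(json.dumps(policy))          # deep copy
    s3_actions = []
    for st in new["Statement"]:
        actions = as_list(st["Action"])
        s3_actions += [a for a in actions if a.startswith("s3:")]
        st["Action"] = [a for a in actions if not a.startswith("s3:")]
    if s3_actions:
        new["Statement"].append({
            "Sid": "EvidenceBucketWrite",
            "Effect": "Allow",
            "Action": sorted(set(s3_actions)),
            "Resource": f"{bucket_arn}/*",         # PutObject applies to object ARNs
        })
    return new


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for svc, names in actions_by_service(policy).items():
        print(f"{svc}: {len(names)} actions")
    for finding in wildcard_findings(policy):
        print("finding:", finding)
    # Placeholder bucket ARN; substitute the evidence bucket you create below.
    print(json.dumps(scope_s3_to_bucket(policy, "arn:aws:s3:::EXAMPLE-EVIDENCE-BUCKET"), indent=2))
```

The EC2 statement still reports a wildcard resource after scoping, which is expected: the ec2:Describe* actions do not support resource-level permissions, so "*" is required for them. The S3 write, by contrast, can and should be pinned to the one bucket the images are written to, so that the collector's access key cannot write anywhere else in the account.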

Then click Review Policy:

Then give your policy a name, and click Create Policy.

We can now create a user to attach our policy to. On the menu, click Users:

Then Add User:

Enter a username, and select Programmatic Access:

Click Next: Permissions. Then select Attach Existing Policies Directly and select the policy you just created:

Then click Next: Tags, then Next: Review, then Create User. You can now copy the Access Key and Secret Key for your new user:

Back in Cado Cloud Capture, select Settings on the menu:

Then enter the Access Key and Secret Key for the user you just created:

You will also need to create an S3 bucket to save your disk images into, if one doesn’t already exist.

Creating a Disk Image

We are now ready to forensically image an instance. Return to the home screen by clicking Acquire Evidence:

Then click Start Acquiring:

You will then see the Instances listed for the region that Cloud Collector is running in. Click Acquire on the instance you want to acquire:

You can then customise your acquisition, and click Next to start acquiring:

And you will then be given a summary of the acquisition. Click View Progress to go to the task tracking page:

The tasks page provides a status of the current acquisition, and logs of previous acquisitions:

Once the acquisition has completed, you will be able to see the acquired files in S3.

Cado Cloud Collector – Acknowledgements


We call a number of compiled applications during execution:

Cado Cloud Collector also uses a portion of code for listing disks attached to Linux systems from Google’s GiftStick tool, which was released under an Apache License.

We also use the Airframe Bootstrap theme, released under an MIT license.