AWS will now ask you for the instance size. A small free tier (t2.micro) instance will work.
However, you may want to select a more powerful instance for faster imaging. The limiting factor in imaging is typically network speed, or CPU power if hashing, so choose an instance size with fast Network Performance if speed is important.
Click “Review and Launch” and then “Launch”.
Allowing Network Access
Select Instances to view your new EC2 instance:
Click the Security Group to view the firewall rules:
Click the Security Group that is selected, then click “Edit Inbound Rules”:
Then enable access to port 443:
You can now allow access from just your IP address to 443.
Security Reminder: Do not allow public access to Cado Cloud Collector – we strongly recommend that you use a whitelisted IP.
Click “Save Rules”.
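To confirm the saved rules expose port 443 to your address only, you can audit them offline. This is an added example, not part of Cado's tooling. It assumes the rules are in the shape of the `IpPermissions` list returned by EC2 DescribeSecurityGroups; the sample rules, the addresses and the function names are constructed for illustration.

```python
import ipaddress

COLLECTOR_PORT = 443  # the port this guide opens for the web interface

# Constructed sample in the shape of the IpPermissions list returned by
# EC2 DescribeSecurityGroups; addresses are documentation ranges.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]


def covers_port(perm, port=COLLECTOR_PORT):
    """True if this rule applies to TCP traffic on `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_ingress(ip_permissions, analyst_ip, port=COLLECTOR_PORT):
    """Return (cidr, reason) for each source allowed beyond analyst_ip."""
    analyst = ipaddress.ip_address(analyst_ip)
    findings = []
    for perm in ip_permissions:
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((cidr, "open to the whole internet"))
            elif net.num_addresses > 1:
                findings.append((cidr, "wider than a single address"))
            elif analyst not in net:
                findings.append((cidr, "not the analyst address"))
    return findings


if __name__ == "__main__":
    for cidr, reason in audit_ingress(SAMPLE_RULES, "203.0.113.10"):
        print(f"port {COLLECTOR_PORT} reachable from {cidr}: {reason}")
```

An empty result means port 443 is reachable only from the address you passed in. Note that the wide port range in the third sample rule is flagged because it includes 443, while the SSH rule is ignored.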
You can now copy the hostname from the EC2 console, and confirm you have access to the hostname in your browser:
Checking Cado Cloud Collector is Running
At this point Cado Cloud Capture will be served over a self-signed certificate. You can check it is running by accessing the hostname at https://xx.compute.amazonaws.com
Getting A Signed Certificate
We can’t automatically generate a certificate through a service such as Let’s Encrypt. Let’s Encrypt forbids creating certificates for EC2 instance hostnames, as they can change hands between different AWS users.
The easiest way to create a valid signed certificate for the encrypted HTTPS connection is to create an Amazon Load Balancer (ELB) in front of the host.
Then give your policy a name, and click Create Policy.
We can now create a user to attach our policy to.
On the menu, click Users:
Then Add User:
Enter a username, and select Programmatic access:
Select Attach Existing Policy Directly then select the policy you just created:
Then click Next: Tags, then Next: Review, then Create User.
You can now copy the Access Key and Secret Key for your new user:
Back in Cado Cloud Capture, select Settings on the menu:
Then enter the Access Key and Secret Key for the user you just created:
You will also need to create an S3 bucket to save your disk images into, if one doesn’t already exist.
Creating a Disk Image
We are now ready to forensically image an instance.
Return to the home screen by clicking Acquire Evidence:
Then click Start Acquiring:
You will then see the Instances listed for the region that Cloud Collector is running in.
Click Acquire on the instance you want to acquire:
You can then customise your acquisition, then click Next to start acquiring:
And you will then be given a summary of the acquisition. Click View Progress to go to the task tracking page:
The tasks page provides a status of the current acquisition, and logs of previous acquisitions:
Once the acquisition has completed, you will be able to see the acquired files in S3.