Kenneth Hartman.jpg

Step by Step Walkthrough of Forensic Analysis of Amazon Linux on EC2 for Incident Responders

Kenneth Hartman

This workshop will be a step-by-step walkthrough of techniques that can be used to perform forensics on Amazon Linux Instances running in AWS Elastic Cloud Compute (EC2). We use various open-source tools and perform the analysis itself in the cloud. 

The purpose of this workshop is to equip security engineers with the skills necessary to investigate compromised Linux EC2 instances and discover Indicators of Compromise (IOC), the Tools, Tactics, and Procedures (TTP) used in the attack, as well as information that can help one reconstruct the timeline, determine the scope of the incident, and scope of the incident.

To get the most out of this workshop, each participant should:

  • Have their own account in Amazon Web Services ( and have experience managing virtual machines in the EC2 service.

  • Have the AWS Command Line Interface (CLI) installed and configured. See this link for installing the CLI and this link to configure it for full administrative access to one’s account.

  • Be comfortable with the tasks covered in the Using Amazon EC2 with CLI tutorial and be able to SSH into Linux virtual machines launched in EC2.

  • Bring their own laptop and power cord.

NOTE: We will not be covering Windows forensics as there are several existing resources covering this topic.
Workshop materials will be provided electronically during the session.

Speakers Bio: Kenneth G. Hartman is a security engineering leader in Silicon Valley and teaches the “Security 545 -Cloud Security, Architecture, and Operations” Course for the SANS Institute. Ken has worked for a variety of Cloud Service Providers in Architecture, Engineering, Compliance, and Security Product Management roles. From 2002-2011, Ken helped launch and lead a company called Visonex into a profitable, nation-wide dialysis-specific electronic medical record using a software-as-a-service (SaaS) business model. Ken holds a BS Electrical Engineering from Michigan Technological University and a Masters Degree in Information Security Engineering from SANS Technology Institute. Ken has earned the CISSP, as well as multiple GIAC security certifications, including the GIAC Security Expert. Ken is also a Licensed PI in Michigan as required by law to consult on criminal cases involving digital forensics.