Forensic Analysis Preparation: Preserving Logs in Windows Cloud Environments [ PART 3 ]
Background: Unlike classic logging systems that preserve data on-premises, cloud systems require some familiarity with the components each cloud vendor provides. To prepare for cloud work, first set up the applications or API keys you will use to make REST API calls, especially if you plan to work with Windows machines at scale. If you are only working with one or two machines, a separate REST API capability may not be necessary.
Preparing for Windows AWS Cloud Work at Scale: One of Amazon's best implementations is its IAM access key capability, which lets you make programmatic calls on behalf of your account to the EC2 instances where the Windows OS is hosted.
Preparing for Windows Azure Cloud Work at Scale: For the same purpose in Azure, you need to register an app in Entra ID and grant it all the required permissions and IAM roles.
Architectures of cloud log preservation by vendor: To preserve Windows OS events (EVTX) in Azure, you need to use three components:
MMA/AMA Agent > Azure Monitor > Log Analytics Workspace
In AWS, to preserve Windows OS events (EVTX), you need to use two components:
AWS SSM Agent > CloudWatch
In both cases, when you create a new machine, these agents come pre-installed.
Architectures of cloud preservation by vendor for the current OS state: Both vendors can take snapshots of machines, capturing the file structure and other non-volatile data. For volatile data, however, it is preferable to deploy scripts across all scaled machines using methods such as REST APIs or out-of-the-box forensic solutions.
Final steps:
1. Set up CloudWatch/Azure Monitor for events.
2. Take snapshots of suspicious machines using the built-in capabilities provided by the vendors.
3. Deliver volatile memory dumping tools via REST API.
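As an added example (not part of the original post), here is how step 1 can be done at scale on the AWS side: build a CloudWatch agent configuration that forwards the Windows event channels an incident responder cares about, store it in SSM Parameter Store, and use SSM Run Command (the AmazonCloudWatch-ManageAgent document) to apply it to every instance carrying a given tag. The tag name, parameter name, log group prefix and retention period are assumptions chosen for the example.

```python
"""Roll out Windows event-log (EVTX) forwarding to CloudWatch at scale.

Flow: build CloudWatch agent config -> store it in SSM Parameter Store ->
SSM Run Command applies it to every EC2 instance matching a tag.
Tag key/value, parameter name and group prefix below are assumptions.
"""
import json

# Channels worth preserving for forensics; Security is the critical one.
DEFAULT_CHANNELS = ("Security", "System", "Application",
                    "Microsoft-Windows-PowerShell/Operational")
ALL_LEVELS = ["CRITICAL", "ERROR", "WARNING", "INFORMATION", "VERBOSE"]


def build_agent_config(channels=DEFAULT_CHANNELS, group_prefix="/windows/evtx",
                       retention_days=365):
    """CloudWatch agent 'logs' section: one log group per channel, one stream per instance."""
    collect = [{
        "event_name": ch,
        "event_levels": ALL_LEVELS,
        "event_format": "xml",                  # keep the full EVTX record, not a text summary
        "log_group_name": f"{group_prefix}/{ch.replace('/', '_')}",
        "log_stream_name": "{instance_id}",     # agent substitutes the instance id at runtime
        "retention_in_days": retention_days,
    } for ch in channels]
    return {"logs": {"logs_collected": {"windows_events": {"collect_list": collect}}}}


def manage_agent_params(param_name):
    """Parameters for the AmazonCloudWatch-ManageAgent SSM document."""
    return {"action": ["configure"], "mode": ["ec2"],
            "optionalConfigurationSource": ["ssm"],
            "optionalConfigurationLocation": [param_name],
            "optionalRestart": ["yes"]}


def deploy(tag_key="Role", tag_value="windows-server",
           param_name="/cloudwatch/windows-evtx", region="us-east-1"):
    """Store the config in Parameter Store and push it to every tagged instance."""
    import boto3  # imported here so the config builders stay usable offline
    ssm = boto3.client("ssm", region_name=region)
    ssm.put_parameter(Name=param_name, Type="String", Overwrite=True,
                      Value=json.dumps(build_agent_config()))
    resp = ssm.send_command(
        DocumentName="AmazonCloudWatch-ManageAgent",
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        Parameters=manage_agent_params(param_name),
        Comment="Enable EVTX forwarding for forensic readiness")
    return resp["Command"]["CommandId"]  # poll with ssm.list_command_invocations


if __name__ == "__main__":
    print(json.dumps(build_agent_config(), indent=2))
```

Run `deploy()` from a host with SSM permissions; instances must already run the SSM Agent and CloudWatch agent and have an instance role allowed to write to CloudWatch Logs.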
Conclusions: This preparation is one of the critical stages you need to complete before incidents occur on Windows OS. Taking these steps will ensure that your incident response in the cloud environment proceeds successfully.
Happy hunt, Jok3r