determine whether document uploaded to S3 bucket

afsfr
(@afsfr)
Junior Member

We have captured the disk image of a suspect's laptop. We suspect the person uploaded Word documents to an AWS S3 bucket. How can we determine from the image that documents have been uploaded to external cloud storage?

Topic starter Posted : 24/02/2022 1:25 pm
anucci
(@anucci)
New Member

Hi There,

Do you know if they were using any desktop application like S3 Browser? If so, you will have quite a few artifacts to look at.

If the upload was done using the AWS Console, then look at the web history and identify the AWS S3 ARN or account number. S3 bucket names are unique, so you should be able to place a preservation on Amazon for that particular bucket.

However, I do not know how they work when it comes to producing content… encryption keys may be customer managed, and AWS may not have the ability to decrypt the data.

I would still go through preserving the AWS account and S3.

The other option is if they used the AWS CLI or AWS Tools for PowerShell. Look at event logs for commands and at installed applications, and see if any of these were installed.

Depending on the system you are investigating, and whether PowerShell and command line arguments were being captured, you may be able to see what was executed.

Good Luck!!

Posted : 24/02/2022 3:40 pm
afsfr
(@afsfr)
Junior Member

@anucci, thank you for the reply.

If the suspect is using the web to upload, then during the data upload he would use HTTPS (with SSL). How can we view the encrypted data using forensic software (e.g. EnCase)? If there is no SSL decryption, how would we know which data he uploaded? The suspect can say he only uploaded a test document instead of a confidential file, so how do we prove it?

If we found the AWS CLI in the event log, how do we examine which document he uploaded through the AWS CLI? I think the Windows event log does not capture that info. Any idea?

Topic starter Posted : 25/02/2022 8:27 am
anucci
(@anucci)
New Member

@afsfr

The web history review is for you to potentially identify the AWS account number or bucket name the suspect was using. Then you can go the search warrant route with Amazon, if you have probable cause.

It is unlikely (since this is a user's device) that the process command line is being captured in event logs, but you could check. I think event 4688 may be one to look at. This is not enabled by default.

You could try and do a regex search for the AWS ARN syntax of the S3 bucket… if you are using EnCase. This may give you something to look at to see if any artifacts captured what was uploaded.

When you upload files using the AWS CLI or AWS Tools for PowerShell, you use arguments in the command that explicitly show the file being uploaded.

For example, for the CLI it would look like:

aws s3 cp path-to\myFile.pdf s3://suspectBucket/anyName.pdf

The first argument after the "cp" is the file being uploaded. The second is the S3 bucket where the file was uploaded to. The uploader can give any name to the uploaded file to be saved under, so the file name could either be the same or they could provide a different one.

Keep in mind that this is not the only way one can upload to S3. This is why identifying the bucket name will be useful, as it may be helpful in doing keyword searching.

Posted : 25/02/2022 12:33 pm
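As an added example (not code from anyone in this thread), a small Python triage script that applies the advice above to recovered command lines: the sample lines are constructed, in the shape of an event 4688 "Process Command Line" export and a PowerShell ConsoleHost_history.txt, and the script extracts the local file and S3 destination from `aws s3 cp`/`mv`/`sync` and `Write-S3Object` invocations, and collects any bare `s3://` URI or S3 ARN as bucket names for a wider keyword search. The bucket and file names are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real evidence) in the shape of an event 4688
# "Process Command Line" export and a PowerShell ConsoleHost_history.txt.
SAMPLE_LINES = [
    'Process Command Line: "C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe" s3 cp '
    'C:\\Users\\jdoe\\Documents\\Q4-forecast.docx s3://suspectbucket/report.docx',
    'aws s3 sync C:\\Users\\jdoe\\Documents s3://suspectbucket/backup/ --exclude *.tmp',
    'Write-S3Object -BucketName suspectbucket -Key notes.docx -File C:\\Users\\jdoe\\Desktop\\notes.docx',
    'arn:aws:s3:::suspectbucket/archive/old.docx',
    'notepad.exe C:\\Users\\jdoe\\Desktop\\todo.txt',
]

BUCKET = r'([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?:/(\S*))?'
S3_URI = re.compile(r's3://' + BUCKET, re.I)           # s3://bucket/key
S3_ARN = re.compile(r'arn:aws:s3:::' + BUCKET, re.I)   # arn:aws:s3:::bucket/key
# aws[.exe"] s3 cp|mv|sync <local> <s3://...>: the first argument is the local source
CLI_UPLOAD = re.compile(r'\baws(?:\.exe)?"?\s+s3\s+(cp|mv|sync)\s+(\S+)\s+(s3://\S+)', re.I)

@dataclass
class Finding:
    kind: str        # "cli-cp", "cli-mv", "cli-sync", "ps-upload" or "s3-reference"
    bucket: str
    key: str         # object key or prefix, "" if none
    local_path: str  # local file or directory named in the command, "" if none
    line: str        # the artifact line it came from

def parse_line(line):
    """Return the Finding objects recoverable from one artifact line."""
    m = CLI_UPLOAD.search(line)
    if m:
        op, src, dst = m.groups()
        u = S3_URI.search(dst)
        return [Finding("cli-" + op.lower(), u.group(1), u.group(2) or "", src, line)]
    if re.search(r'\bWrite-S3Object\b', line, re.I):
        # AWS Tools for PowerShell: the parameters may appear in any order
        def opt(name):
            mm = re.search(r'-' + name + r'\s+(\S+)', line, re.I)
            return mm.group(1) if mm else ""
        return [Finding("ps-upload", opt("BucketName"), opt("Key"), opt("File"), line)]
    # Otherwise keep any bare S3 URI/ARN: it still yields a bucket name to search for
    return [Finding("s3-reference", mm.group(1), mm.group(2) or "", "", line)
            for rx in (S3_URI, S3_ARN) for mm in rx.finditer(line)]

def triage(lines):
    return [f for line in lines for f in parse_line(line)]

def buckets(findings):
    # Unique bucket names: the keyword list for a wider search of the image
    return sorted({f.bucket.lower() for f in findings if f.bucket})
```

Feed `triage()` the command lines you actually recovered; the local path it reports for each upload is the file to locate and hash on the image.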
afsfr
(@afsfr)
Junior Member

Thanks.

Regarding your comment:

"if you are using EnCase. This may give you something to look at to see if any artifacts captured what was uploaded."

May I know the list of S3 artifacts EnCase supports? Thanks.

Topic starter Posted : 26/02/2022 6:46 am