determine whether document uploaded to S3 bucket
we have captured the disk image of a suspect 's laptop, we suspect the person upload word documents to AWS S3 bucket, how to determine from image that documents has been uploaded to external cloud storage
Do you know if they were using any desktop application like S3 Browser? If so, you will have quite a bit of artifacts to look at.
if the upload was using the AWS Console, then look at web history, identify the AWS:s3 arn or account number. S3 bucket names are unique, so you should be able to place a preservation on Amazon for that particular bucket.
however, I do not know how they are working when it comes to producing content… encryption keys may be customer managed and AWS may not have the ability to decrypt the data.
i would still go through preserving the AWS account and S3.
The other option is if they used AWS cli, or AWS Tools for Powershell. Look at event logs for commands, installed applications and see if any of these were installed.
Depending on the system you are investigating, and whether powershell and command line arguments were being captured, you may be able to see what was executed.
@anucci , thank you for the reply.
if suspect is using web to upload, during data upload, he would use https (with ssl), how can we view the encrypted data using forensic software (eg.Encase), if no ssl descryption, how would we know which data he upload, suspect can say he only upload a test document instead of confidential file, how to prove?
if we found aws cli in event log? how to examine, which document he upload through aws cli? i think windows event log does not capture that info. any idea?
the web history review is for you to potentially identify the AWS account number or bucket name the suspect was using. Then you can go the search warrant route with Amazon. If you have probable cause.
It is unlikely (since this is a users device) that process command line is being captured in event logs. But you could check. I think event 4688 may be one to look at. This is not enabled by default.
you could tray and do a Regex search for the AWS ARN syntax of the S3 bucket… if you are using enCase. This may give you something to look at to see if any artifacts captured what was uploaded.
when you upload files using the AWS CLI or AWS tools for PoweShell, you use arguments in the command that explicitly show the file being uploaded.
for example, for cli it would look like:
aws s3 cp path-to\myFile.pdf s3://suspectBucket/anyName.pdf
the first argument after the “cp” is the file being uploaded. The second is the S3 bucket where the file was uploaded to. The uploaded can give any name to the file uploaded to be saved. So the file name could either be the same or they could provide a different one.
Keep in mind that this is not the only way one can upload to S3. This is why identifying the bucket name will be useful as it may be helpful in doing keyword searching.
Regarding your comment:
if you are using enCase. This may give you something to look at to see if any artifacts captured what was uploaded.
may i know the list of S3 artifacts Encase support? thanks