Automated Incident Response: AWS Lambda Forensic Snapshots, Velociraptor, and Timesketch for Timeline Analysis
DOI: https://doi.org/10.63530/IJCSITR_2022_03_01_015

Keywords: Automated Incident Response, AWS Lambda, Digital Forensics, Velociraptor, Timesketch, YARA, VirusTotal API, Memory Forensics, Serverless Computing, Cloud-Native Security

Abstract
This paper proposes a serverless, automated incident response framework for cloud-native environments. The workflow integrates AWS Lambda for EBS snapshot acquisition, Velociraptor for live memory collection from the affected host, and Timesketch for timeline analysis, and enriches the collected artifacts with YARA signature matching and VirusTotal API lookups. It addresses three shortcomings of traditional forensic practice, namely manual workflows, delayed evidence capture, and fragmented analysis pipelines, with a modular architecture that scales with the environment it protects. By triggering acquisition from cloud-native events and automating the key stages of forensic triage with open-source tools, the framework shortens the time from detection to evidence capture, reduces analyst effort, and improves the accuracy of investigations in elastic infrastructure where the compromised host may disappear before a human responder acts.
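The acquisition stage described above, as an added example that is not code from the paper: an AWS Lambda handler that takes an instance ID from an EventBridge event (a GuardDuty finding, or a plain test event), snapshots every EBS volume attached to that instance, tags each snapshot with a case identifier, and returns a hashed manifest that can be recorded out of band for chain of custody. The `ForensicCase` tag key, the `case_id` event field and the `FakeEC2` stand-in client are assumptions made for this example; boto3 is only required inside the Lambda runtime, and the fake client lets the logic run offline.

```python
"""Added example, not from the paper: Lambda handler for forensic EBS
snapshot acquisition, with a constructed in-memory EC2 client for
offline runs. boto3 is optional here and present in the Lambda runtime."""
import hashlib
import json
from datetime import datetime, timezone

try:
    import boto3  # used only when no client is injected (real Lambda run)
except ImportError:  # pragma: no cover
    boto3 = None

CASE_TAG_KEY = "ForensicCase"  # tag key is an assumption, not the paper's


def instance_id_from_event(event):
    """Pull the instance ID from a plain {"instance_id": ...} test event or
    from a GuardDuty finding delivered via EventBridge, whose shape is
    detail.resource.instanceDetails.instanceId."""
    if "instance_id" in event:
        return event["instance_id"]
    return event["detail"]["resource"]["instanceDetails"]["instanceId"]


def attached_volumes(ec2, instance_id):
    """Return (device_name, volume_id) pairs for every EBS volume attached
    to the instance, using the real DescribeInstances response layout."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    vols = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            for mapping in inst.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                if ebs and "VolumeId" in ebs:
                    vols.append((mapping["DeviceName"], ebs["VolumeId"]))
    return vols


def snapshot_instance(ec2, instance_id, case_id, now=None):
    """Snapshot each attached volume with case tags applied at creation
    time (so an untagged snapshot never exists), then return a manifest
    whose SHA-256 the responder records in the case ticket."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    entries = []
    for device, volume_id in attached_volumes(ec2, instance_id):
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"forensic {case_id} {instance_id} {device} {stamp}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [
                    {"Key": CASE_TAG_KEY, "Value": case_id},
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "SourceVolume", "Value": volume_id},
                    {"Key": "Device", "Value": device},
                ],
            }],
        )
        entries.append({"device": device, "volume_id": volume_id,
                        "snapshot_id": snap["SnapshotId"]})
    manifest = {"case_id": case_id, "instance_id": instance_id,
                "acquired_at": stamp, "snapshots": entries}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["sha256"] = hashlib.sha256(body).hexdigest()  # hash of the above
    return manifest


def lambda_handler(event, context=None, ec2=None):
    """Lambda entry point. The execution role needs ec2:DescribeInstances,
    ec2:CreateSnapshot and ec2:CreateTags. `case_id` in the event is an
    assumed field; the EventBridge event `id` is used as a fallback."""
    ec2 = ec2 or boto3.client("ec2")
    instance_id = instance_id_from_event(event)
    case_id = event.get("case_id") or event.get("id", "unassigned")
    return snapshot_instance(ec2, instance_id, case_id)


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client, offline only."""
    def __init__(self, volumes):
        self.volumes = volumes  # list of (device_name, volume_id)
        self.created = []       # (volume_id, tag_specifications) per call

    def describe_instances(self, InstanceIds):
        mappings = [{"DeviceName": d, "Ebs": {"VolumeId": v}}
                    for d, v in self.volumes]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "BlockDeviceMappings": mappings}]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.created):017d}"
        self.created.append((VolumeId, TagSpecifications))
        return {"SnapshotId": snap_id, "VolumeId": VolumeId}


if __name__ == "__main__":
    fake = FakeEC2([("/dev/xvda", "vol-0aaa"), ("/dev/xvdf", "vol-0bbb")])
    print(json.dumps(lambda_handler({"instance_id": "i-0123", "case_id": "IR-1"},
                                    ec2=fake), indent=2))
```

An EBS snapshot is crash-consistent and captures only the disk; it does not preserve process memory, which is why the paper pairs it with a separate Velociraptor memory collection. Tagging at creation time rather than in a later CreateTags call matters because a Lambda that times out between the two calls would otherwise leave an untagged, unattributable snapshot behind.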
Copyright (c) 2022 Sandhya Guduru (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.