Contains JSON files to build a SIFT Forensics Workstation AWS AMI from an exported Ubuntu Desktop .ova
From Browser: Visit & download: http://releases.ubuntu.com/16.04/ubuntu-16.04.6-desktop-amd64.iso
From VMware Workstation:
- Select create new virtual machine
- Select typical / recommended & next
- Select i will install the operating system later & next
- Select linux as the guest operating system & ubuntu 64 bit as version
- Select name/location/disk size. (unrelated as this will be a AMI )
- Note: my settings: name:ubuntu 64-bit, location: vmware/ubuntu 64-bit, disk size:20gb & next
- Select store virtual disk as single file
- Select finish
- From home menu, highlight the newly created vm ex: ubuntu 64-bit
- Once highlighted, visit the VM menu bar & choose settings from the dropdown (vm → settings)
- Select CD/DVD and select use ISO image file
- Navigate to the ubuntu-16.04.6-desktop-amd64.iso file that was downloaded & open
- Select save & start the operating system
From Terminal:
- as root user
apt update && apt upgrade
wget https://github.com/teamdfir/sift-cli/releases/download/v1.8.5/sift-cli-linux
wget https://github.com/teamdfir/sift-cli/releases/download/v1.8.5/sift-cli-linux.sha256.asc
From Terminal:
- as root user
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 22598A94
gpg --verify sift-cli-linux.sha256.asc
shasum -a 256 -c sift-cli-linux.sha256.asc
From Terminal:
- as root user
mv sift-cli-linux /usr/local/bin/sift
chmod 755 /usr/local/bin/sift
cd /usr/local/bin
From Terminal:
- as root user
sift install
From Terminal:
- as root user
apt update
apt install openssh-server
ufw allow 22
service ufw start
- [exit terminal and power off machine]
From VMware Workstation:
- File → export to OVF
- Save file as .ova | ex: Ubuntu 64-bit.ova
From AWS Console:
- Navigate to IAM resource
- Select users from left hand side bar
- Select add user
- Supply username & check programmatic access type
- Add user to new or existing group with AdministratorAccess policy attached
- Select Create User
- Important: Download .csv file [this contains AWS creds]
From Terminal:
aws configure
(Add AWS Access Key ID from the downloaded IAM user .csv file)
(Add AWS Secret Access Key from the downloaded IAM user .csv file)
(Add a default region name. Ex: us-east-2(ohio) )
From AWS Console:
- Select the S3 resource
- Select Create Bucket and supply name & region
- Ex: us-east-2(ohio)
From Terminal:
- run as root
mkdir sift-ami
cd sift-ami
touch trust-policy.json
vim trust-policy.json
- NOTE: This IAM role allows access to the file in the S3 bucket created in step 2
From Terminal / AWS CLI:
cd sift-ami
aws iam create-role --role-name vmimport --assume-role-policy-document file://sift-ami/trust-policy.json
From Terminal:
cd sift-ami
vim role-policy.json file
From Terminal / AWS CLI:
cd sift-ami
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://sift-ami/role-policy.json
From Terminal / AWS CLI:
aws s3 cp capstone-sift-workstation-ami.ova s3://capstone-sift-workstation-ami/
From Terminal:
vim containers.json
From Terminal / AWS CLI:
aws ec2 import-image --description "SIFT AMI" --disk-containers file://sift-ami/containers.json
The EC2 resource AMI section within the selected region contains the new SIFT AMI. This is what will be used to automatically build SIFT EC2’s in the incident response Python scripts.