Why do you need SIFT in EC2? First and foremost, I prefer to do forensic investigations of IaaS cloud assets in the cloud itself. Moving data within the same region of a given service usually costs nothing or close to it (AWS, for example, does not bill transfer between EC2 and S3 in the same region), so I can do my analysis in place and copy out only the data I actually need, saving a lot on bandwidth costs. The other issue is time. Pulling whole disk images out of the cloud takes hours, and that is time I could better spend answering the client's questions. Maybe we can answer "were we hacked" or "what's the damage" without moving data out at all.
We'll cover the steps to performing forensics in the cloud, as well as moving data out of the cloud, in the upcoming Cloud Forensics course.
Some notes on the SIFT:
- The username is ubuntu. This is the standard for Ubuntu-based AMIs and I decided not to change it. You need this username, together with the key pair you selected at launch, to SSH into the machine.
- The VNC password is password. Your security group should not allow VNC (TCP 5900 plus the display number) from the outside at all, so I figured that's not a big deal. Reach the desktop through an SSH port forward instead; VNC's own password authentication is weak whatever password you pick, so the tunnel and the security group are the real controls.
- The desktop is installed but not tested. I built this primarily for command-line use, and the tools I needed work.
- If you find issues, please let me know and I'll work to correct them.
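To make the "SSH forwarding, never direct VNC" point concrete, here is an added shell example that is not part of the original post or the SIFT AMI. It builds the tunnel command for the instance and checks a security-group rule list for VNC ports exposed to the world. The display number (:1), the hostname and the key file name are assumptions, and the rule list is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the SIFT VNC server
# runs on display :1 (TCP 5901), the hostname and key file are placeholders.

# VNC display N listens on TCP 5900+N.
VNC_DISPLAY=1
vnc_port() { echo $((5900 + ${1:-$VNC_DISPLAY})); }

# Print the ssh command that forwards a local port to the instance's VNC port.
# After running it, point a VNC client at localhost:<port>; the VNC traffic
# never leaves the SSH session.
# Usage: vnc_tunnel_cmd <ec2-public-dns> <keyfile> [display]
vnc_tunnel_cmd() {
    host=$1; key=$2; port=$(vnc_port "${3:-$VNC_DISPLAY}")
    echo "ssh -i $key -N -L ${port}:localhost:${port} ubuntu@${host}"
}

# Constructed security-group ingress rules, one per line:
# <proto> <from-port> <to-port> <cidr>   (proto -1 means all traffic, as AWS reports it)
SG_RULES='tcp 22 22 203.0.113.5/32
tcp 5901 5901 0.0.0.0/0
tcp 80 80 10.0.0.0/8'

# Print every rule that opens a VNC port (5900-5999) to 0.0.0.0/0 or ::/0.
# Exit status 0 when nothing is exposed, 1 when at least one rule is.
vnc_exposed_rules() {
    printf '%s\n' "$1" | awk '
        ($1 == "-1" || ($1 == "tcp" && $2 <= 5999 && $3 >= 5900)) &&
        ($4 == "0.0.0.0/0" || $4 == "::/0") { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: show the tunnel command and audit the constructed rules.
vnc_tunnel_cmd ec2-203-0-113-10.compute-1.amazonaws.com sift.pem
if vnc_exposed_rules "$SG_RULES"; then
    echo "OK: no VNC port open to the world"
else
    echo "WARNING: close the VNC rules above and use the SSH tunnel instead"
fi
```

The same check works on real rules if you dump them from `aws ec2 describe-security-groups` into that four-column format; the point is that the only inbound rule the SIFT instance needs is TCP 22 from your own address.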
Look for similar base images to pop up in Azure and Rackspace in the coming months.