
Daily Blog #713: Developing an AWS Examination Tool Part 4

Hello Reader,

Development continues! What did we do today? Well, here is the automated commit message the model wrote for me:

Enhance AWS Enumerator Tool with Lambda and Gateway Resource Support

- Added functionality to enumerate and display AWS Lambda functions, including details such as runtime, memory, timeout, and VPC configuration.
- Implemented scanning for Internet and NAT Gateways, capturing their state, type, and associated VPCs.
- Introduced a new Network Security tab in the GUI for analyzing security configurations across accounts, including security groups and network ACLs.
- Updated README.md to reflect new features and permissions required for Lambda and Gateway resource access.
- Improved error handling and progress tracking during resource scans.

This commit significantly enhances the AWS Enumerator Tool's capabilities for managing and analyzing AWS resources.


Tomorrow is the Forensic Lunch, so make sure to tune in!

Daily Blog #712: Developing an AWS Examination Tool Part 3

Hello Reader,

Today, I went down a rabbit hole of prompting and ended up adding a ton of new features to our application. Here’s what the latest version now includes:

New Features:

  • AWS Organization Scanning: Detects other AWS accounts in the organization of the accessed account.
  • Cross-Account Role Assumption: Verifies if the account key can assume the AWS Organizations role to enumerate other accounts.
  • Parallel Region Scanning: Uses multiprocessing to scan all regions simultaneously for every accessible account.
  • CloudTrail Logs: Identifies CloudTrail logs in each account and displays their locations in a dedicated GUI tab. Also checks if they are only stored by AWS (default storage).
  • VPC Flow Logs: Lists VPC Flow logs in a separate GUI tab, showing where they are stored.
  • EC2 Metadata: Adds detailed metadata for EC2 instances, snapshots, and EBS volumes.
  • CloudWatch Log Groups: Provides support for CloudWatch Log groups.
  • Lightsail Instances: Adds enumeration support for Lightsail instances.

A Different Approach:

Rather than listing the many individual prompts I used to add these features (and the iterative process of fixing errors), I decided to take a new approach. I asked the model to create a single prompt that could recreate the current state of this program. Here's what it generated:


Generated Prompt

Create a Python-based GUI application for enumerating AWS resources across multiple accounts and regions. The application should have the following specifications:

Core Requirements:

  1. GUI Framework:

    • Use PySide6 for the interface.
    • Include a tabbed layout for different resource types.
    • Show real-time progress with progress bars.
    • Provide a resource tree view for navigation.
    • Include a log window for status messages.
  2. AWS Integration:

    • Support both AWS profile and direct API key authentication.
    • Enable AWS Organizations support for multi-account scanning.
    • Implement cross-account role assumption.
    • Use boto3 with retry logic and error handling.
    • Support parallel processing of regions.
  3. Resource Types to Enumerate:

    • EC2 Resources:
      • Instances (metadata: type, IPs, key name, platform).
      • Volumes (size, type, encryption, IOPS).
      • Snapshots (size, source, encryption).
      • Security groups.
    • Storage:
      • S3 buckets (with region mapping).
      • EBS volumes (with attachments).
    • Database:
      • RDS instances.
      • Lightsail databases.
    • Logging & Monitoring:
      • CloudTrail configurations.
      • CloudWatch Log Groups.
      • VPC Flow Logs.
      • Organization-wide logging detection.
  4. Data Export:

    • Support for exporting in Excel, JSON, or text format.
    • Include metadata and a hierarchical structure in the export.
    • Use the AWS Account ID and timestamp as the default filename for uniqueness.
  5. Progress Tracking:

    • Display overall, per-account, and region-specific progress.
    • Show status messages for operations.

Technical Specifications:

  1. Multiprocessing:

    • Use Python’s multiprocessing to handle parallel region scanning.
    • Implement proper process cleanup and progress communication.
  2. Error Handling:

    • Implement exponential backoff for API calls.
    • Handle permission issues gracefully.
    • Display clear error messages in the GUI.
  3. Security:

    • Ensure secure credential handling.
    • Support AWS profiles and direct API key input.
    • Implement minimum required permissions.
  4. GUI Features:

    • Tab-based views for resource types (EC2, storage, database, logging).
    • Progress dialogs with multiple progress bars.
    • Resource tree view for navigation.
    • Color-coded status indicators.
  5. Dependencies:

    • boto3/botocore: AWS SDK.
    • PySide6: GUI framework.
    • pandas: Data handling.
    • openpyxl: Excel export.
  6. File Structure:

    • aws_enumerator.py: Main application.
    • requirements.txt: Dependency list.
    • README.md: Project documentation.
    • License file.
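The CloudTrail check named in the feature list above ("only stored by AWS") and in the generated prompt's Logging & Monitoring section comes down to one question per region: is any trail actively delivering events somewhere an examiner can collect them, or does the account have nothing beyond the 90-day Event History that AWS keeps by default? The following is an added example, not the AWSExaminer project's code: it classifies describe_trails() and get_trail_status() output using the real response field names, while the injected session object and the sample responses are assumptions constructed for illustration.

```python
# Added example, not the AWSExaminer project's code; the session object and sample data are assumed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class TrailSummary:
    account_id: str
    name: str
    home_region: str
    multi_region: bool
    org_trail: bool
    s3_bucket: str | None
    cw_log_group: str | None
    logging: bool

    def covers(self, region: str) -> bool:
        """An active trail records a region if it is multi-region or homed there."""
        return self.logging and (self.multi_region or self.home_region == region)

def summarize_trails(account_id: str, trail_list: list[dict],
                     status_by_arn: dict[str, bool]) -> list[TrailSummary]:
    """Map raw describe_trails() entries plus IsLogging from get_trail_status()."""
    return [TrailSummary(account_id, t["Name"], t["HomeRegion"],
                         t.get("IsMultiRegionTrail", False), t.get("IsOrganizationTrail", False),
                         t.get("S3BucketName"), t.get("CloudWatchLogsLogGroupArn"),
                         status_by_arn.get(t["TrailARN"], False)) for t in trail_list]

def coverage_report(region: str, trails: list[TrailSummary]) -> dict:
    """Which trails cover this region and where they deliver; only_event_history
    means nothing beyond the 90-day Event History AWS keeps by default exists."""
    active = [t for t in trails if t.covers(region)]
    dests = sorted({d for t in active for d in (t.s3_bucket, t.cw_log_group) if d})
    return {
        "region": region,
        "covered_by": [t.name for t in active],
        "destinations": dests,
        # An org trail is owned by the management account; a member cannot alter it.
        "org_trail_only": bool(active) and all(t.org_trail for t in active),
        "only_event_history": not active,
    }

def fetch_trails(session, region: str) -> tuple[list[dict], dict[str, bool]]:
    """Pull both responses with a boto3 session (base or AssumeRole-derived);
    the session is injected so this module imports without boto3 installed."""
    ct = session.client("cloudtrail", region_name=region)
    trail_list = ct.describe_trails(includeShadowTrails=True)["trailList"]
    return trail_list, {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"]
                        for t in trail_list}

# Constructed sample: an active multi-region org trail plus a stopped single-region trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": True, "S3BucketName": "example-org-cloudtrail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
    {"Name": "legacy-west", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:222222222222:log-group:legacy:*",
     "TrailARN": "arn:aws:cloudtrail:us-west-2:222222222222:trail/legacy-west"},
]
SAMPLE_STATUS = {SAMPLE_TRAILS[0]["TrailARN"]: True, SAMPLE_TRAILS[1]["TrailARN"]: False}

if __name__ == "__main__":
    for region in ("us-east-1", "us-west-2"):
        print(coverage_report(region, summarize_trails("222222222222", SAMPLE_TRAILS, SAMPLE_STATUS)))
```

Run fetch_trails() once per region with each account's session (the base profile or one built from the AssumeRole credentials) and feed the result to summarize_trails(); a region whose report says only_event_history is the one to flag in the GUI, since those 90 days cannot be pulled as trail files.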

Progress So Far:

The best part? I still haven't written a single line of code myself! The application now has a polished interface and works as described. I've also updated the README file and requirements.txt, so everything is ready for you to try.

You can check out the latest version and give it a spin here:
AWSExaminer GitHub Repository

Stay tuned for more updates as we continue building!



Daily Blog #711: Developing an AWS Examination Tool Part 2

Hello Reader,

Today, we're making progress on our feature wishlist by tackling several key enhancements:

  1. Selecting Credentials: Currently, it defaults to my AWS profile for FOR509.
  2. Adding Support for Global Views.
  3. Exporting Inventory.

Step 1: Selecting Credentials

We began by addressing the first feature with the following prompt:

"Prior to enumerating the AWS account, provide a GUI pop-up that asks how the user wants to authenticate to AWS. Options should include:

  1. Profile in the creds file
  2. An API key provided by the user

If the user selects a profile, they should see a dropdown of available profiles in the creds file to choose from. If they opt to provide an API key, the system should offer a checkbox to store the key with the collection for easy reuse."

This resulted in an error when I ran the Python code. You might think, "Aha! Your lazy adventure ends here—time to fix the code yourself!" But not so fast, dear reader. Instead, I highlighted the error and prompted:

"I got this error."

After resolving two more errors using the same prompt, the model managed to fix itself, and I got the GUI functionality I wanted. Now I can either provide a key or choose from any profiles already stored within the AWS CLI.

Step 2: Progress Bars

Next, I wanted to add a progress bar to keep users informed during the enumeration process. Here's how I tackled it:

  1. First Prompt:

    "Add a GUI progress window that updates as the account is enumerated so the user knows what is happening."

    This worked, but I wanted more. Since enumerating each region can take time, I added a secondary prompt:

  2. Second Prompt:

    "Add a second progress bar for each region, showing what is being enumerated."

This introduced a new issue—the progress window popped up but displayed no updates. I informed the model:

"The progress window popped up, but there were no updates displayed."

The model refactored the code to enable real-time GUI updates while enumeration was running. Voilà! A neat dual-progress bar system was now functional.

Step 3: Region Resource Count

To enhance the user experience further, I requested:

"Add a number next to each listed region summarizing how many resources were found in that region."

This worked beautifully, providing a clear overview of resource counts per region.

Step 4: Exporting Inventory

For the final item on today's list, I wrote a more detailed prompt:

"Create a toolbar option called 'Export.' When selected, it should open a dialog asking the user to save the output in one of three formats: text (as displayed), JSON, or XLSX. After selecting the format, present a window to choose a save location and filename. The default filename should include the AWS Account ID and the current timestamp, keeping it unique with the chosen extension. Then export all regions' data to the selected file."

This feature worked on the very first attempt! The code automatically added the pandas and openpyxl packages to support Excel output.

Step 5: Finishing Touches

To wrap things up, I asked the model to create essential project files:

  1. Requirements File:

    "Create a requirements.txt file with all the necessary packages."

  2. GitHub README:

    "Create a README file in Markdown syntax that describes the project, how to install it, how to execute it, and includes an Apache 2 license."

Finally, I pushed the project to its new repository using Cursor for direct linking. You can explore it here: AWSExaminer GitHub Repository.


Conclusion

This project is shaping up into a useful tool for my AWS cases. The best part? I haven't had to write a single line of code or look up all the APIs I'm using. Rest assured, I'll be testing thoroughly to catch any quirks the AI might have introduced.

Stay tuned for tomorrow’s update, where we’ll add even more features!


Daily Blog #710: Developing an AWS Examination Tool Part 1

Hello Reader,

I've been really enjoying creating forensic tools with Cursor (an AI-extended version of Visual Studio Code). While I'm not ready to show my main pet project, an open source clone of FTK Imager, I thought it would be fun to start a series on building a smaller tool with a much better-known API. I've found that the better known the API is, and the more example code the model has ingested, the better the results are. That's not to say that lesser-known APIs won't work well (I have it working with dfvfs), but it does take more work to get the model to find the right examples to work from.


For this example I've installed Cursor and given it a small series of prompts:

"We are going to create a tool to assist forensic examiners and incident responders with investigating AWS accounts. You will create a tool that, when provided with AWS credentials, will enumerate all of the regions and the resources within them. The code should be written in Python."

This created the first part of the script.

The next prompt:

"Add on a Qt GUI written in PySide6. The top left pane should be a list of regions, and when one is selected it displays the resources within it in the top right pane. The bottom pane should be a log of actions taken. There should be a region labeled ALL that allows all regions to be selected and displayed at once."

And now I have a working tool that is enumerating some AWS resources:

You can view the code here: https://github.com/dlcowen/AWSEnumerator

In the next series of posts I'm going to extend the functionality:

  1. Selecting which credentials to use; this currently defaults to my AWS profile for FOR509
  2. Including more AWS services
  3. Adding support for global views
  4. Exporting the inventory
  5. Extracting CloudWatch logs
  6. Extracting CloudTrail logs
  7. Exporting snapshots
  8. Creating snapshots
  9. Exporting Lambda functions
  10. Enumerating organizations
  11. Exporting VPC flow logs

Daily Blog #709: Sunday Funday 1/5/25 Entra ID and BloodHound

Hello Reader,

Welcome back to Sunday Funday! This week we are going straight into topics I see as current research blind spots. We are going to be focusing on Entra ID (aka Azure AD) and what evidence you can find when people run tools like BloodHound/SharpHound. I look forward to your thorough responses as we work as a community to overcome this lack of knowledge.


The Prize:

$100 Amazon Gift Card
An appearance on the following week's Forensic Lunch!

The Rules:

  1. You must post your answer before Friday 1/10/25 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:

What evidence is left behind in Azure when an attacker runs BloodHound or any derivative like SharpHound? You should document at least two scenarios:
1. Default logging
2. Turning on any optional logging you want to test

Your response can be a link to your own blog, an email, a document, etc. Bonus points if you point out specific indicators that can be searched for or alerted on.

Daily Blog #708: Zeltser Challenge Spotlight - Oleg Skulkin

Hello Reader,

Several other people have joined the Zeltser challenge with me and it's been great reading what they've been putting out. I thought it would be great today to spotlight one of them, Oleg Skulkin.

I've been following Oleg's work for many years now and have always enjoyed what he's written in the past, so it wasn't a surprise when I found his new blog Know Your Adversary to be just as good. In just the first four posts of the year Oleg has already put out some great posts and shared some valuable insights. If you've been reading my blog for a long time (817 posts in total as of this blog) then you should check out Oleg's as well. 


I'll be tracking and highlighting other challenge participants through the year! 


Speaking of challenges, tomorrow is Sunday! The Sunday Funday Challenge returns and I look forward to seeing what you all can do!

Daily Blog #707: Surviving the Breach Podcast

Hello Reader,

So today is podcast day, but I'm not going to post an episode. Instead, I'm going to tell you how the podcasts will proceed going forward.


Podcasts:

1. Forensic Lunch - The overly technical, fully nerdy and all around good for you show that dives deep into the latest and greatest tools, research and techniques is coming back.

2. The Test Kitchen - The long form test videos will alternate with the lunch. The test kitchen is coming to the cloud and other places as we look to expand our knowledge where no forensicator has fully documented before. 

3. Surviving The Breach - Once a month Erik Harssema and I will keep things at a higher level. Surviving the Breach is a podcast devoted to helping business leaders deal with everything that comes after the technical investigation is done. From materiality and privilege issues to auditors and boards, we are going to talk through all the things you (or your boss) need to know when the worst has come to pass.


I'm excited about all three of these podcasts, as they will give me some variety in topics, but I'm most excited to try my hand at speaking outside the church of DFIR and seeing if we can reach the ears of the non-technical. I've found that it's very easy for all of us to agree on technical facts, but getting those who control budgets and make decisions to be informed could possibly do the most good for those around them.


The first episode will be published 1/13/25 and will be a discussion on determining whether or not a breach is material for publicly traded companies.

Daily Blog #706: Using AI to help create better test evidence

Hello Reader,

Two AI-related posts in a row might seem like a lot, but I’ve been incorporating AI into my research for the past couple of years, so it naturally comes up in my work. While I’m not quite ready to share what I’ve been doing recently with Cursor, an AI IDE, I do want to showcase how I’ve used AI to create better datasets for forensic testing.

Creating engaging datasets for others to learn from can be a challenge, particularly when it comes to adding interesting elements for people to discover. In the past, I relied on downloading random free ebooks or generating large files with random data. However, I wondered if AI could improve this process. So, I tried this prompt:

“Create a PowerShell script that will generate a series of files with names related to AI technologies and themed around projects called ‘AI Tacos’ and ‘AI Burritos.’ The script should create 100 files with random data to vary their sizes. The files should use popular extensions and avoid numbers in the names. Instead, include at least 30 unique terms commonly used in research and development.”

The AI-generated script worked perfectly. When executed, it created 100 files in my specified directory, each with randomized content and varied file extensions. The result, as shown in the screenshot below, added depth and realism to my sample datasets.

This kind of themed, random data is incredibly useful for making datasets feel more authentic. For example, I can create a new virtual hard drive (VHD), populate it with these files, and then focus on generating interactions that leave digital artifacts for forensic analysis.

If you’re looking to populate other types of content, AI can help there too. For instance, this prompt:

“Write 5 text messages between two friends named David Cowen and Matthew Seyer discussing what kind of tacos to have for lunch.”

produced the following conversation:

David Cowen: Hey Matt, I'm thinking tacos for lunch today. You up for it?
Matthew Seyer: Absolutely, dude! I could eat tacos every day. Any idea what kind?
David Cowen: I'm torn between fish tacos and something spicy, like chipotle chicken. What do you think?
Matthew Seyer: Fish tacos would be great, but I’m kind of craving some good old barbacoa. How about we do both?
David Cowen: Perfect idea! Let’s split an order of each so we can try everything. I’ll meet you in 20.

I even took it a step further and used AI to craft detailed fictional personas. For example, I used this prompt:

“Create a background story for a fictional employee at a company called TacoCorp who has worked there for 10 years as an IT administrator. This person has been recruited by BurritoTown to steal secrets from TacoCorp. Provide motivations, names, and profiles for their boss, coworker, new boss at BurritoTown, and best friend who’s a local police officer. Include a CV, LinkedIn bio, and 10 social media posts detailing their life.”

The AI generated a detailed persona, including:

  • Name: Oliver Delgado
  • Email: [email protected]
  • Social Media Handle: @OllieTacoTech

Motivations for Betrayal:
Oliver felt undervalued and underpaid after a decade at TacoCorp. Financial pressure and resentment toward his boss pushed him to accept BurritoTown’s lucrative offer to steal TacoCorp’s secrets.

Supporting Characters:

  • Franklin Hoyt, a strict and demanding boss at TacoCorp.
  • Samantha Mills, a friendly coworker unaware of Oliver’s frustrations.
  • Grace Li, the ambitious new boss at BurritoTown.
  • Daniel Morales, Oliver’s loyal best friend and a local detective.

The AI even provided Oliver’s CV, LinkedIn bio, social media posts, and a detailed headshot description for his persona.

A hyper-realistic, professional LinkedIn headshot of a mid-30s Hispanic male named Oliver Delgado. He has short, neatly trimmed dark hair and a well-groomed beard. He is wearing a crisp light-blue button-down shirt with a subtle pattern, no tie, and has a natural, confident smile. The background is a softly blurred, neutral-toned studio setting, with professional, natural lighting highlighting his face. The framing is from the chest up, with an impeccable shallow depth of field that brings his facial features into sharp focus. The image appears indistinguishable from a high-quality photograph taken by a professional photographer, suitable for a LinkedIn profile.

This ability to quickly generate characters, scenarios, and realistic data allows me to focus on ensuring the technical accuracy of my work. AI tools are invaluable for filling in creative gaps and enhancing the realism of forensic datasets. Don’t underestimate how much they can help!