performing-cloud-forensics-investigation

Featured

Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Performing Cloud Forensics Investigation

## When to Use

- When investigating a security breach in AWS, Azure, or GCP cloud environments
- For collecting volatile and non-volatile evidence from cloud infrastructure
- When tracing unauthorized access through cloud service API logs
- During incident response requiring preservation of cloud-based evidence
- For analyzing compromised virtual machines, containers, or serverless functions

## Prerequisites

- Administrative access to the cloud account under investigation
- AWS CLI, Azure CLI, or gcloud CLI configured with appropriate permissions
- Understanding of cloud-native logging (CloudTrail, Activity Log, Audit Log)
- Forensic workstation with cloud SDKs installed
- Knowledge of IAM, networking, and compute services in the target cloud
- Evidence preservation procedures for cloud environments

## Workflow

### Step 1: Preserve Cloud Evidence and Establish Scope

```bash
# === AWS Evidence Preservation ===
# Snapshot every EBS volume attached to the compromised EC2 instance before
# any containment action that could alter or destroy volatile state.
INSTANCE_ID="i-0abc123def456789"
VOLUME_IDS=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
  --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
  --output text)

# Tag each snapshot with the case number so evidence can be located and
# access-controlled later; the UTC timestamp documents acquisition time.
for vol in $VOLUME_IDS; do
  aws ec2 create-snapshot --volume-id "$vol" \
    --description "Forensic snapshot - Case 2024-001 - $(date -u)" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Case,Value=2024-001},{Key=Evidence,Value=true}]"
done

# Capture instance metadata
aws ec2...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Integrates with

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-cloud-forensics-with-aws-cloudtrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

conducting-cloud-incident-response

Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.

12,642 Updated today
mukul975
AI & Automation Featured

performing-cloud-storage-forensic-acquisition

Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices.

12,642 Updated today
mukul975
AI & Automation Featured

performing-disk-forensics-investigation

Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.

12,642 Updated today
mukul975
AI & Automation Featured

performing-cloud-log-forensics-with-athena

Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.

12,642 Updated today
mukul975