Amazon EC2 instance

When you create a new case in AXIOM Process, you can acquire a single EC2 instance with a single S3 bucket. If you want to acquire additional instances, add them as a new evidence source after the original search completes.

AXIOM Process supports acquiring EC2 instances for Amazon Linux and Ubuntu Server SSD volume types.

Amazon does not allow direct downloading from an EC2 instance. To acquire evidence from one, AXIOM Process initiates an export in AWS that copies the EC2 instance and its associated drives to create an image. AWS then exports this image to an S3 bucket.

When acquiring an EC2 instance, you do not need to specify a date range. Date ranges are applicable to directly acquiring S3 buckets only.

Note: There are typically costs associated with transferring data from AWS over the internet to a local machine. When you acquire evidence from AWS, you might be charged a nominal fee per GB of data downloaded based on your storage plan. For more information about specific charges you might incur, please consult the Amazon S3 pricing plans.

Prerequisites for acquiring an EC2 instance

To acquire evidence from an Amazon EC2 instance, there are several prerequisites and limitations you should be aware of. For detailed information about how to prepare for acquiring an EC2 instance, review the Limitations and prerequisites for acquiring an EC2 instance article in the Magnet Forensics Customer Portal.

Step 1: Sign in to an AWS account

To sign in to and acquire an EC2 instance, you must provide authentication details for the AWS account required for your organization's AWS configuration. Depending on your organization's AWS configuration, you might be prompted to provide additional authentication details. You can find these authentication details in the AWS Management Console. For more information about the authentication details required and where to find them, review the Prepare the AWS authentication details for AXIOM article in the Magnet Forensics Customer Portal.

  1. In AXIOM Process, click Evidence sources > Cloud > Acquire evidence.
  2. Confirm that you have proper search authorization.
  3. Click Amazon.
  4. Provide the required authentication details for the AWS account.
  5. Click Sign in.

Step 2: Select services and content

After you gain access to the AWS account, you can specify that you want to acquire an EC2 instance, and then select the EC2 instance that you want to download.

  1. In Select services and content, select the Amazon EC2 instances source type option.
  2. In the Content column, click Edit.
  3. In the Select EC2 instances to download section, search for the EC2 instance or click View all instances.
  4. In the table, select the EC2 instance that you want to download, and then click Next.

Supported data sources by authentication type

The following types of data can be acquired from an Amazon EC2 instance.

Amazon Web Services

| Authentication type | 2FA/MFA support | Data sources |
|---|---|---|
| Security credentials | | AWS EC2 Instance, AWS S3 Files |
| Session credentials | | AWS EC2 Instance, AWS S3 Files |

For a complete list of supported cloud data sources by authentication type, review supported cloud data sources by authentication type.

Step 3: Define export details

To download an EC2 instance, AXIOM Process initiates an export in AWS. This export copies the EC2 instance and all of the drives associated with it to create an image. Next, AWS exports the image to an S3 bucket.

To export an image to an S3 bucket, you must provide some information about the export such as the disk image format and the S3 bucket you want to export the image to. To help organize your evidence in the S3 bucket, you can optionally provide a prefix to add to the name of the image of the EC2 instance. For example, you could add the target's name as the prefix value.

AXIOM Process supports the VHD, VMDK, and RAW disk image formats for images of an EC2 instance.

  1. In the Export description field, provide a description for the exported EC2 instance.
  2. In the Disk image format drop-down, select a format for the image of the exported EC2 instance.
  3. In the S3 bucket field, type the name of the S3 bucket where you want to store the image.
  4. In the S3 prefix field, optionally provide a prefix to add to the name of the image of the EC2 instance.
  5. When you've finished selecting services and content, click Next to continue setting up your case.

Note: Storing an image of an EC2 instance in an S3 bucket might incur monthly costs. After you've successfully acquired the EC2 instance, consider removing the image from the S3 bucket to avoid additional expenses.
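The image-then-export flow described in Step 3, sketched against the AWS API as an added example (not Magnet's code, and not a statement of which calls AXIOM Process makes internally). It assumes a boto3 EC2 client and the EC2 CreateImage and ExportImage operations; the function names and the `acq-` image name prefix are hypothetical.

```python
"""Added example: EC2 instance -> image -> S3 export with a boto3 EC2 client."""

SUPPORTED_FORMATS = {"VHD", "VMDK", "RAW"}  # disk image formats listed on this page


def export_instance_to_s3(ec2, instance_id, bucket, disk_format,
                          description, prefix=""):
    """Image an instance and start exporting that image to an S3 bucket.

    `ec2` is a boto3 EC2 client, e.g. boto3.client("ec2").
    Returns (image_id, export_task_id).
    """
    disk_format = disk_format.upper()
    if disk_format not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported disk image format: {disk_format}")

    # 1. Copy the instance and its attached volumes into an image (AMI).
    #    NoReboot=True (an assumption for this example) keeps the instance
    #    running; file system consistency of the image is then not guaranteed.
    image_id = ec2.create_image(
        InstanceId=instance_id,
        Name=f"acq-{instance_id}",  # hypothetical naming scheme
        Description=description,
        NoReboot=True,
    )["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])

    # 2. Export the image to the bucket. ExportImage relies on the VM
    #    Import/Export service role (default name "vmimport") being able
    #    to write to that bucket.
    location = {"S3Bucket": bucket}
    if prefix:
        location["S3Prefix"] = prefix  # optional, e.g. a case identifier
    task = ec2.export_image(
        ImageId=image_id,
        DiskImageFormat=disk_format,
        S3ExportLocation=location,
        Description=description,
    )
    return image_id, task["ExportImageTaskId"]


def export_status(ec2, task_id):
    """Return the export task's status string, e.g. 'active' or 'completed'."""
    tasks = ec2.describe_export_image_tasks(ExportImageTaskIds=[task_id])
    return tasks["ExportImageTasks"][0]["Status"]
```

Both the intermediate image and the exported object in S3 persist after the export completes, so each needs to be accounted for when cleaning up after the acquisition.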