I'm trying to figure out the best way to acquire a remote image from an EC2 instance.

Here is how I took / am trying to take an image of an EC2 EBS drive:

  1. Using EnCase Remote Recovery (trial for 14 days):
     1.a: On Windows, I connected via Remote Desktop, copied the servlet and started it (it is basically there to allow the client on the local machine to connect). Now I can use the client on my local machine to explore and acquire an image of the EC2 instance. This one worked.
     1.b: On Linux, I tried the same thing. However, the servlet is not working for some reason.

  2. FTK Lite (this version does not require installation):
     2.a: On Windows, I connected via Remote Desktop while sharing one of my local disks where FTK Lite resides. On the remote machine I navigate to my local disk, run FTK Lite and start the acquisition. Since I'm sharing my local disk, I can instruct FTK Lite to store the image on it. However, at around 10%, FTK Lite stops sending any data. I don't know if it's a problem with FTK itself or Remote Desktop.
     2.b: I don't know how to do the same thing on Linux.

  3. I'll try the snapshot feature of EC2.

What do you think about these methods? How can I use FTK Lite on a Linux instance (I need the image to be stored on a different instance or my local machine)? Do you know any other method to acquire an image from an EC2 instance?

Thank you.

1 Answer

An EC2 system relies upon Elastic Block Storage (EBS). You can then take an EBS snapshot of the system and download this image.

You now have a full disk image locally, and you could run the instance within a VM, or whatever.

  • You cannot download snapshots from S3. Snapshots are stored in S3 but not in a location that you can access. Commented Dec 10, 2017 at 2:37
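
One way to follow the snapshot route while working with the comment's point that a snapshot cannot be downloaded directly, as an added example that is not part of the original thread: the snapshot is turned into a new volume, attached to a separate forensic instance, and imaged from there with a hash check. The function names, volume and instance IDs, host name and device names are assumptions; the AWS CLI is assumed to be installed and configured.

```shell
# Added example, not from the thread. IDs, host and device names are placeholders.

# Snapshot the evidence volume, turn the snapshot into a new volume and attach
# it to a separate forensic instance. Prints the new volume ID.
# Args: <evidence-volume-id> <forensic-instance-id> <availability-zone> <device>
snapshot_to_volume() (
  src_vol=$1; forensic_id=$2; az=$3; dev=$4
  snap=$(aws ec2 create-snapshot --volume-id "$src_vol" \
           --description "forensic acquisition of $src_vol" \
           --query SnapshotId --output text) || exit 1
  aws ec2 wait snapshot-completed --snapshot-ids "$snap" || exit 1
  # The volume must be created in the forensic instance's availability zone.
  vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
          --query VolumeId --output text) || exit 1
  aws ec2 wait volume-available --volume-ids "$vol" || exit 1
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$forensic_id" \
      --device "$dev" >/dev/null || exit 1
  echo "$vol"
)

# Store the raw image arriving on stdin and check it against a SHA-256 taken
# on the source side. Prints the hash on success, fails on mismatch.
# Args: <output-file> <expected-sha256>
save_and_verify() (
  out=$1; expected=$2
  actual=$(tee "$out" | sha256sum | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch: got $actual, expected $expected" >&2
    exit 1
  fi
  echo "$actual"
)

# Typical use from the analyst's machine (placeholders throughout):
#   snapshot_to_volume vol-EVIDENCE i-FORENSIC us-east-1a /dev/sdf
#   h=$(ssh analyst@forensic-host 'sudo sha256sum /dev/xvdf' | cut -d' ' -f1)
#   ssh analyst@forensic-host 'sudo dd if=/dev/xvdf bs=4M' \
#     | save_and_verify evidence.dd "$h"
```

The attached copy is read as a raw block device and never mounted, so the original instance and its volume are left untouched during imaging.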