Understanding the Incident: When an EC2 instance communicates with a suspicious port, it is crucial to analyze network traffic to understand the patterns of the security breach [1].

Log Sources for Forensic Investigation: AWS provides several log sources that can be used for forensic investigations, including AWS CloudTrail, AWS Config, VPC Flow Logs, and host-level logs [1].

Amazon VPC Flow Logs: These logs capture information about the IP traffic going to and from network interfaces in a Virtual Private Cloud (VPC). They are particularly useful for understanding network-level interactions, which is essential in this case [1].

Evidentiary Value: VPC Flow Logs can provide data with evidentiary value, showing the source, destination, and protocol used in the network traffic, which can help investigators identify patterns related to the security breach [1].

Other Log Sources: While Amazon CloudTrail and Amazon CloudWatch provide valuable information on user activities and metrics, respectively, they do not offer the detailed network traffic insights needed for this specific forensic investigation [1].
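As an added worked example (not part of the original explanation or the referenced guide), the Python below parses VPC Flow Log records in the default version 2 format and summarizes the flows that touch a port under investigation, showing the source, destination, protocol, action and time window an investigator would pull from the logs. The sample records, the account ID, the ENI ID, the IP addresses and the port 9999 are constructed placeholders, and the field order is the documented default format.

```python
"""Parse Amazon VPC Flow Log records (default format, version 2) and
summarize the flows that touch a port under investigation.

All sample records, the account ID, the interface ID, the IP addresses and
the port 9999 below are constructed placeholders for this example.
"""
from dataclasses import dataclass

# Field order of the default VPC Flow Log format (version 2), space separated.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# IANA protocol numbers as they appear in the 'protocol' field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: an instance (10.0.1.25) talking to an external host on
# port 9999, ordinary HTTPS traffic, a rejected inbound probe, and a NODATA record.
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 198.51.100.77 49812 9999 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 198.51.100.77 49813 9999 6 8 1200 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.25 9999 49812 6 10 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.1.40 53421 443 6 30 6000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.25 40000 9999 6 1 60 1700000100 1700000160 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000120 1700000180 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int      # aggregation window start, Unix seconds
    end: int        # aggregation window end, Unix seconds
    action: str     # ACCEPT or REJECT


def parse_record(line):
    """Parse one default-format line. Returns None for NODATA/SKIPDATA records,
    whose address and port fields are '-' and carry no traffic evidence."""
    fields = line.split()
    if len(fields) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(fields)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, fields))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), bytes=int(rec["bytes"]),
        start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def flows_touching_port(lines, port):
    """Return every record in which either endpoint used `port`. Both directions
    are kept: the instance's outbound connection and the remote side's replies
    appear as separate records in the flow log."""
    records = (parse_record(line) for line in lines)
    return [r for r in records if r is not None and port in (r.srcport, r.dstport)]


def summarize(records):
    """Aggregate records by (src, dst, protocol, dstport, action) into flow
    count, packets, bytes and the overall time window covered."""
    summary = {}
    for r in records:
        proto = PROTOCOL_NAMES.get(r.protocol, str(r.protocol))
        key = (r.srcaddr, r.dstaddr, proto, r.dstport, r.action)
        entry = summary.setdefault(
            key, {"flows": 0, "packets": 0, "bytes": 0, "first": r.start, "last": r.end})
        entry["flows"] += 1
        entry["packets"] += r.packets
        entry["bytes"] += r.bytes
        entry["first"] = min(entry["first"], r.start)
        entry["last"] = max(entry["last"], r.end)
    return summary


if __name__ == "__main__":
    for (src, dst, proto, dport, action), e in summarize(flows_touching_port(SAMPLE_RECORDS, 9999)).items():
        print(f"{src:>15} -> {dst:<15} {proto}/{dport:<5} {action:6} "
              f"flows={e['flows']} pkts={e['packets']} bytes={e['bytes']} "
              f"window={e['first']}..{e['last']}")
```

Running the block lists three aggregated flows for port 9999: the instance's two accepted outbound connections to 198.51.100.77, the replies from that host, and one rejected inbound probe from 203.0.113.9. The HTTPS traffic to 10.0.1.40 is left out because neither endpoint used the port, and the NODATA record is dropped during parsing. In a real investigation the lines would come from the CloudWatch Logs or S3 destination configured for the flow log, and the `start`/`end` values are the bounds of the aggregation interval, not individual packet timestamps, so they are only as precise as the configured interval allows.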
Reference:
[1] AWS Security Incident Response Guide, section on Forensics on AWS.