Vishal Thakur
3 min read, Jul 19, 2022


DFIR QuickStart

Install AWS CLI

Installation details for all three operating systems (Linux, macOS and Windows) are in the AWS CLI installation documentation.

This should get you started on a Mac (the package is the official AWS CLI v2 installer for macOS):

$ curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
$ sudo installer -pkg AWSCLIV2.pkg -target /

Once it is installed, run these commands to verify the installation:

$ which aws
/usr/local/bin/aws
$ aws --version
aws-cli/2.4.5 Python/3.8.8 Darwin/18.7.0 botocore/2.4.5

If you get output like the above (your version numbers will differ), the AWS CLI is installed and ready to go.

Configure AWS CLI

Next, configure the AWS CLI with your access key pair, default Region and output format. aws configure prompts for each value in turn (the keys below are the placeholder examples from the AWS documentation, not real credentials). The keys are written to ~/.aws/credentials in plain text, so treat that file like a password.

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

The full list of Regions is in the AWS documentation on Regions and endpoints.

Run a quick check on your identity with this command; it returns the account ID, user ID and ARN the CLI is currently acting as:

$ aws sts get-caller-identity

Working with S3 buckets

Syntax: aws s3 <Command> [<Arg> …]

Use this simple command to list out all the S3 buckets you have access to:

$ aws s3 ls

You can use these basic commands on S3 buckets and objects:

  • cp — copy
  • mv — move
  • rm — remove

By default each acts on a single object. To apply one to every object under a bucket or prefix, add the --recursive flag, for example to pull a whole bucket into a local folder:

aws s3 cp s3://s3-bucket-name/ LocalFolder --recursive

On an engagement, stick to ls and cp: mv and rm change the client's bucket, which is the evidence source.
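The collection step above, carried a little further: an added shell example (not code from the original post) that copies a prefix recursively into a local evidence folder and then records a SHA-256 manifest of what was collected, so the copy can be re-verified before it is analysed or handed on. The bucket, prefix and folder names in the usage lines are placeholders, and the copy itself needs credentials for the client account.

```shell
#!/bin/sh
# Added example, not code from the original post: pull everything under an S3
# prefix into a local evidence folder with "aws s3 cp --recursive", then write a
# SHA-256 manifest of what was collected so it can be re-verified later.
# Bucket, prefix and folder names in the usage lines are placeholders.

set -u

# Copy s3://<bucket>/<prefix> recursively into <dest>. Only cp is used: mv and rm
# would change the client's bucket, which is the evidence source.
collect_prefix() {
  bucket=$1; prefix=$2; dest=$3
  mkdir -p "$dest"
  aws s3 cp "s3://$bucket/$prefix" "$dest" --recursive
}

# Pick the SHA-256 tool: sha256sum on Linux, shasum -a 256 on macOS.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Write "<sha256>  <relative path>" for every file under $1 to $2, sorted by path
# (LC_ALL=C makes the order the same on every machine, so manifests can be diffed).
hash_tree() {
  dir=$1; out=$2; hasher=$(sha256_cmd)
  ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      $hasher "$f"
    done ) > "$out"
}

# Number of files recorded in a manifest.
manifest_count() {
  wc -l < "$1" | tr -d ' \t'
}

# Re-check a collected tree against its manifest. Returns non-zero if any file
# changed or disappeared, i.e. the copy is no longer the one that was hashed.
verify_tree() {
  dir=$1; manifest=$2; hasher=$(sha256_cmd)
  # absolute path to the manifest, because the check runs from inside $dir
  abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
  ( cd "$dir" && $hasher -c "$abs" >/dev/null 2>&1 )
}

# Usage, with credentials for the client account loaded:
#   collect_prefix incident-bucket logs/2022-07/ ./evidence/incident-bucket
#   hash_tree ./evidence/incident-bucket ./evidence/incident-bucket.sha256
#   verify_tree ./evidence/incident-bucket ./evidence/incident-bucket.sha256 && echo intact
```

Hash immediately after the copy and keep the manifest with the case notes; a later verify_tree that fails tells you the working copy has drifted from what was collected.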

The full list of s3 commands is in the AWS CLI command reference.

Assuming Roles

When working on an incident, it is common for a client to create an IAM role for your organisation that can be used to conduct forensics on their AWS infrastructure. To use that role, you need to ‘assume’ it first.

In short, assume-role returns a set of temporary security credentials (an access key, a secret key and a session token) that let you access AWS resources you would not normally have access to.

The client will provide you with the information required to assume the role, principally the role ARN.

Use this command to assume the role that has been created for you. 123456789012 stands for the client's 12-digit account ID; the session name is free text, but it is recorded in the client's CloudTrail logs, so choose one that identifies you:

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/RoleName" --role-session-name GiveItAnyName-session

The output of the command contains an access key, secret key and session token that you can use to authenticate to AWS, plus the time at which they expire:

{
    "Credentials": {
        "AccessKeyId": "Some String",
        "SecretAccessKey": "Longer String",
        "SessionToken": "A very long string...",
        "Expiration": "Some date+time"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "Some String",
        "Arn": "arn:aws:sts::ARN-number and role etc."
    }
}

Once you have the above information, you need to run these commands:

export AWS_ACCESS_KEY_ID="Some String"
export AWS_SECRET_ACCESS_KEY="Longer String"
export AWS_SESSION_TOKEN="A very long string..."

Verify that you have assumed the role by running this command:

$ aws sts get-caller-identity

Once done, unset the three environment variables and verify that the assumed role has been ‘unassumed’, i.e. that get-caller-identity shows your own identity again:

$ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
$ aws sts get-caller-identity
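The assume, export, verify and unset steps above as one set of shell helpers. This is an added example, not code from the original post: it uses --query/--output text to pull the four credential fields out of the assume-role response on a single line instead of copying them by hand, refuses to load a response with no session token, and drops back to the base identity on request. The role ARN, account ID and session name in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: assume a client-provided role,
# load the temporary credentials into the variables the CLI reads, check who you
# are, and drop back to your own identity. The role ARN and session name in the
# usage lines are placeholders.

set -u

# Ask STS for the role's temporary credentials and print them as one
# tab-separated line: AccessKeyId  SecretAccessKey  SessionToken  Expiration.
# --query/--output text avoids hand-copying values out of the JSON. The session
# name is recorded in the client's CloudTrail, so make it identify the analyst
# and the case. --duration-seconds defaults to one hour and is capped by the
# role's maximum session duration.
assume_role_line() {
  role_arn=$1; session=$2; duration=${3:-3600}
  aws sts assume-role --role-arn "$role_arn" --role-session-name "$session" \
    --duration-seconds "$duration" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text
}

# Load a credentials line into the environment. Key id, secret and session token
# must be set together; the token is what marks the credentials as temporary.
load_creds() {
  tab=$(printf '\t')
  IFS="$tab" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDS_EXPIRE <<EOF
$1
EOF
  if [ -z "$AWS_SESSION_TOKEN" ]; then
    echo "load_creds: no session token in input (did assume-role fail?)" >&2
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDS_EXPIRE
    return 1
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDS_EXPIRE
}

# True while assumed-role credentials are in the environment.
role_loaded() {
  [ -n "${AWS_SESSION_TOKEN:-}" ]
}

# The ARN the CLI is acting as right now. For an assumed role it has the form
# arn:aws:sts::<account>:assumed-role/<RoleName>/<session name>.
current_arn() {
  aws sts get-caller-identity --query Arn --output text
}

# Back to the base identity (the profile in ~/.aws/credentials).
drop_role() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDS_EXPIRE
}

# Usage, with the base identity already configured:
#   load_creds "$(assume_role_line arn:aws:iam::123456789012:role/IRRole jdoe-case1234)"
#   current_arn                 # ...:assumed-role/IRRole/jdoe-case1234
#   echo "expires $AWS_CREDS_EXPIRE"
#   drop_role && current_arn    # your own identity again
```

Source the file rather than executing it, since load_creds and drop_role must change the current shell's environment. For longer engagements the alternative is a named profile in ~/.aws/config with role_arn and source_profile set, which makes the CLI assume the role and refresh the credentials itself, with no exporting at all.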

Working with AWS Logs

You can use Amazon CloudWatch Logs to monitor, store, and access your log files from EC2 instances, CloudTrail, and other sources. You can then retrieve the associated log data from CloudWatch Logs using the CloudWatch console, CloudWatch Logs commands in the Amazon Web Services CLI, CloudWatch Logs API, or CloudWatch Logs SDK.

One of the most useful commands is get-log-events. All of its options are listed in the command reference:

get-log-events — AWS CLI 1.25.31 Command Reference

There are quite a few log-related commands in the AWS CLI, but a quick way to get started is the open-source awslogs tool, a separate pip-installable wrapper around the same API (it is not part of the AWS CLI) that pulls every stream (ALL) in a log group for a time window in one go:

awslogs get Log-Group-Name ALL --start='2021-12-20 00:00:00.000' --end='2021-12-26 00:00:00.000' > logs-20-26-dec.csv

Note that awslogs writes plain text lines, whatever extension you give the output file.

Another example, this time with the AWS CLI itself:

aws logs get-log-events --log-group-name my-logs --log-stream-name 20150601
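Two things bite when you move from the one-liner above to pulling a real time window with the AWS CLI: get-log-events wants --start-time and --end-time as milliseconds since the Unix epoch, and it returns one page at a time (at most 10,000 events or 1 MB) with a nextForwardToken that never becomes null, so the end of a stream is reached when the token comes back unchanged. The added shell example below (not code from the original post) handles both, keeping each raw API response as a file, and uses filter-log-events, which the CLI does paginate automatically, for the "all streams in a window" case that the awslogs command covers. The log group and stream names in the usage lines are placeholders; it assumes a configured CLI with logs:GetLogEvents and logs:FilterLogEvents permission on the group.

```shell
#!/bin/sh
# Added example, not code from the original post: pull a time window of CloudWatch
# Logs with the AWS CLI, keeping the raw API responses. The log group and stream
# names in the usage lines are placeholders; assumes a configured CLI with
# logs:GetLogEvents and logs:FilterLogEvents on the group.

set -u

# CloudWatch Logs takes --start-time/--end-time as milliseconds since the Unix
# epoch (UTC), not a date string. This converts an ISO-8601 UTC timestamp such as
# 2021-12-20T00:00:00Z with the days-from-civil formula in plain shell
# arithmetic, so the result does not depend on GNU versus BSD/macOS date flags.
to_epoch_ms() {
  ts=$1
  y=${ts%%-*};  ts=${ts#*-}
  m=${ts%%-*};  ts=${ts#*-}
  d=${ts%%T*};  ts=${ts#*T}
  hh=${ts%%:*}; ts=${ts#*:}
  mm=${ts%%:*}; ss=${ts#*:}; ss=${ss%Z}
  # drop one leading zero so 08 and 09 are not read as octal
  m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # count the year from 1 March
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$(((m + 9) % 12))                       # March = 0 ... February = 11
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))      # 719468 = days from 0000-03-01 to 1970-01-01
  echo "$(((days * 86400 + hh * 3600 + mm * 60 + ss) * 1000))"
}

# Extract nextForwardToken from a get-log-events JSON response on stdin.
next_token() {
  sed -n 's/.*"nextForwardToken": *"\([^"]*\)".*/\1/p'
}

# One stream, oldest first (--start-from-head), one raw JSON file per page under
# $5. get-log-events returns at most 1 MB / 10,000 events per call and always
# hands back a nextForwardToken; the stream is exhausted when the token comes
# back unchanged, so that is the loop's exit condition. Prints the page count.
dump_stream() {
  group=$1; stream=$2; start_ms=$3; end_ms=$4; outdir=$5
  mkdir -p "$outdir"
  token=""; page=0
  while :; do
    page=$((page + 1))
    if [ -n "$token" ]; then set -- --next-token "$token"; else set --; fi
    aws logs get-log-events --log-group-name "$group" --log-stream-name "$stream" \
      --start-time "$start_ms" --end-time "$end_ms" --start-from-head "$@" \
      --output json > "$outdir/page-$page.json" || return 1
    next=$(next_token < "$outdir/page-$page.json")
    if [ "$next" = "$token" ]; then break; fi
    token=$next
  done
  echo "$page"
}

# Every stream in a group for the window, as tab-separated
# "<epoch ms>  <stream>  <message>" rows. filter-log-events is auto-paginated by
# the CLI, so no token loop is needed; an optional filter pattern narrows it.
filter_window() {
  group=$1; start_ms=$2; end_ms=$3; out=$4; pattern=${5:-}
  if [ -n "$pattern" ]; then set -- --filter-pattern "$pattern"; else set --; fi
  aws logs filter-log-events --log-group-name "$group" \
    --start-time "$start_ms" --end-time "$end_ms" "$@" \
    --query 'events[].[timestamp,logStreamName,message]' --output text > "$out"
}

# Usage:
#   start=$(to_epoch_ms 2021-12-20T00:00:00Z); end=$(to_epoch_ms 2021-12-26T00:00:00Z)
#   filter_window /aws/lambda/my-function "$start" "$end" logs-20-26-dec.tsv
#   filter_window /aws/lambda/my-function "$start" "$end" errors.tsv '"ERROR"'
#   dump_stream /aws/lambda/my-function 2021/12/20/stream-1 "$start" "$end" ./raw
```

Timestamps in the output are also epoch milliseconds in UTC, so convert them back before correlating with host or CloudTrail evidence that is stamped in another zone.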

Note: where available, use AWS-native tooling such as Athena (SQL queries over logs stored in S3) and similar services, as they are much faster and easier than pulling everything down with the CLI.



Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.