Sign In
In this section

LX1.3 Remote and Cloud-Specific Collection

3-4 hours · Module 1 · Free
Operational Objective
The Access Method Problem: WEBSRV-NGE01 is a Linux VM running in Azure — you cannot walk to it, plug in a USB drive, or touch its disk. DBSRV-NGE01 is a Kubernetes pod that may be terminated by the orchestrator's health check in the next 90 seconds. The attacker's lateral movement path crossed a bare-metal server in a colocation facility 200 miles away. Three environments, three collection methods, three different evidence planes. Choosing the wrong method loses evidence that cannot be recovered.
Deliverable: Collection workflows for SSH-based remote access (bare-metal and VMs), cloud API-based disk snapshots (AWS, Azure, GCP) with accompanying audit trail collection, and container-specific evidence extraction (Docker and Kubernetes). Understanding of the forensic implications of each method — what it preserves, what it modifies, and what it cannot reach.
⏱ Estimated completion: 35 minutes

Remote Collection, Cloud Snapshots, and Container Evidence

Every environment where Linux runs has a different evidence surface. A bare-metal server has a physical disk you can image — but only if you are physically present or have remote console access. A cloud VM has an API that can snapshot the disk without logging in — but the snapshot does not capture memory or running processes. A container has a filesystem diff that shows exactly what changed from the base image — but the container can be destroyed at any moment and the evidence disappears with it.

The investigator must know all three collection methods and choose the right one based on the environment, the urgency, and what evidence is needed.

COLLECTION METHOD BY ENVIRONMENT SSH Remote Collection Bare-metal servers, on-prem VMs ✓ Captures Volatile data (processes, network) Log files, configuration, history Output piped to workstation ✗ Modifies auth.log, wtmp, utmp, lastlog Document connection time in evidence log Cloud API Snapshots AWS EC2, Azure VMs, GCP Compute ✓ Captures Full disk (immutable snapshot) Cloud audit trail (API calls) Zero modification to VM ✗ Cannot capture Memory, running processes Combine with SSH for volatile data Container Collection Docker, Kubernetes pods ✓ Captures Filesystem diff from base image Container logs, metadata Full filesystem export ✗ Risk Container may terminate any time Collect immediately — do not wait THE TWO-PLANE PRINCIPLE (CLOUD ENVIRONMENTS) Plane 1 — VM evidence: filesystem, logs, processes, network (collected via SSH or disk snapshot) Plane 2 — Cloud audit trail: API calls, IAM changes, security group modifications (collected via cloud CLI) Always collect BOTH planes. The attacker's cloud-level activity is invisible from inside the VM.
Figure LX1.3 — The three collection environments and their evidence characteristics. Cloud investigations require both planes: VM-level evidence and cloud audit trail. Container evidence is the most transient — collect before the orchestrator terminates the pod.

SSH-Based Remote Collection

# From your forensic workstation — collect volatile data first
# Each command runs on the remote system; output streams to local files

# Collect running processes
ssh investigator@target "ps auxf" > evidence/processes.txt

# Collect network connections (userspace + kernel)
ssh investigator@target "ss -tnp && echo '---' && cat /proc/net/tcp" > evidence/network.txt

# Collect /proc data for all processes (bypasses rootkits)
ssh investigator@target "for p in /proc/[0-9]*/; do echo PID=\$(basename \$p); cat \$p/cmdline 2>/dev/null | tr '\0' ' '; echo; readlink -f \$p/exe 2>/dev/null; echo ---; done" > evidence/proc_data.txt

# Copy critical log files to your workstation
scp investigator@target:/var/log/auth.log* evidence/logs/
scp investigator@target:/var/log/syslog* evidence/logs/
scp -r investigator@target:/var/log/journal/ evidence/logs/journal/

# Copy UAC output (if you ran UAC on the target)
scp -r investigator@target:/tmp/uac-output/ evidence/uac/
# Stream entire /var/log as a tarball — preserves timestamps and permissions
ssh investigator@target "sudo tar czf - /var/log/" > evidence/var_log.tar.gz

# Stream /etc for full configuration capture
ssh investigator@target "sudo tar czf - /etc/" > evidence/etc.tar.gz

# Verify the tarball integrity after transfer
tar tzf evidence/var_log.tar.gz | wc -l  # Count files — sanity check
# Get the instance ID and volume ID
aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=WEBSRV-NGE01" \
  --query "Reservations[].Instances[].{ID:InstanceId,Vols:BlockDeviceMappings[].Ebs.VolumeId}" \
  --output table

# Create a snapshot of the root volume
aws ec2 create-snapshot \
  --volume-id vol-0abc123def456789 \
  --description "IR-2026-0402 forensic snapshot WEBSRV-NGE01" \
  --tag-specifications "ResourceType=snapshot,Tags=[{Key=Case,Value=IR-2026-0402},{Key=Investigator,Value=j.morrison}]"

# Monitor snapshot progress
aws ec2 describe-snapshots --snapshot-ids snap-0abc123 \
  --query "Snapshots[].{State:State,Progress:Progress}"

# Collect CloudTrail events for the instance (30 days)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0abc123 \
  --start-time "2026-03-03T00:00:00Z" \
  --end-time "2026-04-02T23:59:59Z" \
  --output json > evidence/cloudtrail_events.json

# Collect VPC Flow Logs (if enabled)
aws ec2 describe-flow-logs \
  --filter "Name=resource-id,Values=eni-0abc123" \
  --output json > evidence/flow_log_config.json
# Create a snapshot of the OS disk
az snapshot create \
  --name "IR-2026-0402-WEBSRV-NGE01-osdisk" \
  --resource-group NorthgateEng-RG \
  --source "/subscriptions/SUB_ID/resourceGroups/NorthgateEng-RG/providers/Microsoft.Compute/disks/WEBSRV-NGE01-osdisk" \
  --tags Case=IR-2026-0402 Investigator=j.morrison

# Collect Azure Activity Log (90 days retention)
az monitor activity-log list \
  --resource-id "/subscriptions/SUB_ID/resourceGroups/NorthgateEng-RG/providers/Microsoft.Compute/virtualMachines/WEBSRV-NGE01" \
  --start-time "2026-03-03T00:00:00Z" \
  --output json > evidence/azure_activity_log.json

# Collect NSG Flow Logs (if enabled)
az network watcher flow-log show \
  --resource-group NorthgateEng-RG \
  --nsg WEBSRV-NGE01-nsg \
  --output json > evidence/nsg_flow_log_config.json
# Create a snapshot
gcloud compute disks snapshot WEBSRV-NGE01-disk \
  --zone=europe-west2-a \
  --snapshot-names=ir-2026-0402-websrv-nge01 \
  --description="IR-2026-0402 forensic snapshot"

# Collect Cloud Audit Logs
gcloud logging read \
  'resource.type="gce_instance" AND resource.labels.instance_id="123456789"' \
  --limit=1000 --format=json > evidence/gcp_audit_log.json
# Is the container still running?
docker ps | grep suspicious-container

# Collect container metadata (image, config, network, mounts)
docker inspect suspicious-container > evidence/container_inspect.json

# Collect container logs (stdout/stderr)
docker logs suspicious-container > evidence/container_logs.txt 2>&1

# See what files changed from the base image
docker diff suspicious-container > evidence/container_diff.txt

# Export the full container filesystem
docker export suspicious-container > evidence/container_filesystem.tar

# Copy specific files out of the container
docker cp suspicious-container:/var/log/ evidence/container_logs/
docker cp suspicious-container:/tmp/ evidence/container_tmp/
docker cp suspicious-container:/etc/crontab evidence/container_crontab
# Is the pod still running?
kubectl get pods -n production | grep suspicious-pod

# Collect pod metadata (containers, volumes, status, events)
kubectl describe pod suspicious-pod -n production > evidence/pod_describe.txt

# Collect pod logs (all containers in the pod)
kubectl logs suspicious-pod -n production --all-containers > evidence/pod_logs.txt

# Previous pod logs (if pod restarted)
kubectl logs suspicious-pod -n production --previous > evidence/pod_logs_previous.txt 2>/dev/null

# Copy files out of the running pod
kubectl cp production/suspicious-pod:/var/log/ evidence/pod_logs/
kubectl cp production/suspicious-pod:/tmp/ evidence/pod_tmp/

# Collect Kubernetes events for the namespace
kubectl get events -n production --field-selector involvedObject.name=suspicious-pod > evidence/k8s_events.txt

# Collect Kubernetes audit log (if enabled — check with cluster admin)
# Location varies by cluster configuration
Expand for Deeper Context

Most Linux investigations begin with remote access. The server is in a data center, a cloud region, or a customer's network. You are at your desk. The connection method is SSH — and SSH has forensic implications that the investigator must understand.

When you SSH into a compromised system, your connection creates evidence. Your login appears in auth.log: Accepted publickey for investigator from 192.0.2.10 port 52341 ssh2. Your session appears in wtmp (visible via last). Your session appears in utmp (visible via who). If the system records SSH sessions in the journal, your connection appears there too. These entries are evidence of your collection activity, not the attacker's activity. Document the exact time you connected so that your entries can be distinguished from the attacker's entries during analysis.

The collection approach for remote SSH access pipes output directly to your workstation, avoiding writes to the compromised filesystem:

The key technique: pipe output directly to your forensic workstation. Each ssh command runs on the remote system and the output streams to a local file. This avoids writing collection output to the compromised disk — the output never touches the target filesystem. For file transfers, scp copies files from the remote system to your workstation.

For high-volume log transfer or when you need to preserve file permissions and timestamps exactly, use tar over SSH instead of scp:

Cloud VM Collection — The No-Login Approach

Cloud environments provide a collection capability that does not exist for bare-metal servers: you can snapshot the disk without logging into the VM. This is the forensically cleanest disk collection method because it captures the disk state without any modification to the running system.

AWS EC2 disk snapshot:

Azure VM disk snapshot:

GCP Compute Engine disk snapshot:

After the snapshot is created, attach it to a forensic analysis VM as a secondary disk and mount it read-only. This gives you full filesystem access without modifying the original evidence. The snapshot is immutable — it represents the disk state at the moment of creation.

The cloud audit trail is the second evidence plane that does not exist for bare-metal servers. CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs record every API call made against the VM: who started it, who stopped it, who changed the security group, who attached a new disk, who modified the IAM role. If the attacker used stolen cloud credentials to modify the VM's configuration, the evidence is in the cloud audit trail — not on the VM itself. This is why the two-plane principle exists: always collect both the VM evidence and the cloud audit trail. Investigating one without the other misses half the attack surface.

Container Evidence Collection

Container evidence collection is a race against time. The container may be restarted, rescheduled, or terminated at any moment — by the orchestrator's health checks, by autoscaling, or by the attacker.

Docker container collection:

The docker diff command is uniquely valuable for container forensics. It shows every file that was added (A), changed (C), or deleted (D) from the base image. Since the base image is known-good (it is the image you deployed), every change in the diff is either legitimate application activity or attacker activity. This is a far cleaner evidence set than bare-metal forensics, where attacker files are mixed with hundreds of thousands of system files.

Kubernetes pod collection:

The --previous flag on kubectl logs retrieves logs from the previous container instance if the pod has restarted. If the attacker caused a crash and the pod restarted, the pre-crash logs contain the attack evidence. Without --previous, you only see logs from the current instance, which started after the crash — potentially after the attacker's activity.

Worked artifact — Cloud evidence collection checklist:

Use this checklist for every cloud VM investigation. Both planes must be collected.

Case: INC-2026-XXXX Cloud provider: ☐ AWS ☐ Azure ☐ GCP

Instance/VM: [name/ID] Region: [region] IP: [public/private]

Plane 1 — VM evidence: - Disk snapshot created: ☐ Yes (snapshot ID: ___) ☐ No (reason: ___) - Snapshot tagged with case ID and investigator: ☐ Yes ☐ No - Volatile data collected via SSH: ☐ Yes (timestamp: ___) ☐ No (reason: ___) - Memory dump acquired: ☐ Yes ☐ No ☐ Not supported by provider - UAC run on target: ☐ Yes ☐ No

Plane 2 — Cloud audit trail: - Cloud audit log collected: ☐ CloudTrail ☐ Activity Log ☐ Cloud Audit (time range: ___) - Network flow logs collected: ☐ VPC Flow Logs ☐ NSG Flow Logs ☐ VPC Flow Logs ☐ Not enabled - IAM/identity events reviewed: ☐ Yes ☐ No - Security group/firewall changes reviewed: ☐ Yes ☐ No

Plane 2 findings: - Suspicious API calls: ___ - IAM changes by attacker: ___ - Security group modifications: ___

Evidence integrity: - All files hashed on collection: ☐ Yes ☐ No - Evidence stored at: ___

Decision points: choosing the right collection method

Cloud VM, attacker may still be active: Snapshot the disk first (zero modification, captures disk state). Then SSH in for volatile data (processes, network, memory). Snapshot first because it takes a few seconds to initiate but captures the entire disk. If the attacker detects your SSH session and begins destroying evidence, the snapshot already preserves the disk state before your connection.

Cloud VM, attacker disconnected, time is available: Snapshot the disk. Collect the cloud audit trail. Then mount the snapshot on a forensic VM and analyze offline. No need to SSH into the compromised VM at all — the snapshot plus audit trail provides complete evidence.

Kubernetes pod, actively compromised: Run the full container collection sequence immediately — do not wait for approval, do not wait for the IR plan to be activated. A pod can be terminated at any moment. The docker export (or equivalent kubectl cp of key directories) is the priority. You can analyze later. Right now, you preserve.

Bare-metal server, no physical access: SSH-based remote collection is your only option. Pipe all output to your workstation. Deploy UAC via SCP. Accept the log modifications and document them.

Multi-environment incident (container + VM + cloud): Collect the most volatile evidence first. Container evidence disappears fastest (pod termination). VM volatile data disappears next (reboot, process exit). Cloud audit trail is the most durable (30-90 day retention). Collect in that order: container → VM volatile → disk snapshot → cloud audit trail.

Troubleshooting: common remote and cloud collection issues

SSH connection refused on the compromised system. The attacker may have modified the SSH configuration, changed the listening port, or added firewall rules blocking your IP. Check the cloud provider console for a serial console or out-of-band access. On AWS, use EC2 Instance Connect or Systems Manager Session Manager. On Azure, use the serial console in the portal. These provide shell access without SSH.

Cloud snapshot fails with "insufficient permissions." Your IAM role or service principal does not have the ec2:CreateSnapshot (AWS), Microsoft.Compute/snapshots/write (Azure), or compute.disks.createSnapshot (GCP) permission. Contact your cloud admin or use an account with the required permissions. Do not delay the investigation waiting for permissions — collect volatile data via SSH while the permissions issue is resolved.

Container terminated before collection completed. The evidence in the terminated container's writable layer is gone unless the container runtime preserved it. Check if the container used a persistent volume (PV): kubectl describe pod shows volume mounts. If PV was used, the data on the PV survives container termination. Also check if the node retained the container's log files: journalctl -u docker.service or the container runtime's log directory may still have the container's stdout/stderr.

Cloud audit trail shows no events for the compromised VM. Verify that logging is enabled: CloudTrail must be active in the account (not just the region), Azure Activity Log is always-on but may have shorter retention, GCP Cloud Audit Logs must be enabled for the project. If logging was not enabled, the audit trail evidence does not exist — you are limited to VM-level evidence only.

Large disk snapshot takes hours to complete. Cloud snapshots are incremental — the first snapshot copies the entire disk, subsequent snapshots copy only changes. A 500GB disk may take 30-60 minutes for the first snapshot. Do not wait for the snapshot to complete before collecting volatile data via SSH. The snapshot runs in the background while you perform live response.

Beyond this investigation: LX9 (Container Compromise) and LX10 (Cloud VM Compromise) demonstrate remote collection in environments where SSH access may not be available, using kubectl exec, cloud provider APIs, and snapshot-based acquisition.

Myth: "A cloud disk snapshot is not real forensic evidence because you did not use a hardware write blocker."

Reality: The concept of a hardware write blocker applies to physical media — connecting a hard drive to a forensic workstation. Cloud disk snapshots operate at the storage API level, not the physical level. The snapshot is created by the cloud provider's storage service and is immutable once created — it cannot be modified after the fact. Courts and forensic practitioners accept cloud snapshots as valid evidence when the investigator documents the snapshot creation (timestamp, snapshot ID, who created it) and the snapshot's immutability is preserved (no delete or modification operations performed on the snapshot). The chain of custody for a cloud snapshot is the cloud audit trail itself — the CreateSnapshot API call recorded in CloudTrail, Activity Log, or Cloud Audit Logs is the documentation.

Try it yourself

Exercise

If you have AWS CLI configured, practice the snapshot workflow on a test instance: create a snapshot, wait for it to complete, then create a volume from the snapshot and attach it to a forensic VM. Mount it read-only: mount -o ro,noexec /dev/xvdf1 /mnt/evidence/. You have just performed the no-login disk collection workflow for a cloud VM. If you use Docker, practice the container collection workflow: docker run -d --name test-container nginx, then run the docker inspect, docker diff, docker logs, and docker export commands above. Examine the diff output — what files changed from the base nginx image just by the container running normally?

Beyond this investigation

Remote SSH collection is the default for LX4-LX8 scenarios where the target is a traditional server. Cloud API collection is the primary method for LX10 (Cloud VM Compromise), where the investigation explicitly exercises the two-plane principle — correlating VM filesystem evidence with cloud audit trail events to reconstruct the attacker's use of stolen cloud credentials. Container collection is the primary method for LX9 (Container Compromise), where the docker diff technique identifies exactly what the attacker added to the base image. LX11 (Lateral Movement) combines all three — the attacker moves from a container to the host to the cloud API, and the investigator collects evidence from all three environments and builds a unified timeline across them.

Check your understanding:

1. When you SSH into a compromised system to collect evidence, what entries does your connection create in the system's logs, and how do you prevent these from being confused with attacker activity? 2. Why is a cloud disk snapshot forensically cleaner than running dd on the live system? 3. What does docker diff show, and why is it more useful for investigation than listing all files in the container? 4. A Kubernetes pod was terminated 5 minutes ago and a new pod has been scheduled. What evidence from the old pod is still available, and where would you look for it? 5. You are investigating an Azure VM compromise. You have collected a disk snapshot and SSH volatile data. What evidence plane are you still missing, and what commands collect it?

Subsection artifacts: Remote collection command templates for SSH (with tar streaming), AWS EC2, Azure VM, GCP Compute Engine, Docker, and Kubernetes. Cloud evidence collection checklist (worked artifact) covering both evidence planes. The two-plane principle: always collect VM evidence and cloud audit trail together — the attacker's cloud-level activity is invisible from inside the VM.

Decision point

You are investigating a Linux server and discover evidence of both a cryptominer (resource abuse) and an SSH key theft (lateral movement preparation). The cryptominer is consuming 95% CPU and impacting production. Which do you address first?

Address the lateral movement first. The cryptominer is visible, noisy, and contained to this server — it is causing performance impact but not spreading. The SSH key theft is silent, potentially already exploited, and may have given the attacker access to additional servers. Contain the lateral movement risk: rotate the stolen SSH keys, check the target servers for unauthorized access, and apply network restrictions. Then address the cryptominer: kill the process, remove the binary and persistence mechanisms. Prioritizing the noisy but contained threat over the silent but spreading threat is the most common Linux IR prioritization mistake.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.
Unlock the Full Course See Full Course Agenda
← Previous Next →