Understanding the Incident: When an EC2 instance communicates with a suspicious port, it’s crucial to analyze network traffic to understand the patterns of the security breach1.

Log Sources for Forensic Investigation: AWS provides several log sources that can be used for forensic investigations, including AWS CloudTrail, AWS Config, VPC Flow Logs, and host-level logs1.

Amazon VPC Flow Logs: These logs capture information about the IP traffic going to and from network interfaces in a Virtual Private Cloud (VPC). They are particularly useful for understanding network-level interactions, which is essential in this case1.

Evidentiary Value: VPC flow logs can provide data with evidentiary value, showing the source, destination, and protocol used in the network traffic, which can help investigators identify patterns related to the security breach1.

Other Log Sources: While Amazon CloudTrail and Amazon CloudWatch provide valuable information on user activities and metrics, respectively, they do not offer the detailed network traffic insights needed for this specific forensic investigation1.

References:

AWS Security Incident Response Guide’s section on Forensics on AWS1.