The Elastio Forensic File Archive is a powerful feature that strengthens your organization’s response to ransomware incidents. When Elastio’s ransomware detection engine identifies signs of compromise, it automatically generates a secure, encrypted archive containing the affected files. This archive is stored in a customer-owned, private Amazon S3 bucket, ensuring your data remains fully under your control.
To facilitate secure access, the Elastio UI provides both the Amazon Resource Name (ARN) of the archive and the ARN of the AWS Systems Manager (SSM) parameter that stores the encryption password. This lets your security and forensic teams examine the infected files in an isolated environment without putting clean systems at risk.
Configuration
To configure the forensic file archive, follow the three steps below.
Step 1: Create a Private S3 Bucket
- Log in to each AWS account where the Elastio Cloud Connector is installed.
- Create a private S3 bucket to store forensic archives.
- Record the name of the newly created bucket (<bucket_name>) for use in the next steps.
Step 2: Enable Forensic Archive Generation
To activate this feature across all Elastio scan types:
- Log in to the AWS account that hosts the Elastio Cloud Connector.
- Open AWS CloudShell, then run the following commands:
    wget -nv https://raw.githubusercontent.com/elastio/contrib/master/forensic-archive/configure_forensics.py
    python ./configure_forensics.py --bucket <bucket_name>
  Replace <bucket_name> with the actual name of the S3 bucket created in Step 1. Review the downloaded script before running it: it executes with the credentials of the identity signed in to CloudShell.
The script will:
- Enable forensic archive generation for all Elastio scans.
- Create a policy.json file in the current directory. This policy grants Elastio permission to upload forensic results to your S3 bucket.
Step 3: Grant Required Permissions
- In the same CloudShell session, display and copy the contents of the policy.json file:
    cat policy.json
- Go to the Permissions tab of your S3 bucket in the AWS Console.
- Click Edit Bucket Policy, paste the policy content from policy.json, and save your changes. If the bucket already has a policy, merge the new statement into it rather than replacing the existing statements.
Repeat Steps 1–3 for every AWS account where the Elastio Cloud Connector is deployed.
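Steps 1 and 3 as AWS CLI calls, as an added example that is not Elastio's own tooling: the bucket is created with Block Public Access, versioning and default encryption, then the policy.json written by configure_forensics.py in Step 2 is validated, attached and read back. It assumes AWS CLI v2 and python3 (both present in CloudShell), credentials for the account that hosts the Cloud Connector, and that policy.json sits in the current directory; the function names, script name and the bucket/region arguments are this example's own.

```shell
#!/bin/sh
# Added example, not Elastio tooling: Steps 1 and 3 as AWS CLI calls.
# Assumes AWS CLI v2 and python3 (both in CloudShell), credentials for the
# account hosting the Cloud Connector, and policy.json already produced by
# configure_forensics.py (Step 2) in the current directory.
set -eu

# CreateBucket rejects a LocationConstraint for us-east-1 and requires one
# everywhere else; build the right extra arguments for the region.
create_bucket_args() {
    case "$1" in
        us-east-1) : ;;
        *) printf '%s' "--create-bucket-configuration LocationConstraint=$1" ;;
    esac
}

# Step 1: a private bucket hardened for evidence storage.
create_forensic_bucket() {
    bucket="$1"; region="$2"
    # $(...) is deliberately unquoted so the two words it returns stay separate.
    aws s3api create-bucket --bucket "$bucket" --region "$region" $(create_bucket_args "$region")

    # Block every path to anonymous access. With BlockPublicPolicy set, S3 also
    # refuses any later bucket policy that would make the bucket public.
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

    # Keep earlier versions, so an overwrite of an archive key leaves the
    # original object recoverable.
    aws s3api put-bucket-versioning --bucket "$bucket" \
        --versioning-configuration Status=Enabled

    # Encrypt at rest by default (SSE-S3); use aws:kms with a customer-managed
    # key instead if your controls require it.
    aws s3api put-bucket-encryption --bucket "$bucket" \
        --server-side-encryption-configuration \
        '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
}

# Step 3: attach the policy generated in Step 2 and read back what S3 stored.
attach_forensic_policy() {
    bucket="$1"; policy_file="${2:-policy.json}"
    # Fail before touching the bucket if the file is missing or not valid JSON.
    python3 -m json.tool "$policy_file" >/dev/null
    # put-bucket-policy replaces any existing policy. If the bucket already has
    # one, merge the Elastio statement into that file first.
    aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
    aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text \
        | python3 -m json.tool
}

# Usage (one run per account that hosts a Cloud Connector, after Step 2):
#   sh setup_forensic_bucket.sh <bucket_name> <region> [policy.json]
if [ $# -ge 2 ]; then
    create_forensic_bucket "$1" "$2"
    attach_forensic_policy "$1" "${3:-policy.json}"
fi
```

Applying Block Public Access before the bucket policy is deliberate: if a pasted policy ever grants anonymous access by mistake, S3 rejects it instead of silently exposing the archives.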
Accessing the Forensic Archive and Retrieving Infected Files
When a scan detects ransomware, malware, or malicious encryption:
- Elastio generates an encrypted archive of infected files.
- The archive is automatically uploaded to your specified S3 bucket.
To retrieve the archive and password:
- Open the Elastio UI and navigate to the infected asset.
- View the detailed scan results by selecting the infected asset.
- From the scan details, copy the S3 ARN of the archive and the ARN of the SSM parameter that holds the unique password generated to encrypt the forensic archive.
  S3 ARN of the archive (for example):
    arn:aws:s3:::elastio-forensic/iscan/threats/elastio-asset-aws-s3-objects-.../malware/2025-05-08T00:02:39Z.zip
  SSM Parameter ARN (containing the archive's password):
    arn:aws:ssm:{region}:{accountId}:parameter/elastio/forensic-analysis/elastio-asset-...
- Use the SSM ARN to retrieve the archive password from the AWS Systems Manager Parameter Store, and extract the archive only on an isolated analysis host: its contents are the infected files themselves.
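The retrieval steps above, driven from the two ARNs instead of the console, as an added example that is not Elastio's own tooling: it splits the S3 and SSM ARNs into bucket, key, region and parameter name, reads the password from Parameter Store, downloads the archive and extracts it into a fresh directory. It assumes AWS CLI v2 and unzip on an isolated analysis host with read access to the bucket and the parameter, and that the archive is a zip file as in the example ARN above; the function names, script name and sample ARNs are this example's own.

```shell
#!/bin/sh
# Added example, not Elastio tooling: fetch a forensic archive and its password
# from the ARNs shown in the Elastio UI. Assumes AWS CLI v2 and unzip, read
# access to the bucket and parameter, and a .zip archive as in the ARN above.
# Run it ONLY on an isolated analysis host; the contents are live malware.
set -eu

# arn:aws:s3:::<bucket>/<key>  ->  <bucket>
s3_bucket_from_arn() {
    case "$1" in arn:aws:s3:::*/*) ;; *) echo "not an S3 object ARN: $1" >&2; return 1 ;; esac
    rest="${1#arn:aws:s3:::}"
    printf '%s\n' "${rest%%/*}"
}

# arn:aws:s3:::<bucket>/<key>  ->  <key>   (the key itself may contain slashes)
s3_key_from_arn() {
    case "$1" in arn:aws:s3:::*/*) ;; *) echo "not an S3 object ARN: $1" >&2; return 1 ;; esac
    rest="${1#arn:aws:s3:::}"
    printf '%s\n' "${rest#*/}"
}

# arn:aws:ssm:<region>:<account>:parameter/<name>  ->  <region>
ssm_region_from_arn() {
    case "$1" in arn:aws:ssm:*:*:parameter/*) ;; *) echo "not an SSM parameter ARN: $1" >&2; return 1 ;; esac
    rest="${1#arn:aws:ssm:}"
    printf '%s\n' "${rest%%:*}"
}

# arn:aws:ssm:<region>:<account>:parameter/<name>  ->  /<name>
# For a hierarchical name like this one, GetParameter wants the name with its
# leading slash, not the ARN prefix.
ssm_name_from_arn() {
    case "$1" in arn:aws:ssm:*:*:parameter/*) ;; *) echo "not an SSM parameter ARN: $1" >&2; return 1 ;; esac
    printf '/%s\n' "${1#*:parameter/}"
}

fetch_forensic_archive() {
    s3_arn="$1"; ssm_arn="$2"
    dest="${3:-./forensic-$(date -u +%Y%m%dT%H%M%SZ)}"
    bucket=$(s3_bucket_from_arn "$s3_arn")
    key=$(s3_key_from_arn "$s3_arn")
    region=$(ssm_region_from_arn "$ssm_arn")
    name=$(ssm_name_from_arn "$ssm_arn")

    mkdir -p "$dest" && chmod 700 "$dest"

    # --with-decryption is required for a SecureString and harmless for a String.
    password=$(aws ssm get-parameter --region "$region" --name "$name" \
        --with-decryption --query 'Parameter.Value' --output text)

    aws s3 cp "s3://$bucket/$key" "$dest/archive.zip"

    # unzip -P exposes the password in the process list; tolerable on a
    # throwaway analysis host, otherwise drop -P and type it at the prompt.
    # Never open or execute the extracted files on a production machine.
    unzip -P "$password" -d "$dest/extracted" "$dest/archive.zip"
    printf 'Archive extracted to %s\n' "$dest/extracted"
}

# Usage: sh fetch_forensic.sh "<s3 arn>" "<ssm arn>" [dest_dir]
if [ $# -ge 2 ]; then
    fetch_forensic_archive "$@"
fi
```

Each parser rejects an ARN of the wrong service before touching AWS, so a pasted S3 ARN in the SSM slot (or vice versa) fails immediately instead of producing a confusing AccessDenied from the wrong API.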