Digital Forensics & Incident Response

Create S3 pre-signed URL

We'll set up a server using MinIO and generate a pre-signed URL using the Python SDK so we can upload a triage collection.

Last updated 3 years ago

The next step is to generate a pre-signed URL so we can upload data to it.

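Review the MinIO Python SDK here: https://docs.min.io/docs/python-client-api-reference.html

The example code we're going to use is get_presigned_url.py from https://github.com/minio/minio-py/blob/master/examples/get_presigned_url.py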

You'll need Python 3 and the minio library:

$ sudo apt install python3-pip
$ pip3 install minio

Edit this Python script in your favourite editor.

from minio import Minio

client = Minio(
    "minio.yourdomain.com.au:9000",
    access_key="default_username",
    secret_key="default_password",
    secure=True,
)

If you're still using the default credentials we set earlier (minioadmin/minioadmin) then enter those here. It's obviously best practice to not use the default credentials.

$ python3 get_presigned_url.py

If the script executed successfully without errors, you'll have three URLs printed on the screen. We're interested in the second URL as this is what we'll be using to upload our data using UAC. If you don't have a need for the other two URLs and intend to administer objects manually via the web interface, then comment out the other two DELETE/GET URL generation sections.

The name of the object created with this URL is 'my-object'. If you want a custom name, you'll need to edit the Python script and change 'my-object' to something else. Likewise, if you want to store data in a different bucket, replace 'my-bucket' with another name. If you were using this in production you'd prompt for the desired values to store client data in specific buckets, with specific names.

You should have a pre-signed URL which looks similar to the following:

https://minio.yourdomain.com.au:9000/my-bucket/my-object?response-content-type=application%2Fjson&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=[redacted]
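
Added example (not code from this page or from the MinIO SDK): a standard-library re-implementation of the SigV4 query signing behind a URL like the one above, showing that the HTTP method, object path and expiry are all fixed by the signature, so a PUT URL handed to a collection host cannot be reused to download or delete the object. The function names, the `us-east-1` region, the key and the secret are assumptions or constructed placeholders.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

def presign(method, host, path, access_key, secret_key, issued, lifetime,
            region="us-east-1", extra=None):
    """SigV4 query-string signing for S3 (stdlib re-implementation for study)."""
    stamp = issued.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{stamp[:8]}/{region}/s3/aws4_request"
    params = {**(extra or {}),
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": stamp,
              "X-Amz-Expires": str(int(lifetime.total_seconds())),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    # The HTTP method is the first line of the signed canonical request.
    canonical = "\n".join([method, quote(path), query, f"host:{host}\n",
                           "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", stamp, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (stamp[:8], region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{quote(path)}?{query}&X-Amz-Signature={sig}"

def server_accepts(method, url, secret_key, now):
    """Recompute the signature the way the server would for this request."""
    u = urlsplit(url)
    q = dict(parse_qsl(u.query))
    sig = q.pop("X-Amz-Signature")
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(q["X-Amz-Expires"]))
    if now > issued + lifetime:  # expiry is carried in the URL itself
        return False
    access_key, _, region = q["X-Amz-Credential"].split("/")[:3]
    extra = {k: v for k, v in q.items() if not k.startswith("X-Amz-")}
    expected = presign(method, u.netloc, u.path, access_key, secret_key,
                       issued, lifetime, region, extra)
    return hmac.compare_digest(expected.rsplit("=", 1)[1], sig)

# Constructed sample values (placeholder key and secret, the page's example host).
HOST, SECRET = "minio.yourdomain.com.au:9000", "constructed-secret"
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
PUT_URL = presign("PUT", HOST, "/my-bucket/my-object", "CONSTRUCTEDKEY",
                  SECRET, ISSUED, timedelta(days=1))
```

Nothing in the URL text names the method it was signed for, so label each URL when you generate it and hand out only the PUT one.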

You've now generated a pre-signed URL using MinIO's Python SDK, and you're ready to upload your UAC collection.

https://docs.min.io/docs/python-client-api-reference.html
https://github.com/minio/minio-py/blob/master/examples/get_presigned_url.py