Azure Forensics and Incident Response
Incident response in Azure, as in other cloud environments, differs from on-premises response in where the evidence lives and how you get hold of it.
Below we’ve outlined where to look if you’re performing Detection, Triage, Investigation or Acquisition in Azure.
We’ve built a tool for automating forensics and incident response in Azure, and you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in Azure.
Detection
Azure Security Center raises alerts from both signatures and heuristics (behavioural analytics over your subscriptions’ telemetry).
Azure also integrates with a number of third-party solutions to provide detection capabilities, such as BitDefender.
Microsoft may also contact you directly if they see clear evidence of a compromise originating from your account, for example abuse traffic leaving your subscription.
Triage
You can create Phantom-style orchestration rules (playbooks) to automate simple responses to alerts, such as isolating a VM or opening a ticket.
Investigation
Azure Security Center includes built-in tools to search through logs and to record investigative findings against an incident.
Microsoft has also published case studies of investigations into Bitcoin mining attacks, SQL Server compromise, Linux hosts and PowerShell-based attacks.
Acquisition
The investigative tools within Azure Security Center are powerful, but sometimes you still need to analyse a full disk image. With a full disk image you can search the contents of files, recover deleted files, and search unallocated disk space for evidence that was never captured in logs.
You can acquire a snapshot of a machine within Azure in a number of ways, normally ending up with a VHD.
You can then use traditional forensic tools such as log2timeline (Plaso) or X-Ways to analyse the image.
Microsoft provides advice on how to create a VHD disk image using the Azure web console or PowerShell. You can also snapshot the managed disk into a VHD after stopping the system.
You can also spin up a new machine purely to perform forensic imaging, then attach a copy of the suspect disk as a data disk and image it from there. Work from a snapshot or a disk created from a snapshot, never from the live disk, so the original evidence is not modified.
Memory dumps can be acquired in the usual ways, but take them before you stop or deallocate the VM: stopping it discards the contents of RAM.
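The acquisition steps above, as one worked script. This is an added example written for this page, not code from the original post or from Microsoft; it uses the Az PowerShell module, and the resource group, VM names, evidence directory and the presence of azcopy on PATH are all assumptions.

```powershell
<#
  Added example (not from the original post): snapshot a suspect Azure VM's OS disk,
  export the snapshot as a VHD for offline analysis, record its hash, and attach a
  copy of the disk to a dedicated forensic VM.
  Prerequisites: Install-Module Az; Connect-AzAccount. Names below are assumptions.
#>
param(
    [string]$ResourceGroup  = 'rg-incident',   # assumed resource group
    [string]$SuspectVmName  = 'web01',         # assumed compromised VM
    [string]$ForensicVmName = 'forensic01',    # assumed analyst VM in the same region
    [string]$EvidenceDir    = 'C:\evidence',   # assumed local evidence store
    [switch]$StopFirst                         # power off before the snapshot (see caveat)
)
$ErrorActionPreference = 'Stop'
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

# 1. Locate the suspect VM and its managed OS disk.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $SuspectVmName
$osDiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
if (-not $osDiskId) { throw "$SuspectVmName has no managed OS disk; snapshot its VHD blob instead." }

# 2. Optionally stop the VM first. Caveat: stopping discards RAM, so dump memory
#    before this. A snapshot of a running VM is crash-consistent, which is usually
#    good enough for disk forensics.
if ($StopFirst) {
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $SuspectVmName -Force | Out-Null
}

# 3. Snapshot the OS disk. The snapshot is a read-only copy held in Azure storage.
$snapName = "$SuspectVmName-osdisk-$stamp"
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDiskId -Location $vm.Location -CreateOption Copy `
    -Tag @{ purpose = 'forensic-evidence'; source = $SuspectVmName }
$snap = New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $snapName -Snapshot $snapCfg

# 4. Export the snapshot as a VHD: grant a short-lived read-only SAS, copy it down,
#    hash it, and revoke the SAS even if the copy fails.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$vhdPath = Join-Path $EvidenceDir "$snapName.vhd"
$sas = Grant-AzSnapshotAccess -ResourceGroupName $ResourceGroup -SnapshotName $snapName `
    -Access Read -DurationInSecond 3600
try {
    & azcopy copy $sas.AccessSAS $vhdPath   # azcopy assumed to be on PATH
    if ($LASTEXITCODE -ne 0) { throw "azcopy failed with exit code $LASTEXITCODE" }
} finally {
    Revoke-AzSnapshotAccess -ResourceGroupName $ResourceGroup -SnapshotName $snapName | Out-Null
}
$hash = (Get-FileHash -Path $vhdPath -Algorithm SHA256).Hash
"$hash  $vhdPath" | Out-File -FilePath (Join-Path $EvidenceDir "$snapName.sha256") -Encoding ascii

# 5. Also mount a copy on the forensic VM: create a managed disk from the snapshot
#    (never from the live disk) and attach it as a data disk on the next free LUN.
$diskName = "$snapName-copy"
$diskCfg  = New-AzDiskConfig -Location $vm.Location -CreateOption Copy -SourceResourceId $snap.Id
$disk     = New-AzDisk -ResourceGroupName $ResourceGroup -DiskName $diskName -Disk $diskCfg
$fvm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $ForensicVmName
$used = @($fvm.StorageProfile.DataDisks | ForEach-Object Lun)
$lun  = 0; while ($used -contains $lun) { $lun++ }
Add-AzVMDataDisk -VM $fvm -Name $diskName -CreateOption Attach -ManagedDiskId $disk.Id -Lun $lun | Out-Null
Update-AzVM -ResourceGroupName $ResourceGroup -VM $fvm | Out-Null

# Record what was acquired so the chain of custody can be reconstructed later.
[pscustomobject]@{
    SourceVm     = $SuspectVmName
    Snapshot     = $snap.Id
    Vhd          = $vhdPath
    Sha256       = $hash
    ForensicVm   = $ForensicVmName
    AttachedDisk = $disk.Id
    Lun          = $lun
    AcquiredUtc  = $stamp
}
```

Run it from an account that can create snapshots and disks and modify both VMs in the resource group. On the forensic VM, bring the new data disk online read-only before mounting it (on Windows, diskpart’s `attributes disk set readonly`; on Linux, `mount -o ro`), so that analysis never alters the copy you hashed.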
Acquisition — Hyper-V
Hyper-V is Microsoft’s virtualisation server technology, comparable to VMware. Many organisations have moved from on-premises Hyper-V to Azure, but it is possible to run Hyper-V inside Azure using nested virtualisation, and many still run Hyper-V on-premises.
Advice on acquiring and analysing Hyper-V virtual machines (checkpoints, VHD/VHDX files and saved state) is available from ForensicKb and Microsoft.
Further Reading
- Fluffy Forensics
- Azure Forensics for the Security Responder
- Digital Forensics, Incident Response, and Cloud Computing
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure, and you can get a free trial here.