Azure Virtual Machines Forensics & Incident Response
Welcome to the next video in our series on Cloud Forensics and Incident Response: Azure Virtual Machines.
Virtual Machines
Azure Virtual Machines (VMs) are a cloud computing service from Microsoft that enables users to create, configure, and manage virtual machines in the cloud. VMs can be created from pre-configured images or from scratch and can be configured to run a variety of operating systems and applications. Azure VMs are available in a variety of sizes and can be scaled up or down to meet changing computing needs.
Azure provides the functionality to export the disk images of Virtual Machines in VHD format for forensic analysis. In the portal this is done by selecting the disk and then Create Snapshot. It can also be done on the command line with the az snapshot create command:

az snapshot create --name
                   --resource-group
                   [--accelerated-network {false, true}]
                   [--architecture {Arm64, x64}]
                   [--copy-start {false, true}]
                   [--disk-access]
                   [--disk-encryption-set]
                   [--edge-zone]
                   [--encryption-type {EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys, EncryptionAtRestWithPlatformKey}]
                   [--for-upload {false, true}]
                   [--hyper-v-generation {V1, V2}]
                   [--incremental {false, true}]
                   [--location]
                   [--network-access-policy {AllowAll, AllowPrivate, DenyAll}]
                   [--no-wait]
                   [--public-network-access {Disabled, Enabled}]
                   [--size-gb]
                   [--sku {Premium_LRS, Standard_LRS, Standard_ZRS}]
                   [--source]
                   [--source-storage-account-id]
                   [--tags]
Detection in Azure
Creating a Snapshot for Forensics Manually
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-incremental-snapshots?tabs=azure-cli
Also see the SDK at https://github.com/google/cloud-forensics-utils
Importing into Cado
https://docs.cadosecurity.com/cado-response/discovery-import/import/azure/azure-compute