When an IT company suspects that a VM called Ubuntu18 in the Production-group has been compromised, it is essential to perform a forensic investigation. Taking a snapshot and ensuring its integrity and accessibility involves several steps:
Snapshot Creation: First, create a snapshot of the OS disk of the suspect VM, named ubuntudisksnap. This snapshot is a point-in-time copy of the VM's disk, ensuring that all data at that moment is captured.
Snapshot Security: Next, to transfer this snapshot securely to a storage account under the Security-group, a shared access signature (SAS) needs to be generated. A SAS provides delegated access to Azure storage resources without exposing the storage account keys.
Data Transfer: With the SAS token, the snapshot can be securely copied to a storage account in the Security-group. Because access is delegated through the token rather than the storage account keys, only the authorized personnel holding it can access the snapshot for further investigation.
Further Analysis: After copying the snapshot, it can be mounted on a forensic workstation for detailed examination. This step involves examining the contents of the snapshot for any malicious activity or artifacts left by the attacker.
Generating a shared access signature is a critical step in ensuring that the snapshot can be securely accessed and transferred without compromising the integrity and security of the data.
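The four steps above carried out with the Azure CLI, as an added example that is not part of the original text. The resource-group, VM and snapshot names are the ones in the text; the storage account "secforensicsa" and container "evidence" in the Security-group are assumptions, as is the use of an Azure AD login (Storage Blob Data Contributor on that account) for the destination side.

```shell
#!/usr/bin/env bash
# Added example: snapshot -> short-lived read-only SAS -> server-side copy -> revoke -> hash.
# Names below marked "assumed" are not from the original text.
set -eu

PROD_RG="Production-group"; SEC_RG="Security-group"; VM="Ubuntu18"; SNAP="ubuntudisksnap"
SA="secforensicsa"; CONTAINER="evidence"        # assumed storage account / container in $SEC_RG

# 1. Point-in-time copy of the OS disk; the snapshot stays in the production resource group.
create_snapshot() {
  disk_id=$(az vm show -g "$PROD_RG" -n "$VM" \
              --query storageProfile.osDisk.managedDisk.id -o tsv)
  az snapshot create -g "$PROD_RG" -n "$SNAP" --source "$disk_id" -o none
}

# 2. Delegated access: a read-only SAS on the snapshot, valid for one hour, so no storage
#    account key is ever handed to the investigators.
grant_sas() {
  az snapshot grant-access -g "$PROD_RG" -n "$SNAP" --access-level Read \
    --duration-in-seconds 3600 --query accessSas -o tsv
}

# 3. Server-side copy into the Security-group account; the SAS URL is the source and the
#    destination is authorised with the caller's own identity. Polls until the copy completes.
copy_to_security() {
  sas_url="$1"
  az storage blob copy start --account-name "$SA" --auth-mode login \
    --destination-container "$CONTAINER" --destination-blob "$SNAP.vhd" \
    --source-uri "$sas_url" -o none
  until [ "$(az storage blob show --account-name "$SA" --auth-mode login -c "$CONTAINER" \
              -n "$SNAP.vhd" --query properties.copy.status -o tsv)" = "success" ]; do
    sleep 30
  done
}

# 4. Revoke the SAS as soon as the copy has finished; it must not outlive its purpose.
revoke_sas() { az snapshot revoke-access -g "$PROD_RG" -n "$SNAP" -o none; }

# 5. On the forensic workstation: hash the downloaded image before it is mounted read-only
#    and append the digest to a chain-of-custody manifest. Prints the SHA-256 digest.
record_hash() {
  image="$1"; manifest="$2"
  digest=$(sha256sum "$image" | cut -d' ' -f1)
  printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$image" >> "$manifest"
  echo "$digest"
}

if [ "${1:-}" = "--run" ]; then         # the Azure steps run only when explicitly requested
  create_snapshot; sas=$(grant_sas); copy_to_security "$sas"; revoke_sas
fi
```

Run it as `./acquire.sh --run` from a session that is already logged in with `az login`; `record_hash evidence.vhd manifest.txt` is run separately on the workstation after the image has been downloaded.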