# Azure Forensic

## Azure Security Centre

Azure Security Centre triggers alerts from signatures and heuristics:

![](/files/-MQRgS7thTE7ILn68NGQ)

![](/files/-MQRgYeBF-2gqSw8PGHK)

Azure also integrates with a number of third-party solutions to provide detection capabilities, such as Bitdefender:

![](/files/-MQRgcBvReKs323Saama)

Microsoft may also send you an alert if they notice clear evidence of a compromise coming from your account:

![](/files/-MQRggtPtxVboBRHFGeH)

Azure Security Centre includes built-in tools to search through logs, and record investigative findings:

![](/files/-MQRgpsYt5qPbGZjdS1_)

Source: <https://medium.com/@cloudyforensics/azure-forensics-and-incident-response-c13098a14d8d>

## Azure Acquisition

It is possible to acquire a snapshot of a machine within Azure in a number of ways, normally in VHD format.

### Magnet AXIOM

1. Go to 'Evidence sources' and select 'Cloud'
2. Select Azure and fill out the details including: Application ID, Tenant ID, Subscription ID, Client secret

   Magnet's how-to article on obtaining these details: <https://support.magnetforensics.com/s/article/Find-Azure-authentication-details>
3. Select the VM and click Next
4. Click 'Go', then 'Analyze evidence'.

   ![](/files/-MQRbVcKCC5YxTRdp6BY)

![](/files/-MQRe3mbtJ0cTkVLBgaA)

### libcloudforensic

### Create a snapshot of a VM using the portal or PowerShell

#### Use the Azure portal

To create a snapshot, complete the following steps:

1. On the Azure portal, select **Create a resource**.
2. Search for and select **Snapshot**.
3. In the Snapshot window, select **Create**. The Create snapshot window appears.
4. Enter a Name for the snapshot.
5. Select an existing Resource group or enter the name of a new one.
6. Select an Azure datacenter Location.
7. For **Source disk**, select the managed disk to snapshot.
8. Select the Account type to use to store the snapshot. Select Standard\_HDD, unless you need the snapshot to be stored on a high-performing disk.
9. Select **Create**.

#### Use PowerShell

* Set some parameters:

```
# Resource group, region, source VM and a name for the snapshot
$resourceGroupName = 'myResourceGroup'
$location = 'eastus'
$vmName = 'myVM'
$snapshotName = 'mySnapshot'
```

* Get the VM:

```
# Retrieve the VM object so its disk IDs can be read from StorageProfile
$vm = Get-AzVM `
    -ResourceGroupName $resourceGroupName `
    -Name $vmName
```

* Create the snapshot configuration. For this example, the snapshot is of the OS disk:

```
# 'Copy' creates a point-in-time copy of the managed OS disk
$snapshot = New-AzSnapshotConfig `
    -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
    -Location $location `
    -CreateOption Copy
```

* Take the snapshot:

```
# Create the snapshot resource in the same resource group as the VM
New-AzSnapshot `
    -Snapshot $snapshot `
    -SnapshotName $snapshotName `
    -ResourceGroupName $resourceGroupName
```

### Spin up a new VM for investigation

1. Select **Create a Resource** and search for '**Managed Disks**'.
2. When creating your Managed Disk, fill out the standard information. However, under 'Source type' make sure this is set to '**Snapshot**' and then select the snapshot you created.
3. From the Managed Disk screen you should see an option to '**Create VM**'; click this option.
4. Fill out the required information on the Create VM page.

![Create snapshot](/files/-MQReObSOXhoqcc0DW7f)

![name your snapshot and allocate it to a resource group](/files/-MQReWUb9fMVQfPVi8Jf)

![Create a resource > Create Managed Disk](/files/-MQRf03yA4XsXJvSgPbC)

![Source type select Snapshot](/files/-MQRf9tqBCcYzsZPYala)
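The PowerShell equivalent of the disk-from-snapshot step above, as an added example that is not part of the original page: it copies the snapshot into a managed disk and attaches that copy to a separate analysis VM as a data disk, so the evidence disk is never booted and the snapshot stays untouched as the master copy. It assumes `$resourceGroupName`, `$location` and `$snapshotName` are set as in the snapshot steps, and that `forensicsVM` is a hypothetical analysis VM already running in the same region.

```powershell
# Added example (not from the original page). Assumes the variables from the
# snapshot steps are set; 'forensicsVM' is a hypothetical analysis VM.
$analysisVmName   = 'forensicsVM'
$evidenceDiskName = "$snapshotName-evidence"

# Confirm the snapshot finished provisioning before copying it.
$snapshot = Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName
if ($snapshot.ProvisioningState -ne 'Succeeded') {
    throw "Snapshot $snapshotName is in state $($snapshot.ProvisioningState); not ready to copy."
}

# Record the snapshot's identity and timestamp for the case notes / chain of custody.
[pscustomobject]@{
    SnapshotId  = $snapshot.Id
    TimeCreated = $snapshot.TimeCreated
    SizeGB      = $snapshot.DiskSizeGB
    UniqueId    = $snapshot.UniqueId
} | Format-List

# Create a managed disk whose content is a copy of the snapshot. The snapshot
# itself is left untouched so it remains the master evidence copy.
$diskConfig = New-AzDiskConfig `
    -Location $location `
    -CreateOption Copy `
    -SourceResourceId $snapshot.Id `
    -SkuName Standard_LRS
$evidenceDisk = New-AzDisk `
    -ResourceGroupName $resourceGroupName `
    -DiskName $evidenceDiskName `
    -Disk $diskConfig

# Attach the copy to the analysis VM as a data disk on LUN 1 (not as the OS
# disk), with host caching off; mount it inside the VM with your analysis tools.
$analysisVm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $analysisVmName
$analysisVm = Add-AzVMDataDisk `
    -VM $analysisVm `
    -Name $evidenceDiskName `
    -CreateOption Attach `
    -ManagedDiskId $evidenceDisk.Id `
    -Lun 1 `
    -Caching None
Update-AzVM -ResourceGroupName $resourceGroupName -VM $analysisVm
```

Azure does not write-protect an attached managed data disk, so mount it read-only from within the analysis VM and keep the snapshot as the copy you hash and preserve.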
