How To Analyze Data From Azure VMs In Magnet AXIOM Cyber

Jamie McQuaid: Hello everyone, Jamie McQuaid from Magnet Forensics here with a quick video to show you how to do an Azure acquisition using Magnet AXIOM Cloud.

So, we’ve got AXIOM up here ready to go. So I’m going to go to ‘Evidence sources’, we’re going to go over to ‘Cloud’, and choose a cloud evidence just like any other cloud evidence. And you can see we’ve got a huge list of sources that we can grab, and Azure is here, all alphabetical.

Click on Azure. It’ll ask you to sign in. Now first, you need to have all this information. It requires a bit of prep work beforehand if you’ve never done it before. If you haven’t, click on this link: it tells you how to get all these details: Application ID, Tenant ID, Subscription ID, Client secret. All of these are required from either Azure admin or, if you are the Azure admin, you have to get them yourself.

Now, let me bring this over here to give you a quick rundown of it. We’ve got a great how-to article here to show you how to get all of those details. So how to create a role; accessing the CLI; all of that sort of stuff; verifying it… and it allows you to get all of the required information that you need: client secret, app IDs, subscription IDs. I’m not going to walk you through how to do that; that would depend on your environment and where you’re pulling from on how to set that up. But like I said: if you’ve got an admin, ask them for this type of information, you can provide them with this document; if you are the admin, follow the steps, and it should be pretty straightforward.

So let’s get up and start doing our acquisition. Now, I’ve already got this ready, so I’m going to pause the video and load in my details here and hit ‘Sign in.’ So, just one second….

OK, so it’s signed in, and we can see it’s pulled up this description that we want, and all of the details here. So again, a bit of detail for us: we’ve got a few VMs to grab, and this will pull down a VM. You can see they’re pretty big. You know, these are basically virtual machines that you’re going to be pulling down here. So, be prepared. The time it takes is going to be reflective of the time it takes to download that much data over your internet connection, at the very least.

And just be aware that there [are] some costs associated with this depending on your setup and how you’re pulling it down, so just be aware of that, in terms of storing the image or downloading it as well. So just be aware that there are additional costs to it. The default is to remove the image from the container. That’s usually what I leave, but if you want to leave it up there for completion’s sake, you can leave that up there.

So I’ve got a new VHD test here, just a sample one, this is a Linux image, 30GB. So I’m going to select that, hit ‘Next,’ and it adds in as a source.

Now from here, we can do everything that we normally would do. We can add other sources; we can go back into the cloud and add something else; we can do that AWS acquisition that we need to do; whatever you need to do. It might be good – just because it’s a very big download – to just do this one once, but if you’ve got multiple sources, you can easily add them in. I’m not going to go through the other items here.

I’m just going to go down to ‘Cloud artifacts.’ You can see all the cloud artifacts there, but obviously, we’d look for specific ones for that VM.

Hit ‘Go,’ ‘Analyze evidence,’ and it’ll start analyzing that data. Like it is now: this one’s 30GB, so however long it takes to download 30GB over my internet connection, that’s probably how long it’s going to take. It’s going to first create the data, and then download it. And then I’m just going to pause the video here and come back when it’s finished.

OK, we’re back and the search has completed. It took about 37 minutes or so to download and process the image. So with that, we’ve got a case up and ready. It processed… it was a Linux image, so it processed all of the artifacts and the file system as need be.

Just to take a quick look, we can see what actually got acquired here. You’ve got the JSON details, the zip of it, but if you dive in here, we can take a look at the VHD image here. It’s a bunch of folders deep, because Azure will create a bunch of folders to house the VM, and then AXIOM will as well, so it’s a few extra folders deep, but you’ll see as you dive in, you’ll get a VHD virtual machine image.

Now, you could open that up with a bunch of other tools too, as long as they… whether they’re forensics tools or other tools, as long as they support VHD images; or AXIOM can handle VMs and VHDs fine on its own, so if you receive a VHD and you didn’t do the acquisition, you can load the VHD itself in as an image. Either way – whether you use AXIOM for the acquisition or something else for the acquisition – you can load those in. And it’s basically just a snapshot of that VM at that given point in time.

Now, on the cloud it would have stored it, and then deleted it, based on our settings. And at the end, you get some basic case summaries here. The VM’s here, and we can go into the artifacts and you can see the regular artifacts that you would normally get in whatever image we’re looking at. Like I said, this one’s not a very large one, it was just a 30GB sample image that I used so that you can see anything that could be valuable there.

So, that’s how you do an Azure acquisition with AXIOM Cloud. Thanks for watching.
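The acquisition ends with a VHD image that can be loaded into AXIOM or any other tool that supports the format. As an added example that is not part of the video or of Magnet's tooling, the Python below parses and checksums the 512-byte VHD footer so an examiner can confirm the downloaded file is a complete, uncorrupted VHD before loading it; the sample footer it builds is constructed, not taken from a real acquisition.

```python
import struct
import uuid

VHD_COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
# Big-endian footer layout from the Microsoft VHD spec; checksum is at offset 64.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"

def footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, taken with the checksum field zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_vhd_footer(footer: bytes) -> dict:
    """Key footer fields; ValueError if this is not a well-formed VHD footer."""
    if len(footer) != 512:
        raise ValueError("VHD footer must be exactly 512 bytes")
    (cookie, _feat, _ver, _data_offset, _ts, creator_app, _cver, _cos, _orig,
     current_size, _geom, disk_type, checksum, unique_id, _saved,
     _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != VHD_COOKIE:
        raise ValueError("not a VHD footer: bad cookie %r" % cookie)
    if footer_checksum(footer) != checksum:
        raise ValueError("footer checksum mismatch: truncated or corrupt image?")
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "current_size_gb": current_size / 2 ** 30,
        "creator_app": creator_app.decode("ascii", "replace").strip("\x00"),
        "unique_id": str(uuid.UUID(bytes=unique_id)),
    }

def is_valid_vhd_footer(footer: bytes) -> bool:
    try:
        parse_vhd_footer(footer)
        return True
    except ValueError:
        return False

def build_sample_footer(size_bytes: int, disk_type: int = 2) -> bytes:
    """Constructed sample footer (not from a real acquisition), checksum filled in."""
    raw = struct.pack(FOOTER_FMT, VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                      0, b"win ", 0x00060001, b"Wi2k", size_bytes, size_bytes,
                      0, disk_type, 0, uuid.uuid4().bytes, 0, b"\x00" * 427)
    return raw[:64] + struct.pack(">I", footer_checksum(raw)) + raw[68:]

def check_image(path: str) -> dict:
    # Read and validate the trailing 512 bytes of an acquired .vhd file.
    with open(path, "rb") as fh:
        fh.seek(-512, 2)
        return parse_vhd_footer(fh.read(512))
```

Run `check_image("/path/to/acquired.vhd")` on the file AXIOM places under the case folders; a checksum or cookie error means the download was truncated or altered and should be re-acquired rather than analyzed.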