I just recently to perform a forensic analysis on a compromised Microsoft Azure VM, and I’d like to share a couple of useful tips.
The first step is the download of disk image of the VM.
Pretty simple: Azure dashboard allows the generation of a shared access signature URL, that can be used to download the VM’s VHD.
Another step is the mount on forensic workstation (in my case a Debian 9) of the VHD file.
In order to perform this step, we need to use the network block device kernel module.
So, first you need to load the module:
# modprobe nbd
Then, using qemu-nbd (a user space loopback block device server), link the VHD to the nbd device.
# qemu-nbd -r -c /dev/nbd0 -f vpc <vhd file name>
Basically, qemu-nbd knows a lot of disk image formats and is allowed to presents them to the kernel via nbd.
If your VHD image contains more then one partition (for example, in my case the VHD contains a Windows 10 VM, with a EFI partition), you should specify the correct partition:
qemu-nbd -P 2 -r -c /dev/nbd0 -f vpc <vhd file name>
Finally, mount the nbd device on a target mountpoint:
mount /dev/nbd0 /mnt/forensic
The unmount process is simply the same, but backward:
qemu-nbd -d /dev/nbd0
modprobe -r nbd