Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Computer forensics chain of custody in AzureDigital forensics is a science that addresses the recovery and investigation of digital data to support criminal investigations or civil proceedings. Computer forensics is a branch of digital forensics that captures and analyzes data from computers, virtual machines (VMs), and digital storage media. Companies must guarantee that digital evidence they provide in response to legal requests demonstrates a valid Chain of Custody (CoC) throughout the evidence acquisition, preservation, and access process. To ensure a valid CoC, digital evidence storage must demonstrate adequate access control, data protection and integrity, monitoring and alerting, and logging and auditing. Architecture
Download a Visio file of this architecture. WorkflowThis standard Azure hub-spoke architecture deploys VMs on the Production spoke, and encrypts them with Azure Disk Encryption (ADE). The Azure Key Vault in the Production subscription stores the VMs' BitLocker encryption keys (BEKs), and key encryption keys (KEKs) if applicable. The SOC team has exclusive access to a different Azure SOC subscription, for resources that must be kept protected, unviolated, and monitored. The Azure Storage account in the SOC subscription hosts copies of disk snapshots in immutable Blob storage, and keeps the snapshots' SHA-256 hash values and copies of the VMs' BEKs and KEKs in its own SOC key vault. In response to a request to capture a VM's digital evidence, a SOC team member signs in to the Azure SOC subscription, and uses a Hybrid Runbook Worker VM in Azure Automation to execute the Copy-VmDigitalEvidence runbook. The Hybrid Runbook Worker provides control of all mechanisms involved in the capture. The Copy-VmDigitalEvidence runbook:
Components
AlternativesIf necessary, you can grant time-limited read-only SOC Storage account access to IP addresses from outside, on-premises networks, for investigators to download the digital evidence. You can also deploy a Hybrid Runbook Worker on on-premises or other cloud networks, which they can use to run the Copy‑VmDigitalEvidence Azure Automation runbook on their resources. Azure Storage accountThe Storage account in the SOC subscription hosts the disk snapshots in a container configured as Azure immutable Blob storage. Immutable Blob storage stores business-critical data objects in a Write Once, Read Many (WORM) state, which makes the data non-erasable and non-modifiable for a user-specified interval. Secure transfer must be enabled on the Storage account. The Storage account also hosts an Azure file share to use as a temporary repository for calculating the snapshot's SHA-256 hash value. For better performance you can choose a Standard Storage Account, with the "large file share" feature enabled, or a Premium Storage Account. Azure Key VaultThe SOC subscription has its own key vault, which hosts a copy of the BEK that ADE uses to protect the target VM, as well as the KEK if applicable. The primary copy of the key stays in the key vault used by the target VM, so that VM can continue normal operation. The SOC key vault also contains the SHA-256 hash values for the disk snapshots. Azure AutomationThe SOC team uses an Azure Automation account to create and maintain the Copy-VmDigitalEvidence runbook. They also use Azure Automation to create the Hybrid Runbook Workers that run the runbook. Hybrid Runbook WorkerThe Hybrid Runbook Worker VM is part of the Automation account, and is used exclusively by the SOC Team to execute the Copy-VmDigitalEvidence runbook. The Hybrid Runbook Worker VM must be hosted in the same subnet that grants access to the Storage account. Access to this virtual network is granted only to the Hybrid Runbook Worker, using the service endpoint mechanism. The Hybrid Runbook Worker must have a managed identity or a Service Principal in order to access the target VM's subscription and execute the runbook. The identity must have at least the following permissions:
If the VM is behind a Firewall (Network Virtual Appliance (NVA), Azure Firewall, Network Security Group) or a Proxy, ensure to allow the connectivity between the VM and the Storage Account. Log AnalyticsAn Azure Log Analytics workspace in Azure Monitor stores activity logs to audit all the events on the SOC subscription. Scenario detailsPotential use cases
Regulatory ComplianceOne of the requirements when validating a CoC solution is compliance with security standards and regulations. All the components included in the above architecture are Azure standard services built upon a foundation of trust, security and compliance. Azure has a wide range of compliance certifications, including certifications specific for global regions and countries and for key industries like healthcare, government, finance and education. Updated audit reports, with information about standards compliance for the services adopted in this solution can be found on Microsoft Compliance Guide. As an example, the report Cohasset Assessment - Microsoft Azure WORM Storage gives details about Microsoft Azure Storage compliance with following requirements:
It is Cohasset's opinion that Microsoft Azure Storage, with the Immutable Storage for Azure Blobs feature and Policy Lock option, retains time-based Blobs (records) in a non-erasable and non-rewritable format and meets relevant storage requirements of SEC Rule 17a-4(f), FINRA Rule 4511(c), and the principles-based requirements of CFTC Rule 1.31(c)-(d). ConsiderationsThese considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework. Consider the following requirements when proving the validity of a CoC: Least access/privilegeOnly two individuals within the SOC team should have rights to modify the controls governing access to the subscription and its data. Grant other individuals only bare minimum access to data subsets they need to perform their work. Configure and enforce access through Azure role-based access control (Azure RBAC). Only the virtual network in the SOC subscription has access to the Storage account. Evidence acquisitionAzure Audit Logs can show evidence acquisition by recording the action of taking a VM disk snapshot, with elements like who took the snapshot, how, and where. Evidence integrityYou must guarantee that actions taken to move evidence to its final archive destination haven't altered the evidence. You can mitigate the risk of alteration by using native Azure mechanisms like Functions or Azure Automation. If you apply Legal Hold to the destination Azure storage, the evidence is frozen in time as soon as it's written. Legal Hold effectively shows that the CoC was maintained entirely in Azure, and there was no opportunity to tamper between the time the disk image existed on a live VM and became evidence in the Storage account. Another useful integrity mechanism is the use of hash algorithms. Azure offers an MD5 hash value for each disk, but you can calculate stronger values, like SHA-256 in the current example. Evidence productionInvestigators need access to evidence in order to perform analyses, and this access must be tracked. Provide investigators with a Storage Shared Access Signatures (SAS) URI key for accessing evidence. Using a SAS URI produces relevant log information when the SAS is generated, and every time it's used to get a copy of the evidence. You also need to provide investigators with the BEKs and KEKs archived in the SOC key vault before they can use the encrypted disk copies. For example, if a legal team needs a preserved virtual hard drive (VHD) transferred to them, one of the two data custodians generates a read-only SAS URI key that expires after eight hours, to ensure the window of availability to the data is kept to a minimum, and that the data cannot be altered. Monitoring and alertingAzure provides services to all customers to monitor and alert on anomalies involving their subscription and its resources. These services include:
Regional storeFor compliance, some standards or regulations require evidence and all support infrastructure to be maintained in the same Azure region. Deploy this scenarioThe following PowerShell code samples of the Copy-VmDigitalEvidence runbook are available in GitHub:
The Hybrid Runbook Worker must map the Azure File share containing the disk, used to calculate its hash values. Further details for the mounting procedure are available for both Windows and Linux systems and must be integrated in the PowerShell code. Note Scripts are provided as a starting point, are not intended to be downloaded a run directly in a customer environment. Be sure to replace placeholders and adapt them to your customer scenario. Before run the script remember to complete the section Mounting fileshare with the code to mount the Azure file share. The code is strictly tied to your implementation. To generate the correct code follow the documentation links contained in the scripts. Capture workflowThe SOC team has created the Copy‑VmDigitalEvidence runbook and the dedicated Hybrid Runbook Worker VM in their Azure Automation account. When the team receives a request to capture digital evidence, a SOC team member follows this workflow:
The Copy-VmDigitalEvidence runbook performs the following actions:
Evidence retrievalAfter the execution of the Copy-VmDigitalEvidence runbook, the evidence is stored on the SOC Blob Storage account as a file with .vhd extension. Different methods are available to retrieve the evidence from the .vhd image. In the following examples the .vhd file is used to create an Azure managed disk that is attached as a data disk to an Azure Virtual Machine used to analyze the evidence. Below actions must be executed:
At the end of the procedure, the Virtual Machine has a new encrypted data disk connected to it. To decrypt the disk, follow the procedures described in below sessions. Windows disks unlockThe Azure Windows data disk is locked by BitLocker. Once the disk is attached on a Windows machine the content is not readable, until it's unlocked. To unlock an Azure data disk connected, for example, on G:\ execute below actions:
Linux disks unlockThe Azure Linux data disk is locked by DM-Crypt. The content of the disk is not accessible until the disk is unlocked. To unlock an Azure data
disk and mount it under the directory
After the script execution, you will be prompted for the encryption passphrase. Copy it from the script output to unlock and access the content of the Azure data disk. ContributorsThis article is maintained by Microsoft. It was originally written by the following contributors. Principal authors:
Next stepsFor more information about Azure data-protection features, see:
For more information about Azure logging and auditing features, see:
For more information about Microsoft Azure Compliance, see:
FeedbackSubmit and view feedback for What type of acquisition is typically done on a computer seized during a police raid?Forensics MT MC3. What is a data acquisition method used when a suspect computer can't be shut down to perform a static acquisition?live acquisitions. A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it's not write-protected.
Which acquisition method captures only specific files and collect fragments of unallocated data?Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data.
What are two types of data copying methods used in software acquisitions?Two types of data-copying methods are used in software acquisitions: Physical copying of the entire drive. Logical copying of a disk partition.
|