Azure forensics package

Internal provider functions

libcloudforensics.providers.azure.forensics module

Forensics on Azure.

libcloudforensics.providers.azure.forensics.CreateDiskCopy(resource_group_name, instance_name=None, disk_name=None, disk_type=None, region='eastus', src_profile=None, dst_profile=None)

Creates a copy of an Azure Compute Disk.

Parameters
  • resource_group_name (str) – The resource group in which to create the disk copy.

  • instance_name (str) – Optional. Name of the instance whose disk is to be copied. If specified, the boot disk of that instance will be copied. If disk_name is also specified, then the disk pointed to by disk_name will be copied instead.

  • disk_name (str) – Optional. Name of the disk to copy. If not set, then instance_name needs to be set and the boot disk will be copied.

  • disk_type (str) – Optional. The sku name for the disk to create. Can be Standard_LRS, Premium_LRS, StandardSSD_LRS, or UltraSSD_LRS. The default behavior is to use the same disk type as the source disk.

  • region (str) – Optional. The region in which to create the disk copy. Default is eastus.

  • src_profile (str) – Optional. The name of the source profile to use for the disk copy, i.e. the account information of the Azure account that holds the disk. For more information on profiles, see GetCredentials() in libcloudforensics.providers.azure.internal.common.py. If not provided, credentials will be gathered from environment variables.

  • dst_profile (str) – Optional. The name of the destination profile to use for the disk copy. The disk will be copied into the account linked to this profile. If not provided, the default behavior is that the destination profile is the same as the source profile. For more information on profiles, see GetCredentials() in libcloudforensics.providers.azure.internal.common.py.

Returns

An Azure Compute Disk object.

Return type

AZComputeDisk

Raises
  • ResourceCreationError – If there are errors copying the disk.

  • ValueError – If both instance_name and disk_name are missing.

libcloudforensics.providers.azure.forensics.StartAnalysisVm(resource_group_name, vm_name, boot_disk_size, ssh_public_key, cpu_cores=4, memory_in_mb=8192, region='eastus', attach_disks=None, tags=None, dst_profile=None)

Start a virtual machine for analysis purposes.

Look for an existing Azure virtual machine named vm_name. If found, that VM is started and used as the analysis VM. If not found, a new VM with that name is created, started and returned. Note that if a new VM is created, you should provide the ssh_public_key parameter.

Parameters
  • resource_group_name (str) – The resource group in which to create the analysis VM.

  • vm_name (str) – The name for the virtual machine.

  • boot_disk_size (int) – The size of the analysis VM boot disk (in GB).

  • ssh_public_key (str) – SSH public key data (OpenSSH format) to associate with the VM, e.g. ssh-rsa AAAAB3NzaC1y… This must be provided, as otherwise the VM will not be accessible.

  • cpu_cores (int) – Number of CPU cores for the analysis VM.

  • memory_in_mb (int) – The memory size (in MB) for the analysis VM.

  • region (str) – Optional. The region in which to create the VM. Default is eastus.

  • attach_disks (List[str]) – Optional. List of disk names to attach to the VM.

  • tags (Dict[str, str]) – Optional. A dictionary of tags to add to the instance, for example {'TicketID': 'xxx'}. An entry for the instance name is added by default.

  • dst_profile (str) – Optional. The name of the destination profile to use for the VM creation, i.e. the account information of the Azure account in which to create the VM. For more information on profiles, see GetCredentials() in libcloudforensics.providers.azure.internal.common.py.

Returns

A tuple with a virtual machine object and a boolean indicating whether the virtual machine was created or not.

Return type

Tuple[AZComputeVirtualMachine, bool]
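The two functions above are normally used together: CreateDiskCopy produces an evidence copy, and StartAnalysisVm stands up (or reuses) a VM with that copy attached. The following is an added example, not code from libcloudforensics, that wraps both calls in a small acquisition plan. The plan is validated locally against the documented preconditions (instance_name or disk_name required, disk_type restricted to the four listed SKUs, an OpenSSH public key required) so a bad request fails before any Azure API call is made. The names AcquisitionPlan, validate_plan, source_description, build_tags and run_acquisition are this example's own; the attribute disk_copy.name on the returned AZComputeDisk, and the tag keys EvidenceDisk and Source, are assumptions.

```python
"""Plan, validate and run an Azure disk acquisition with libcloudforensics.

Added example for this page; it is not part of libcloudforensics. The calls to
CreateDiskCopy and StartAnalysisVm use the signatures documented above, and
everything else is this example's own convention (assumptions are marked).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# SKU names accepted by CreateDiskCopy's disk_type parameter (from the docs above).
VALID_DISK_SKUS = ("Standard_LRS", "Premium_LRS", "StandardSSD_LRS", "UltraSSD_LRS")

# OpenSSH public-key type prefixes accepted for ssh_public_key.
SSH_KEY_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-nistp256 ")


@dataclass
class AcquisitionPlan:
    """Everything needed to copy one disk and stand up an analysis VM."""
    resource_group_name: str              # where the copy and the VM are created
    analysis_vm_name: str                 # reused if a VM of this name already exists
    ssh_public_key: str                   # OpenSSH-format public key for the analysis VM
    instance_name: Optional[str] = None   # copy this instance's boot disk ...
    disk_name: Optional[str] = None       # ... unless an explicit disk name is given
    disk_type: Optional[str] = None       # None keeps the source disk's SKU
    region: str = "eastus"
    src_profile: Optional[str] = None     # account that owns the evidence
    dst_profile: Optional[str] = None     # account that receives the copy and the VM
    boot_disk_size_gb: int = 50
    cpu_cores: int = 4
    memory_in_mb: int = 8192
    tags: Dict[str, str] = field(default_factory=dict)


def validate_plan(plan: AcquisitionPlan) -> AcquisitionPlan:
    """Apply the documented preconditions locally so a bad plan fails before
    any Azure call is made. Returns the plan unchanged when it is valid."""
    if not plan.instance_name and not plan.disk_name:
        # CreateDiskCopy raises ValueError for this case; fail early with the same meaning.
        raise ValueError("either instance_name or disk_name must be set")
    if plan.disk_type is not None and plan.disk_type not in VALID_DISK_SKUS:
        raise ValueError(f"disk_type must be one of {VALID_DISK_SKUS}, got {plan.disk_type!r}")
    if not plan.ssh_public_key.startswith(SSH_KEY_PREFIXES):
        # StartAnalysisVm needs a key, otherwise a newly created VM is unreachable.
        raise ValueError("ssh_public_key must be an OpenSSH-format public key")
    if plan.boot_disk_size_gb <= 0:
        raise ValueError("boot_disk_size_gb must be positive")
    return plan


def source_description(plan: AcquisitionPlan) -> str:
    """Which disk CreateDiskCopy will copy: disk_name takes precedence over instance_name."""
    if plan.disk_name:
        return f"disk {plan.disk_name}"
    return f"boot disk of instance {plan.instance_name}"


def build_tags(plan: AcquisitionPlan, disk_copy_name: str) -> Dict[str, str]:
    """Tags for the analysis VM (the library adds the instance-name entry itself).
    The keys EvidenceDisk and Source are this example's own convention."""
    tags = dict(plan.tags)
    tags["EvidenceDisk"] = disk_copy_name
    tags["Source"] = source_description(plan)
    return tags


def run_acquisition(plan: AcquisitionPlan) -> Tuple[object, object, bool]:
    """Copy the disk, then start (or reuse) the analysis VM with the copy attached.
    Requires libcloudforensics and Azure credentials; imported here so the
    pure helpers above remain usable without it."""
    try:
        from libcloudforensics.providers.azure import forensics
    except ImportError as exc:
        raise RuntimeError("libcloudforensics must be installed to run the acquisition") from exc
    validate_plan(plan)
    disk_copy = forensics.CreateDiskCopy(
        plan.resource_group_name,
        instance_name=plan.instance_name,
        disk_name=plan.disk_name,
        disk_type=plan.disk_type,
        region=plan.region,
        src_profile=plan.src_profile,
        dst_profile=plan.dst_profile)
    # Assumption: the returned AZComputeDisk exposes its Azure disk name as .name.
    copy_name = disk_copy.name
    # Same region and same destination profile as the copy, so the managed disk
    # lives in the account and region where the VM can attach it.
    analysis_vm, created = forensics.StartAnalysisVm(
        plan.resource_group_name,
        plan.analysis_vm_name,
        plan.boot_disk_size_gb,
        plan.ssh_public_key,
        cpu_cores=plan.cpu_cores,
        memory_in_mb=plan.memory_in_mb,
        region=plan.region,
        attach_disks=[copy_name],
        tags=build_tags(plan, copy_name),
        dst_profile=plan.dst_profile)
    return disk_copy, analysis_vm, created
```

Keeping dst_profile and region identical for both calls is the point of the wrapper: the copy and the VM end up in the same investigator-controlled account and region, and the evidence disk is attached by the name the copy call returned rather than by a name typed in by hand.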