GCP forensics package

Internal provider functions

libcloudforensics.providers.gcp.forensics module

Forensics on GCP.

libcloudforensics.providers.gcp.forensics.AddDenyAllFirewallRules(project_id, network, deny_ingress_tag, deny_egress_tag, exempted_src_ips=None, enable_logging=False)

Add deny-all firewall rules, of highest priority.

Parameters
  • project_id (str) – Google Cloud Project ID.

  • network (str) – URL of the network resource for these firewall rules.

  • deny_ingress_tag (str) – Target tag name to apply deny ingress rule, also used as a deny ingress firewall rule name.

  • deny_egress_tag (str) – Target tag name to apply deny egress rule, also used as a deny egress firewall rule name.

  • exempted_src_ips (List[str]) – List of IPs exempted from the deny-all ingress firewall rules, ex: analyst IPs.

  • enable_logging (bool) – Optional. Enable firewall logging. Default is False.

Raises

InvalidNameError – If Tag names are invalid.

Return type

None

libcloudforensics.providers.gcp.forensics.CreateDiskCopy(src_proj, dst_proj, zone, instance_name=None, disk_name=None, disk_type=None)

Creates a copy of a Google Compute Disk.

Parameters
  • src_proj (str) – Name of project that holds the disk to be copied.

  • dst_proj (str) – Name of project to put the copied disk in.

  • zone (str) – Zone where the new disk is to be created.

  • instance_name (str) – Optional. Instance using the disk to be copied.

  • disk_name (str) – Optional. Name of the disk to copy. If None, instance_name must be specified and the boot disk will be copied.

  • disk_type (str) – Optional. URL of the disk type resource describing which disk type to use to create the disk. The default behavior is to use the same disk type as the source disk.

Returns

A Google Compute Disk object.

Return type

GoogleComputeDisk

Raises

libcloudforensics.providers.gcp.forensics.CreateDiskFromGCSImage(project_id, storage_image_path, zone, name=None)

Creates a GCE persistent disk from an image in GCS.

The method supports raw disk images and most virtual disk file formats. Valid import formats are: [raw (dd), qcow2, qcow, vmdk, vdi, vhd, vhdx, qed, vpc].

The created GCE disk might be larger than the original raw (dd) image stored in GCS, to satisfy GCE capacity requirements (see https://cloud.google.com/compute/docs/disks/#introduction). However, the bytes_count and md5_hash values of the source image are returned with the newly created disk. The md5_hash can be used to verify the integrity of the created GCE disk: it must be compared with the hash of the created GCE disk from byte 0 to bytes_count, i.e.:

result['md5Hash'] = hash(created_gce_disk, start_byte=0, end_byte=result['bytes_count'])

Parameters
  • project_id (str) – Google Cloud Project ID.

  • storage_image_path (str) – Path to the source image in GCS.

  • zone (str) – Zone to create the new disk in.

  • name (str) – Optional. Name of the disk to create. Default is imported-disk-[TIMESTAMP('%Y%m%d%H%M%S')].

Returns

A key value describing the imported GCE disk.
Ex: {
  'project_id': 'fake-project',
  'disk_name': 'fake-imported-disk',
  'zone': 'fake-zone',
  'bytes_count': '1234',  # Content-Length of source image in bytes.
  'md5Hash': 'Source Image MD5 hash string in hex'
}

Return type

Dict

Raises

InvalidNameError – If the GCE disk name is invalid.
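The integrity check described above, as an added example that is not part of libcloudforensics: only the first bytes_count bytes of the created disk are hashed, so any padding GCE appended to meet its size requirements is ignored, and the result is compared with the returned md5Hash. The function names, the temp-file "disk" and the sample data are constructed for this example; md5Hash is assumed to be a hex string, as the documented return value states.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Streaming chunk size for reading the disk (constructed value).
_CHUNK = 1024 * 1024


def HashDiskRange(path: str, start_byte: int, end_byte: int) -> str:
  """Return the hex MD5 of bytes [start_byte, end_byte) of a disk or image file.

  Hashing stops at end_byte, so bytes beyond the original image size
  (GCE padding) never enter the digest.
  """
  md5 = hashlib.md5()
  remaining = end_byte - start_byte
  with open(path, 'rb') as disk:
    disk.seek(start_byte)
    while remaining > 0:
      chunk = disk.read(min(_CHUNK, remaining))
      if not chunk:
        raise ValueError('disk is shorter than the requested byte range')
      md5.update(chunk)
      remaining -= len(chunk)
  return md5.hexdigest()


def VerifyImportedDisk(result: Dict[str, str], disk_path: str) -> bool:
  """Compare a CreateDiskFromGCSImage result dict against the created disk.

  result['bytes_count'] is the Content-Length of the source image (a string,
  as documented) and result['md5Hash'] its hex MD5.
  """
  bytes_count = int(result['bytes_count'])
  actual = HashDiskRange(disk_path, start_byte=0, end_byte=bytes_count)
  return actual == result['md5Hash'].lower()


def BuildSampleDisk() -> Tuple[Dict[str, str], str]:
  """Write a constructed sample disk and return (result_dict, path).

  The 'source image' is 2820 bytes; the 'GCE disk' is those bytes followed by
  4096 zero bytes, mimicking a disk larger than the imported image.
  """
  image = bytes(range(256)) * 11 + b'tail'
  fd, path = tempfile.mkstemp(suffix='.img')
  with os.fdopen(fd, 'wb') as disk:
    disk.write(image + b'\x00' * 4096)
  result = {'project_id': 'fake-project', 'disk_name': 'fake-imported-disk',
            'zone': 'fake-zone', 'bytes_count': str(len(image)),
            'md5Hash': hashlib.md5(image).hexdigest()}
  return result, path
```

Hashing the whole padded disk instead of the documented range would fail the comparison, which is the mistake this check is designed to avoid.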

libcloudforensics.providers.gcp.forensics.InstanceNetworkQuarantine(project_id, instance_name, exempted_src_ips=None, enable_logging=False)

Put a Google Cloud instance in network quarantine.

Network quarantine is imposed via applying deny-all ingress/egress firewall rules on each network interface.

Parameters
  • project_id (str) – Google Cloud Project ID.

  • instance_name (str) – The name of the virtual machine.

  • exempted_src_ips (List[str]) – List of IPs exempted from the deny-all ingress firewall rules, ex: analyst IPs.

  • enable_logging (bool) – Optional. Enable firewall logging. Default is False.

Return type

None

libcloudforensics.providers.gcp.forensics.StartAnalysisVm(project, vm_name, zone, boot_disk_size, boot_disk_type, cpu_cores, attach_disks=None, image_project='ubuntu-os-cloud', image_family='ubuntu-1804-lts')

Start a virtual machine for analysis purposes.

Parameters
  • project (str) – Project id for virtual machine.

  • vm_name (str) – The name of the virtual machine.

  • zone (str) – Zone for the virtual machine.

  • boot_disk_size (int) – The size of the analysis VM boot disk (in GB).

  • boot_disk_type (str) – URL of the disk type resource describing which disk type to use to create the disk. Use pd-standard for a standard disk and pd-ssd for an SSD disk.

  • cpu_cores (int) – The number of CPU cores to create the machine with.

  • attach_disks (List[str]) – Optional. List of disk names to attach.

  • image_project (str) – Optional. Name of the project where the analysis VM image is hosted.

  • image_family (str) – Optional. Name of the image to use to create the analysis VM.

Returns

A tuple with a virtual machine object and a boolean indicating if the virtual machine was created or not.

Return type

Tuple(GoogleComputeInstance, bool)

libcloudforensics.providers.gcp.forensics.VMRemoveServiceAccount(project_id, instance_name, leave_stopped=False)

Remove a service account attachment from a GCP VM.

Service account attachments to VMs allow the VM to obtain credentials via the instance metadata service to perform API actions. Removing the service account attachment will prevent credentials being issued.

Note that the instance will be powered down for this action, if it isn't already.

Parameters
  • project_id (str) – Google Cloud Project ID.

  • instance_name (str) – The name of the virtual machine.

  • leave_stopped (bool) – Optional. True to leave the machine powered off.

Returns

True if the service account was successfully removed, False otherwise.

Return type

bool