# Forensics - Create Azure Windows VM with VHD Explorer

__Notebook Version:__ 1.0<br>
__Python Version:__ Python 3.6 (including Python 3.6 - AzureML)<br>
__Required Packages:__ azure 4.0.0, azure-cli-profile 2.1.4<br>
__OS Supported:__<br>
    -  Windows
__Platforms Supported:__<br>
    -  Azure Notebooks Free Compute
    -  Azure Notebooks DSVM
__Data Source Required:__<br>
    -  no
    
### Description
The notebook provides sample code to create a Azure VM with pre-loaded forensic tools, i.e. VHD Explorer, on Windows.

<font color=red>When you switch between Azure Notebooks Free Compute and Data Science Virtual Machine (DSVM), you may need to select Python version: please select Python 3.6 for Free Compute, and Python 3.6 - AzureML for DSVM.</font>

## Prerequisite check

In [None]:
# only run once, current version 0.1.8
!pip install --upgrade Sentinel-Utilities

In [None]:
import SentinelUtils
# checking Python version
check = SentinelUtils.version_management.ModuleVersionCheck()
py_check = check.validate_python('3.6.0')
if py_check.requirement_met == False:
    print('Please select Python 3.6 or Python 3.6 - AzureML at the upper right corner')
else:
    print('Please continue')

In [None]:
# checking required packages
mods_check = check.validate_installed_modules(['azure>=4.0.0', 'azure-cli-profile>=2.1.4'])
for mod_info in mods_check:
    if mod_info.requirement_met == False:
        print('Please install {} {} at the following cell.'.format(mod_info.name, mod_info.required_version))

In [None]:
# Please install required packages based on the check at last cell
#!pip install azure

In [None]:
# this is needed only if you are going to use Device authentication
#!pip install azure-cli-profile

## Table of Contents

1. Authentication to Azure Resource Management 
2. Create Windows VM with Image having VHD Explorer
3. Remote Desktop to the VM
4. Delete VM

## 1. Authentication to Azure Resource Management

1. Select Authentication Methods<br>
If multi-factors authentication is enabled for your tenant, you must use either Device or Service Principal to authentication to Azure resource management.

In [None]:
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.storage import StorageManagementClient
import SentinelAzure

# select an auth method, Device is for tenants that has MFA enabled
import ipywidgets as widgets
from IPython.display import display
auth_method = ['Device', 'Service Principal', 'User ID/Password']
selected_auth = widgets.Dropdown(options=auth_method, value=auth_method[0],description='Auth Method:')
display(selected_auth)

2. Authentication

In [None]:
auth = SentinelAzure.azure_aad_helper.AADHelper()
subscription_id = input('subscription id:')
resource_group = input('resource group:')
if selected_auth.value == 'Device':
    from azure.common.client_factory import get_client_from_cli_profile
    # please enter your tenant domain below, for Microsoft, using: microsoft.onmicrosoft.com
    !az login --tenant ''
    compute_client = get_client_from_cli_profile(ComputeManagementClient, subscription_id = subscription_id)
    network_client = get_client_from_cli_profile(NetworkManagementClient, subscription_id = subscription_id)
    resource_client = get_client_from_cli_profile(ResourceManagementClient, subscription_id = subscription_id)
    storage_client = get_client_from_cli_profile(StorageManagementClient, subscription_id = subscription_id)
elif selected_auth.value == 'Service Principal':
    client_id=input('client id:')
    secret=input('secret:')
    tenant_id = input('tenant id:')
    compute_client, network_client, resource_client, storage_client = auth.authenticate('Service Principal', **{'client_id': client_id, 'secret' : secret, 'tenant_id' : tenant_id, 'subscription_id' : subscription_id})
else:
    from azure.common.credentials import UserPassCredentials
    import getpass
    uid = input('User ID:')
    pwd = getpass.getpass()
    compute_client, network_client, resource_client, storage_client = auth.authenticate('User ID Password', **{'user_id': uid, 'password' : pwd, 'subscription_id' : subscription_id})

compute = SentinelAzure.azure_compute_helper.ComputeHelper(compute_client, resource_group)
resource = SentinelAzure.azure_resource_helper.ResourceHelper(resource_client, resource_group)
storage = SentinelAzure.azure_storage_helper.StorageHelper(storage_client)

## 2. Crerate Windows VM

1. Storage Account

In [None]:
import ipywidgets as widgets
from IPython.display import display
storage_account_creation = ['Creating new account', 'Using exist account']
selected_method = widgets.Dropdown(options=storage_account_creation, value=storage_account_creation[0],description='storage_account_creation:')
display(selected_method)

In [None]:
storage_account = None
if selected_method.value == 'Creating new account':
    # usert input storage account name
    storage_account_name = input('storage account name:')
    storage_location = input('storage location:')
    name_availability = storage.is_storage_account_name_available(storage_account_name)
    if name_availability.name_available == False:
        print('Name is already used, please re-run this cell and provide a different name')
    else:
        async_storage_creation = storage.create_storage_account_async(storage_account_name, resource_group, **{'storage_location' : storage_location})
else:
    storage_account_list = storage.get_storage_account_names(resource_group)
    import ipywidgets as widgets
    from IPython.display import display
    selected_storage_account_name = widgets.Dropdown(options=storage_account_list, value=storage_account_list[0],description='existing_storage_accounts:')
    display(selected_storage_account_name)

2. Get Storage Account Key

In [None]:
if selected_method.value == 'Using exist account':
    storage_account = storage.get_storage_account_properties(selected_storage_account_name.value, resource_group)
    storage_account_name = storage_account.name

storage_key = storage.get_storage_account_key(storage_account_name, resource_group)

3. Blob Storage Container

In [None]:
import ipywidgets as widgets
from IPython.display import display
blob_container_creation = ['Creating new container', 'Using exist container']
selected_blob_method = widgets.Dropdown(options=blob_container_creation, value=blob_container_creation[0],description='blob_container_creation:')
display(selected_blob_method)

In [None]:
from azure.storage.blob import BlockBlobService, PageBlobService, AppendBlobService
from azure.storage.blob.models import BlobBlock, ContainerPermissions, ContentSettings

blob_container = None
blob_container_name = input('blob container name:')
storage.initialize_block_blob_service(storage_account_name, storage_key, blob_container_name)

if selected_blob_method.value == 'Creating new container':
    blob_conteiner = storage.create_blob_container()
else:
    blob_conteiner = storage.get_blob_container()

In [None]:
print(storage_account_name)
print(storage_key)
print(blob_container_name)

4. Copy VM Image

In [None]:
storage.initialize_block_blob_service(storage_account_name, storage_key, blob_container_name)
file_name = 'abcd.vhd'
file_path = 'https://pitestgenstorage.blob.core.windows.net/vhdexplorer/abcd?sp=r&st=2019-04-11T21:59:51Z&se=2019-06-09T05:59:51Z&spr=https&sv=2018-03-28&sig=6fJBWiWTVObShmwLbZYaiuklRV9JzfJscakBi56IT2g%3D&sr=b'
storage.copy_vhd(file_name, file_path)

5. Create VM

In [None]:
# User input
import getpass
nic_name = 'for_vm_nic'
snapshot_name = 'forensic_snapshot'
os_type = 'Windows'
vm_name = input('vm name:')
resource_group_location = input('resource group location:')
resource_group_name = input('resource group name:')
vm_user_id = input('vm user id:')
vm_password = getpass.getpass()

In [None]:
network = SentinelAzure.azure_network_helper.NetworkHelper(network_client, nic_name)
network.prepare_network_for_vm_creation(resource_group_name, resource_group_location)
nic = network.get_nic(resource_group_name)

In [None]:
result = compute.create_vm(nic, **{'vm_location' : resource_group_location, 'user_name' : vm_user_id, 'password' : vm_password, 'vm_name' : vm_name, 'snapshot_name' : snapshot_name, 'os_type' : os_type, 'stroage_account_name' : storage_account_name, 'blob_container_name' : blob_container_name})

## 3. Remote Desktop to VM

With VM creation completed, you may remote desktop to the newly created VM, and start using pre-loaded VHD Explorer on C:\AzureForensicTools.
Online document: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon

## 4. Delete VM

In [None]:
del_result = compute.delete_vm_async(vm_name)