# Forensics - Run Process Investigator

__Notebook Version:__ 1.0<br>
__Python Version:__ Python 3.6 (including Python 3.6 - AzureML)<br>
__Required Packages:__ azure 4.0.0,  azure-cli-profile 2.1.4<br>
__OS Supported:__<br>
    -  Linux
    -  Windows
__Platforms Supported:__<br>
    -  Azure Notebooks Free Compute
    -  Azure Notebooks DSVM
__Data Source Required:__<br>
    -  no
    
### Description
The notebook provides sample code to use custom script extension to run Processor Investigator (memory dump) on Linux and Windows.

<font color=red>When you switch between Azure Notebooks Free Compute and Data Science Virtual Machine (DSVM), you may need to select Python version: please select Python 3.6 for Free Compute, and Python 3.6 - AzureML for DSVM.</font>

## Prerequisite check

In [None]:
# only run once, current version 0.1.8
!pip install --upgrade Sentinel-Utilities

In [None]:
import SentinelUtils
# checking Python version
check = SentinelUtils.version_management.ModuleVersionCheck()
py_check = check.validate_python('3.6.0')
if py_check.requirement_met == False:
    print('Please select Python 3.6 or Python 3.6 - AzureML at the upper right corner')
else:
    print('Please continue')

In [None]:
# checking required packages
mods_check = check.validate_installed_modules(['Azure>=4.0.0', 'azure-cli-profile>=2.1.4'])
for mod_info in mods_check:
    if mod_info.requirement_met == False:
        print('Please install {} {} at the following cell.'.format(mod_info.name, mod_info.required_version))

In [None]:
# Please install required packages based on the check at last cell
#!pip install azure

In [None]:
# this is needed only if you are going to use Device authentication
#!pip install azure-cli-profile

## Table of Contents

1. Authentication to Azure Resource Management 
2. Manage Blob Storage
3. Create VM Extension
4. Read Memory Dump Data
5. Delete VM Extension

## 1. Authentication to Azure Resource Management

1. Select Authentication Methods<br>
If multi-factors authentication is enabled for your tenant, you must use either Device or Service Principal to authentication to Azure resource management.

In [None]:
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.storage import StorageManagementClient
import SentinelAzure

# select an auth method, Device is for tenants that has MFA enabled
import ipywidgets as widgets
from IPython.display import display
auth_method = ['Device', 'Service Principal', 'User ID/Password']
selected_auth = widgets.Dropdown(options=auth_method, value=auth_method[0],description='Auth Method:')
display(selected_auth)

2. Authentication

In [None]:
auth = SentinelAzure.azure_aad_helper.AADHelper()
subscription_id = input('subscription_id:')
resource_group = input('resource_group:')
if selected_auth.value == 'Device':
    from azure.common.client_factory import get_client_from_cli_profile
    # please enter your tenant domain below, for Microsoft, using: microsoft.onmicrosoft.com
    !az login --tenant 'microsoft.onmicrosoft.com'
    compute_client = get_client_from_cli_profile(ComputeManagementClient, subscription_id = subscription_id)
    storage_client = get_client_from_cli_profile(StorageManagementClient, subscription_id = subscription_id)
elif selected_auth.value == 'Service Principal':
    client_id=input('client_id:')
    secret=input('secret:')
    tenant_id = input('tenant_id:')
    compute_client, network_client, resource_client, storage_client = auth.authenticate('Service Principal', **{'client_id': client_id, 'secret' : secret, 'tenant_id' : tenant_id, 'subscription_id' : subscription_id})
else:
    from azure.common.credentials import UserPassCredentials
    import getpass
    uid = input('User ID:')
    pwd = getpass.getpass()
    compute_client, network_client, resource_client, storage_client = auth.authenticate('User ID Password', **{'user_id': uid, 'password' : pwd, 'subscription_id' : subscription_id})

compute = SentinelAzure.azure_compute_helper.ComputeHelper(compute_client, resource_group)
storage = SentinelAzure.azure_storage_helper.StorageHelper(storage_client)

## 2. Manage Blob Storage

1. Storage Account

In [None]:
import ipywidgets as widgets
from IPython.display import display
storage_account_creation = ['Creating new account', 'Using exist account']
selected_method = widgets.Dropdown(options=storage_account_creation, value=storage_account_creation[0],description='storage_account_creation:')
display(selected_method)

In [None]:
storage_account = None
if selected_method.value == 'Creating new account':
    # usert input storage account name
    storage_account_name = input('storage_account_name:')
    storage_location = input('storage_location:')
    name_availability = storage.is_storage_account_name_available(storage_account_name)
    if name_availability.name_available == False:
        print('Name is already used, please re-run this cell and provide a different name')
    else:
        async_storage_creation = storage.create_storage_account_async(storage_account_name, resource_group, **{'storage_location' : storage_location})
else:
    storage_account_list = storage.get_storage_account_names(resource_group)
    import ipywidgets as widgets
    from IPython.display import display
    selected_storage_account_name = widgets.Dropdown(options=storage_account_list, value=storage_account_list[0],description='existing_storage_accounts:')
    display(selected_storage_account_name)

2. Get Storage Account Key

In [None]:
if selected_method.value == 'Using exist account':
    storage_account = storage.get_storage_account_properties(selected_storage_account_name.value, resource_group)
    storage_account_name = storage_account.name

storage_key = storage.get_storage_account_key(storage_account_name, resource_group)

3. Blob Storage Container

In [None]:
import ipywidgets as widgets
from IPython.display import display
blob_container_creation = ['Creating new container', 'Using exist container']
selected_blob_method = widgets.Dropdown(options=blob_container_creation, value=blob_container_creation[0],description='blob_container_creation:')
display(selected_blob_method)

In [None]:
from azure.storage.blob import BlockBlobService, PageBlobService, AppendBlobService
from azure.storage.blob.models import BlobBlock, ContainerPermissions, ContentSettings

blob_container = None
blob_container_name = input('blob_container_name:')
storage.initialize_block_blob_service(storage_account_name, storage_key, blob_container_name)

if selected_blob_method.value == 'Creating new container':
    blob_conteiner = storage.create_blob_container()
else:
    blob_conteiner = storage.get_blob_container()

In [None]:
sas_expiration_in_days = 10
target_os_type = input('target_os_type:')
sas_url = storage.generate_blob_container_sas_url(sas_expiration_in_days)
upload_container_path = storage.build_upload_container_path(target_os_type, sas_url)
print(upload_container_path)

## 3. Create VM Extension

1. Initialization

In [None]:
# Input parameters, no need to modify
if target_os_type == 'Windows':
    command_to_execute = 'powershell -File installNotebookExtension.ps1 "{0}" >> out.txt'.format(upload_container_path)
    file_list = ['https://pinotebookresults.blob.core.windows.net/results/installNotebookExtension.ps1?sp=r&st=2019-03-28T21:34:09Z&se=2019-06-01T05:34:09Z&spr=https&sv=2018-03-28&sig=83jlp%2Fr%2BVcuGRLRij6jssqMerCgkk2pp0s007sLUPpM%3D&sr=b', 'https://pinotebookresults.blob.core.windows.net/results/piextension.zip?sp=r&st=2019-03-28T21:44:08Z&se=2019-06-01T05:44:08Z&spr=https&sv=2018-03-28&sig=UoBRXLRK9C4xurBjYu%2FkqqlkjCSi%2B3FlmFiWcsqlu6E%3D&sr=b']
    vm_extension_properties = SentinelAzure.WindowsVMExtensionProperties(command_to_execute, file_list)
elif target_os_type == 'Linux':
    command_to_execute = './piondemand.sh "' + upload_container_path + '"'
    file_list = ['https://pilinuxstorage.blob.core.windows.net/release/ondemand/latest/piondemand.sh?sp=r&st=2019-03-26T18:25:43Z&se=2019-08-24T02:25:43Z&spr=https&sv=2018-03-28&sig=Cd89A/kt3Yjwx64Sk2l6rKMDQmdDaH1AX/WBfpH7D70=&sr=b','https://pilinuxstorage.blob.core.windows.net/release/ondemand/latest/pilinux.ondemand.tar.bz2?sp=r&st=2019-03-26T18:24:54Z&se=2019-07-20T02:24:54Z&spr=https&sv=2018-03-28&sig=nNJHV8ESXXZQXV/1BO4TGaagdINWaZGo/f6Kxh2QGd0=&sr=b']
    vm_extension_properties = SentinelAzure.LinuxVMExtensionProperties(command_to_execute, file_list)

In [None]:
vm_extension_name = 'sentinelmemoryinvestigator'
vm_name = input('vm_name:')
vm_location = input('vm_location:')

2. Create VM Extension

In [None]:
vm_extension = compute.initialize_vm_extension(vm_extension_properties, vm_location)
create_vm_async = compute.create_vm_extension_async(vm_name, vm_extension_name, vm_extension)
print(create_vm_async.provisioning_state)

## 4. Read Memory Dump Data

In [None]:
from pandas.io.json import json_normalize
returned_json = compute.get_uploaded_result(upload_container_path)

1. Machine Information

In [None]:
if returned_json.get('machine'):
    df_stats = json_normalize(returned_json['machine'])
    display(df_stats)
elif returned_json.get('Machine'):
    df_machine = json_normalize(returned_json['Machine'])
    display(df_machine)

2. Procrss List

In [None]:
if returned_json.get('ProcessList'):
    df_process_list = json_normalize(returned_json['ProcessList'])
    display(df_process_list)
elif returned_json.get('processList'):
    df_process_list = json_normalize(returned_json['processList'])
    display(df_process_list)

3. Conclusion

In [None]:
if returned_json.get('Stats'):
    df_stats = json_normalize(returned_json['Stats'])
    display(df_stats)
elif returned_json.get('scanSummary'):
    df_summary = json_normalize(returned_json['scanSummary'])
    display(df_summary)

## 5. Delete VM Extension as a final step

In [None]:
del_result = compute.delete_vm_extension_async(vm_name, vm_extension_name)