Apr 27 2017 11:44 AM
We had an Azure ARM server undergo a brute-force attack. The attacker got into the server by attacking a service account on our domain. Once inside the server, the attacker encrypted the server with a variation of .dharma. The server was less than a week old, so staff had entered only small data batches into the new server.
I created the server with a 1TB size drive. Our security consultant would like a download of the VHD to test if the attacker breached any data in addition to encrypting data on the server. I would mount the VHD file in a segregated Hyper-V environment for the security consultant to test for a data breach. The consultant does not want to test for the breach on the now deallocated server to preserve the chain of evidence.
Thank you for your thoughts.
Apr 30 2017 06:53 AM
Solution
AzCopy, or Microsoft Storage Explorer, should only download the actual data, and once it realizes the rest is empty the file should be generated. But the file will still indicate on your end that it is, and requires, 1 TB.
May 01 2017 04:13 AM
I ended up using Microsoft Azure Storage Explorer and the VHD download successfully and in a reasonable amount of time. Thanks.
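Once the VHD is on your end, the two things worth recording before handing it to the consultant are a hash of the whole file (for the chain of custody) and a check that the download is a complete, fixed-size VHD whose footer declares the expected 1 TB. The following is an added example, not code from the thread: it parses the 512-byte VHD footer (the "conectix" cookie, disk type, current size and checksum fields from the VHD format spec) and also builds a small constructed sample VHD so it can be run offline.

```python
import hashlib
import struct
import tempfile

FOOTER_LEN = 512
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    # One's complement of the byte sum, taken with the checksum field (offset 64..68) zeroed.
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def make_sample(payload: bytes) -> str:
    # Constructed sample: a fixed VHD is the raw disk image followed by a 512-byte footer.
    footer = bytearray(FOOTER_LEN)
    struct.pack_into(">8s", footer, 0, b"conectix")
    struct.pack_into(">I", footer, 8, 2)                   # features: reserved bit always set
    struct.pack_into(">I", footer, 12, 0x00010000)         # file format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF)  # data offset: none for fixed disks
    struct.pack_into(">Q", footer, 40, len(payload))       # original size
    struct.pack_into(">Q", footer, 48, len(payload))       # current size
    struct.pack_into(">I", footer, 60, 2)                  # disk type: fixed
    struct.pack_into(">I", footer, 64, vhd_checksum(bytes(footer)))
    path = tempfile.mktemp(suffix=".vhd")
    with open(path, "wb") as f:
        f.write(payload)
        f.write(footer)
    return path


def evidence_record(path: str) -> dict:
    # Hash the entire file (what goes in the custody log) and validate the trailing footer:
    # a truncated or partial download fails the cookie/checksum/length checks here.
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
        f.seek(-FOOTER_LEN, 2)
        footer = f.read(FOOTER_LEN)
        file_len = f.tell()
    current_size, = struct.unpack_from(">Q", footer, 48)
    disk_type, = struct.unpack_from(">I", footer, 60)
    stored_sum, = struct.unpack_from(">I", footer, 64)
    return {
        "sha256": sha.hexdigest(),
        "valid_footer": footer[:8] == b"conectix" and stored_sum == vhd_checksum(footer),
        "disk_type": DISK_TYPES.get(disk_type, "unknown"),
        "declared_size": current_size,            # for the downloaded disk this should be 1 TB
        "complete": file_len == current_size + FOOTER_LEN,
    }
```

Run `evidence_record("<downloaded>.vhd")` on the real file and keep the returned dict alongside the download timestamp; a `complete` of False means the image is not the whole disk and should not be mounted as evidence.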