SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact Us
Physical disk forensics has a physical problem: the disk has to be in the room. When the target is a virtualized disk sitting in a cloud data center, you cannot attach a Tableau write-blocker to it. The acquisition model changes entirely in the cloud, and in most ways, it changes for the better.
This post covers what cloud-native acquisition gives you that physical acquisition does not, and how to create a forensic snapshot on AWS, Azure, and Google Cloud.
Physical acquisition chains responders to hardware. Write-blockers prevent writes during imaging but require physical co-location with the target drive. When that drive is a virtual disk inside a cloud provider's infrastructure, co-location is not an option, as you are not seizing hardware from a data center cage.
When physical access is feasible, the process still introduces friction: investigator travel, secure media shipment, and documented chain-of-custody at every handoff. Each step adds delay and creates an opportunity for evidentiary challenges.
Speed is another constraint. Physical imaging is bounded by the storage bus. A 1 TB drive over USB 3.0 takes 40 minutes at SSD speeds—and 1.5 to 3 hours for a typical spinning disk—before any analysis begins. Cloud snapshots are copy-on-write operations at the storage layer. They complete in seconds regardless of disk size, because the provider is not copying bytes synchronously at acquisition time.
Scale changes as well. Physical acquisition is one drive per investigator per imaging rig. Cloud snapshots can be automated across dozens of instances simultaneously. AWS Automated Forensics Orchestrator for Amazon EC2 is a published solution that demonstrates this pattern: event-driven, automated snapshot and isolation across an entire fleet in response to a GuardDuty finding.
Physical drives can sustain damage in transit, or contain bad sectors that cause inconsistent reads and complicate bit-for-bit verification. Cloud storage has no equivalent surface-level defect. A snapshot API call either succeeds or fails; there is no partial read corruption introduced by a degraded spindle.
Cloud VM snapshots were designed for backup continuity, not forensic investigation. But that same API gives responders capabilities that exceed a write-blocker in most IR scenarios: remote access, API-level logging of every action, immutable storage options, and cryptographic hash integration.
The acquisition workflow is consistent across AWS, Azure, and Google Cloud:
Apply these permissions to a dedicated forensic IAM role, service account, or managed identity, not a named user account. Named accounts complicate attribution in audit logs and create credential-sharing risk.
ec2:DescribeInstances
ec2:DescribeVolumes
ec2:CreateSnapshot
ec2:DescribeSnapshots
ec2:CreateVolume
ec2:AttachVolume Microsoft.Compute/virtualMachines/read
Microsoft.Compute/disks/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/disks/write
Microsoft.Compute/snapshots/read compute.instances.list
compute.disks.list
compute.instances.get
compute.disks.get
compute.disks.createSnapshot
compute.disks.create
compute.snapshots.useReadOnly
compute.instances.attachDisk
compute.disks.useAuthenticate
aws login Identify target volume(s)
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<InstanceID>Create snapshot
aws ec2 create-snapshot --volume-id <VolID> Create a new volume from the snapshot (for mounting)
aws ec2 create-volume --snapshot-id <SnapID> --availability-zone <AZ> Authenticate
az loginIdentify the target managed disk
az vm show -g <ResourceGroup> -n <VMName> --query "storageProfile.osDisk.managedDisk.id" Create snapshot
az snapshot create -g <RG> -n <SnapName> --source <DiskResourceID> Create a new disk from the snapshot (for mounting)
az disk create -g <RG> -n <DiskName> --source <SnapID> Note: The VM does not need to be stopped to create a snapshot, but Microsoft recommends a clean shutdown for filesystem consistency. Document your choice either way.
Authenticate
gcloud auth login Identify attached disks on the target instance
gcloud compute instances describe <VMName> --zone <Zone> --format="get(disks)" Create snapshot
gcloud compute disks snapshot <DiskName> --snapshot-names=<SnapName> --zone=<Zone>Create a new disk from the snapshot (for mounting)
gcloud compute disks create <DiskName> --source-snapshot <SnapName> Note: Wait until snapshot status reaches UPLOADING before resuming any paused application writes on the source.
A new disk based on the snapshot you took is the result of step one. Part 2 covers what to do with it: mounting a read-only evidence disk to a forensic VM within the cloud environment versus exporting or downloading the image for offline analysis.
Part 2 will also address a Google Cloud unallocated space caveat where we will see that a true full disk image capture is not possible.
Leveraging AWS, Azure, and Google Cloud resources to gather evidence during investigations is a capability analysts train in FOR509: Enterprise Cloud Forensics and Incident Response.


Megan is a Senior Security Engineer at Datadog, SANS DFIR faculty, and co-author of FOR509. She holds two master’s degrees, serves as CFO of Mental Health Hackers, and is a strong advocate for hands-on cloud forensics training and mental wellness.
Read more about Megan Roddie-Fonseca