
Quick and Easy Imaging of GCP Compute

Suppose we have a suspected compromised GCP Compute VM and we want to investigate further. In today's age, we'd likely leverage some kind of EDR; ideally it'd be pre-installed and we could simply look at the logs there. But suppose we don't, or suppose we want to do some actual disk forensics. How easy is it?

There are a couple of resources on this topic, and I often find myself coming back to this video from Cloud Next '18.

Taking an image

At a high-level, the process goes something like this:

  1. Create a snapshot from the GCE attached disk
  2. Create an image from the snapshot
  3. Export the disk image

A quick aside: you may be wondering why you need a snapshot and can't just create an image directly from the disk. Because the disk is attached to a running instance, gcloud refuses to image it directly (there is a --force flag to override that, but the snapshot route gives you a point-in-time copy without touching the running instance, which is what you want for evidence):

$ gcloud compute disks list
NAME: web-server
LOCATION: us-central1-a
LOCATION_SCOPE: zone
SIZE_GB: 10
TYPE: pd-balanced
STATUS: READY

$ gcloud compute images create web-server-image --source-disk=web-server
ERROR: (gcloud.compute.images.create) Could not fetch resource:
 - The disk resource 'projects/project/zones/us-central1-a/disks/web-server' is already being used by 'projects/project/zones/us-central1-a/instances/web-server'

So firstly we create a snapshot of the disk:

$ gcloud compute disks snapshot web-server --snapshot-names=web-server-snapshot

Creating snapshot(s) web-server-snapshot...done.

Then we can use this to create an image:

$ gcloud compute images create web-server-image --source-snapshot=web-server-snapshot

Created [https://www.googleapis.com/compute/v1/projects/project/global/images/web-server-image].
NAME: web-server-image
PROJECT: project
FAMILY:
DEPRECATED:
STATUS: READY

And finally we can export the image. Supported export formats are raw (the default), vmdk, vhdx, vpc, vdi, and qcow2, selected with --export-format; raw is what most disk forensics tools expect.

💡
You'll need to create a Cloud Storage bucket first. The export itself runs as a Cloud Build job, so the Cloud Build API must be enabled in the project and its service account needs permission to write to that bucket. If you're doing this in a production environment, you'll likely need to make some IAM changes, so prepare these in advance and save the headache and delay in the middle of an investigation!
$ gcloud compute images export --destination-uri=gs://forensics-bucket/web-server.raw --image web-server-image

<...snip...>

$ gsutil ls gs://forensics-bucket
gs://forensics-bucket/web-server.raw

And with that, we can hash the image, mount it read-only, or investigate it using our favourite disk forensics tools!

$ cat /mnt/tmp/flag.txt
RkxBR3tHQ1BfRElTS19GT1JFTlNJQ1NfRlVOfQ==
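The whole procedure as one script, added here as an example and not part of the original post: snapshot, image, export, then download with a recorded SHA-256 and a read-only loop mount of the raw image. The DISK, ZONE and BUCKET defaults, the /evidence and /mnt/evidence paths, the evidence_tag naming convention and the DRY_RUN switch are this script's own assumptions; the gcloud, gsutil, losetup and mount invocations are real flags.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): snapshot -> image -> export,
# then hash the download and mount the raw image read-only. Assumed: the
# DISK/ZONE/BUCKET defaults, the /evidence path and the DRY_RUN switch are
# this script's own conventions, not gcloud's.
set -eu

DISK="${DISK:-web-server}"
ZONE="${ZONE:-us-central1-a}"
BUCKET="${BUCKET:-forensics-bucket}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run: execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# evidence_tag: disk name plus a UTC timestamp, so repeated acquisitions never
# collide and the resource names themselves record when the copy was taken.
evidence_tag() {
  printf '%s-%s\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# acquire: the three steps from the post. The snapshot is taken from the live
# disk (the instance keeps running), the image is built from the snapshot, and
# the image is exported to the bucket as raw. Prints the gs:// URI last.
acquire() {
  tag="$1"
  snap="${tag}-snapshot"
  img="${tag}-image"
  uri="gs://${BUCKET}/${tag}.raw"
  run gcloud compute disks snapshot "$DISK" --zone="$ZONE" --snapshot-names="$snap"
  run gcloud compute images create "$img" --source-snapshot="$snap"
  # The export runs as a Cloud Build job: the API must be enabled and the
  # Cloud Build service account needs write access to the bucket.
  run gcloud compute images export --image="$img" --destination-uri="$uri" --export-format=raw
  printf '%s\n' "$uri"
}

# fetch_and_hash: pull the image down and record a SHA-256 before any tool
# touches it; the .sha256 file is the reference hash for the rest of the case.
fetch_and_hash() {
  uri="$1"
  out="$2"
  run gsutil cp "$uri" "$out"
  run sh -c "sha256sum '$out' | tee '$out.sha256'"
}

# mount_ro: attach the raw image to a read-only loop device with partition
# scanning, then mount one partition read-only. noload (ext3/ext4) stops the
# kernel replaying the journal, which would otherwise write to the evidence;
# use norecovery instead for XFS. Prints the loop device so it can be
# detached later with losetup -d.
mount_ro() {
  image="$1"
  part="${2:-1}"
  mnt="${3:-/mnt/evidence}"
  loop=$(run sudo losetup --find --show --read-only --partscan "$image")
  run sudo mkdir -p "$mnt"
  run sudo mount -o ro,noload,noexec "${loop}p${part}" "$mnt"
  printf '%s\n' "$loop"
}

# Usage: ./gce-acquire.sh run   (DRY_RUN=1 ./gce-acquire.sh run to preview)
if [ "${1:-}" = "run" ]; then
  tag=$(evidence_tag "$DISK")
  uri=$(acquire "$tag" | tail -n 1)
  fetch_and_hash "$uri" "/evidence/${tag}.raw"
  mount_ro "/evidence/${tag}.raw" 1 /mnt/evidence
fi
```

Run it once with DRY_RUN=1 to review the exact commands (and resource names) before anything is created in the project. Partition 1 is the root filesystem on the stock Debian GCE images; for anything else, inspect the partition table first (for example with fdisk -l or The Sleuth Kit's mmls on the raw file) and pass the right partition number.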