Hello Reader,
     If you read #DFIR twitter daily, I mean who doesn’t!, then you likely saw this post by Jordan Barth

Let me explain what Jordan’s talking about and  why you should care if your doing DFIR in Azure.

 Full disclosure Jordan is a fellow KPMGer and he knows his Azure.

So first, AZCopy is an utility created by Microsoft for moving data to or from Azure. You can read more about it here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Second SAS urls or SAS tokens stand for Shared Access Signature tokens which allow you to provide access to a resource with a single URL rather than providing login credentials. This let’s you take let’s say a compromised VHD and provide read only access to it even if:
1. You’re not in the same subscription/tenant
2. You’re not in the same organization
3. You don’t have an account in that tenant

Just like in Google Docs you can provide a ‘edit’ or ‘view’ link to others without adding them to your account, you can do the same with Azure resources. This allows you to quickly allow let’s say a IR tenant read only access to your production tenant without typing off an attacker anything has happened or starting up new instances in the compromised environment.

What Jordan is talking about though is not the security and convenience of AZCopy with SAS tokens, but rather the speed you will get when you make use of the Azure API rather than the browser. I’m sure this is even faster within Azure itself to make copies.

So make sure you know your cloud environment and start getting things in place to allow you to test and simulate incidents before you need them!