Skip to main content

How to import Oracle Cloud Virtual Machines

First, you need to take a clone of the instance boot volume. Note that this will affect the instance as it performs a shutdown task and will restart the instance on completion.

Open the Oracle Cloud Infrastructure (“OCI”) console, and browse to Compute -> Instances:

Oracle

Select the instance you want to acquire:

Oracle

From the Resources section, select Boot volume and then click on the Boot volume that is attached to the instance: Oracle

This will take you to the Boot volume's details page -> select Boot Volume Clones from the Resources menu on the left: Oracle

Click Create Clone button -> Give the clone volume an appropriate name -> then click the Create Clone button at the bottom of the page:

Oracle

Deploy your pre-built forensics instance, in this case example Kali Linux:

Oracle

For Kali Linux, the SSH daemon is not installed by default and connections to the instance are made using Cloud Shell. Select Console connection from the Resources list on the left of the screen.

Click on Launch Cloud Shell connection:

Oracle

Attach the cloned disk to the forensic instance, selecting Paravirtualized as the attachment type. As this is a Boot volume we are not able to select Read only - shareable as the Access type:

Oracle

Once the volume is attached you can switch over to your Cloud Shell session to acquire an image. We have used the command lsblk to identify the device identified for the attached disk, in this case it is sdb:

Oracle

To create the disk image, you can use dc3dd:

Oracle

Looking at the size of the image file test-clone.dd, 47GB, it's going to take time to transfer the image out of OCI:

Oracle

To make the process easier, you can use gzip to compress it: Oracle

As the dd.gz file is less than 5GB in size, you can use our cado-host binary to upload the file directly to an S3 bucket and it will be automatically imported into an investigation for processing and analysis.

The first step is to create an investigation in the Cado platform, from there we will use the Cado Host import capability:

Oracle

When you select Cado Host, you are presented with a series of options and in this case as we are using Kali Linux we will select Linux as the Target Operating System. We are not going to using any additional Runtime Options so we can skip that step and you can see that we automatically generate a command block, to be used to transfer the image:

Oracle

The cado-host binary is available from our public s3 bucket so you can use curl to download it onto the Kali instance:

Oracle

One of the switches for cado-host is –single_file_unzipped, which will upload a single file to the Cado bucket using the presigned_data details from the command that’s generated from the import page:

Oracle

Switching over to our Cado platform, you can see that the file has been successfully imported and processing tasks have been started:

Oracle

Once the processing has been completed, you can move onto analyzing the captured image:

Oracle Oracle Oracle