Certified Cloud Security Engineer (CCSE) — Question 6

An IT company uses two resource groups, named Production-group and Security-group, under the same subscription ID. Under the Production-group, a VM called Ubuntul8 is suspected to be compromised. As a forensic investigator, you need to take a snapshot (ubuntudisksnap) of the OS disk of the suspect virtual machine Ubuntu18 for further investigation and copy the snapshot to a storage account under Security-group. Identify the next step in the investigation of the security incident in Azure?

Answer options

• A. Generate shared access signature
• B. Mount the snapshot onto the forensic workstation
• C. Create a backup copy of snapshot in a blob container
• D. Copy the snapshot to file share

Correct answer: C

Explanation

The correct answer is C, as creating a backup copy of the snapshot in a blob container ensures that the data is securely stored for further analysis. Option A is incorrect because generating a shared access signature is not a necessary immediate step for copying the snapshot. Option B is wrong since mounting the snapshot onto a forensic workstation is not the next logical action before ensuring the snapshot is safely stored. Option D is also incorrect because copying the snapshot to a file share does not align with the requirement of using a blob container for backup.