Computer Hacking Forensic Investigator (CHFI v10) — Question 420
A CHFI is analyzing suspicious activity on a company's AWS account. She suspects an unauthorized user accessed and deleted a crucial bucket object. To trace the potential perpetrator, which of the following should she primarily rely on?
Answer options
- A. S3 Server Access logs to understand actions performed on a bucket object
- B. AWS CloudTrail logs to determine when and where the specific API calls were made
- C. Amazon CloudWatch logs to monitor system and application log data in real time
- D. Amazon VPC Flow Logs to scrutinize the IP traffic entering and leaving the specific VPC
Correct answer: B
Explanation
The correct answer is B because AWS CloudTrail logs provide detailed records of API calls made in the account, allowing the CHFI to pinpoint when and how the unauthorized access occurred. The other options, while useful, do not specifically track API calls related to the bucket object deletion, making them less relevant in this context.