Computer Hacking Forensic Investigator (CHFI v10) — Question 423
A sophisticated cyber-attack has targeted an organization, and the forensic team is called in for incident response. The organization's assets are largely hosted on AWS, particularly on S3 and EC2 instances. As a forensic investigator, your first step toward preserving valuable evidence on the EC2 instances is:
Answer options
- A. Retrieve and analyze log data from the affected EC2 instances
- B. Encrypt all the data present in the EC2 instances to avoid further unauthorized access
- C. Immediately isolate the affected EC2 instances from the network to avoid data corruption
- D. Create a snapshot of the EBS volume in the affected EC2 instance and share it with the forensic team for analysis
Correct answer: D
Explanation
Creating a snapshot of the EBS volume attached to the affected EC2 instance is the most effective way to preserve the instance's current state and data: the snapshot is a point-in-time copy that the forensic team can analyze without altering the original evidence. Analyzing logs and isolating instances are important steps, but neither guarantees that the volume data remains intact for the investigation. Encrypting the data does not preserve evidence and may complicate the forensic analysis.