Computer Hacking Forensic Investigator (CHFI v10) — Question 454
During incident response to a data breach in a company's AWS environment, a forensic investigator is tasked with analyzing and extracting data from different storage types for further examination. Given that Amazon S3, EBS, and EFS were used, what would be the most appropriate and effective course of action?
Answer options
- A. Implement ACL permissions for S3 buckets, and attach the affected EFS to a Linux instance for data extraction
- B. Create IAM policies to restrict access, and proceed with data extraction from EBS and EFS storage types
- C. Extract all data directly from Amazon S3 and EBS, and attach the EFS to a Linux instance for data extraction
- D. Snapshot the affected EBS volumes and S3 buckets, and mount EFS to a Linux instance for analysis
Correct answer: D
Explanation
The correct choice is D because creating snapshots of EBS volumes and S3 buckets ensures data integrity and allows for safe analysis without altering the original data. Options A and C do not prioritize data integrity through snapshots, and B does not include S3, which is crucial for a comprehensive forensic investigation.