Computer Hacking Forensic Investigator (CHFI v10) — Question 568
Donald made an OS disk snapshot of a compromised Azure VM, under a resource group being used by the affected company, as part of the forensic analysis process. He then created a VHD file from the snapshot and stored it in a file share and as a page blob, as a backup, in a storage account in a different region. What is the next thing he should do as a security measure?
Answer options
- A. Delete the OS disk of the affected VM altogether
- B. Delete the snapshot from the source resource group
- C. Recommend changing the access policies followed by the company
- D. Create another VM by using the snapshot
Correct answer: B
Explanation
The correct action is to delete the snapshot from the source resource group to prevent any potential unauthorized access to the compromised data. Keeping the snapshot could expose sensitive information or allow further attacks. The other options either do not address the immediate security concern or could create additional risks.