ISC2 Certified Cloud Security Professional (CCSP) Practice Question
During an incident response, your IaaS provider notifies you that a compromised Linux virtual machine running a Docker container will be auto-scaled down in the next five minutes. You are tasked with supporting digital forensics and must preserve volatile evidence from the running container while maintaining its admissibility in court. Which action should you perform first?
Generate a live memory snapshot of the container and immediately calculate a SHA-256 hash of the snapshot file.
Export the container's syslog files to on-premises storage using SCP over an encrypted tunnel.
Power off the virtual machine to freeze the container state and rely on the cloud provider's automated backups.
Spin up an identical container on the same host to replicate the attack traffic for later analysis.
Volatile data such as active processes, network connections, and in-memory malware will be lost once the container or its host is terminated. The first forensic priority is therefore to capture a live memory image. Calculating and recording a cryptographic hash at the time of acquisition establishes the evidence's integrity and supports chain-of-custody requirements. Copying log files alone omits volatile artifacts, shutting down the VM destroys live evidence, and duplicating the container does not preserve the original state.
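The sequence the explanation describes (memory first, hash at acquisition, custody record that later handlers can verify) as a worked example. This script is added here and is not part of the original question or any ISC2 material; it assumes a Linux host with root access, a Docker CLI with experimental features enabled (needed for `docker checkpoint`), CRIU installed, and `sha256sum`, `nsenter` and `ss` available. The `custody.tsv` ledger format is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original page): preserve volatile evidence from a
# running Docker container and hash each artifact as soon as it is acquired.
# Assumes root, docker with experimental checkpoint support, CRIU, sha256sum,
# nsenter and ss on the host.
set -eu

# Hash a file and append a custody record (UTC time, examiner, SHA-256, path)
# to a tab-separated ledger. Hashing at acquisition time fixes the baseline
# that every later custodian compares against. Prints the digest.
record_evidence() {
    file=$1; ledger=$2; examiner=${3:-$(id -un)}
    digest=$(sha256sum "$file" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$examiner" "$digest" "$file" >> "$ledger"
    printf '%s\n' "$digest"
}

# Re-hash every file in the ledger and compare with the recorded digest.
# Returns non-zero if any artifact changed after acquisition.
verify_ledger() {
    ledger=$1; status=0
    while IFS="$(printf '\t')" read -r ts examiner digest file; do
        current=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$current" = "$digest" ]; then
            printf 'OK      %s\n' "$file"
        else
            printf 'CHANGED %s (recorded %s, now %s)\n' "$file" "$digest" "$current"
            status=1
        fi
    done < "$ledger"
    return $status
}

# Acquisition order for a container whose host is about to be scaled down:
# process memory/state first (gone on termination), then process and socket
# lists from inside the container's namespaces, then the writable layer.
acquire_container() {
    container=$1; outdir=$2; ledger=$outdir/custody.tsv
    mkdir -p "$outdir/checkpoint"

    # 1. CRIU checkpoint of the container's processes, leaving it running so
    #    the attacker's state is not disturbed before the image is taken.
    docker checkpoint create --leave-running \
        --checkpoint-dir "$outdir/checkpoint" "$container" "ir-$(date -u +%s)"
    tar -C "$outdir" -cf "$outdir/checkpoint.tar" checkpoint
    record_evidence "$outdir/checkpoint.tar" "$ledger"

    # 2. Active processes and network connections as seen inside the container.
    docker top "$container" > "$outdir/processes.txt"
    record_evidence "$outdir/processes.txt" "$ledger"
    pid=$(docker inspect -f '{{.State.Pid}}' "$container")
    nsenter -t "$pid" -n ss -tunap > "$outdir/connections.txt"
    record_evidence "$outdir/connections.txt" "$ledger"

    # 3. Filesystem changes and the writable layer, acquired last because they
    #    survive a container stop and are the least volatile artifacts here.
    docker diff "$container" > "$outdir/diff.txt"
    record_evidence "$outdir/diff.txt" "$ledger"
    docker export "$container" > "$outdir/rootfs.tar"
    record_evidence "$outdir/rootfs.tar" "$ledger"

    printf 'Evidence and custody ledger written to %s\n' "$outdir"
}

# Usage: sh acquire.sh <container-id> <evidence-dir>
# Functions only are defined when the script is sourced or run without args.
[ "$#" -eq 0 ] || acquire_container "$1" "$2"
```

Run `verify_ledger evidence/custody.tsv` whenever the evidence changes hands; a `CHANGED` line means the artifact no longer matches what was hashed at acquisition and its integrity can no longer be attested.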