ISC2 Certified Cloud Security Professional (CCSP) Practice Question

While building an incident-response runbook, investigators note that, when servers were on-premises, they preserved evidence by taking hash-verified, bit-level images of each affected hard drive. The same workload now runs in a multitenant public IaaS cloud. Which cloud-specific limitation is MOST likely to prevent the team from using that identical physical-drive imaging technique after a breach?

Snapshot APIs in the cloud automatically zero deleted blocks, removing slack space needed for evidence.
Hypervisor event logs in the cloud cannot be exported in formats recognized by standard forensic suites.
The tenant cannot gain physical access to the multitenant storage hardware that underpins the virtual disks.
Provider-managed encryption of all customer data at rest with HSM-protected keys blocks direct imaging.

Report Issue

Answer Description

Because the underlying storage devices in a public IaaS cloud are owned and controlled by the provider and are shared among many tenants, customers cannot obtain physical custody of those disks or attach hardware imagers to them. This prevents the team from repeating the exact same physical-drive imaging process they used on-premises. Instead, they must shift to cloud-native approaches-such as provider-facilitated volume snapshots-to acquire bit-level copies and maintain chain of custody. The other listed issues (non-exportable hypervisor logs, provider-managed encryption, or snapshots that zero deleted blocks) can complicate analysis but do not in themselves stop investigators from creating a forensic image via the cloud provider's tooling.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.