ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security analyst must preserve disk evidence from a running Amazon EC2 instance that is suspected of hosting malware. According to forensic best practices, which initial action will BEST capture the data while maintaining the chain of custody and preventing accidental modification of the original evidence?
Use the no-reboot option to create an Amazon Machine Image (AMI) of the instance, then terminate the original instance to stop changes.
Stop the instance, detach all EBS volumes, and attach them to a separate forensic EC2 instance in the same account for analysis.
Install an up-to-date antivirus engine on the instance and perform a full malware scan before copying suspect files to Amazon S3.
Create an Amazon EBS snapshot of every attached volume from the AWS console and apply evidence tags before any other action.
Forensic preservation aims to collect data in a manner that does not alter the original evidence and allows investigators to prove its integrity. Creating an Amazon EBS snapshot from the AWS console (or CLI) produces an immutable, point-in-time, read-only copy of each attached volume without requiring volume detachment or system modification. The snapshot can be cryptographically hashed and securely shared with a dedicated investigation account to maintain a clear chain of custody. Selecting the "no-reboot" option to create an AMI still interacts with the instance and may leave artifacts that alter evidence. Detaching volumes or stopping the instance changes metadata such as access times and increases the risk of inadvertent writes. Running antivirus before acquisition directly alters the evidence and therefore violates forensic principles.
Incident Response and Recovery