CCSP Domain 5: Forensics Flashcards
What is the most common means of capturing disk images from virtual machines in IaaS environments?
use of the provider’s snapshot tool
What step typically comes after forensic artifacts are identified?
preservation
Organization wants to preserve forensics artifacts from a running instance in their cloud environment. What two key steps should they take to ensure they can perform forensic analysis?
- create a snapshot of the running instance
- make bit-for-bit copies of any mounted volumes
What should he do to validate forensic data after capturing disk snapshots for the VM’s OS and data disks from an Azure-hosted VM?
compare hashes of the VM’s OS and data disks and the snapshots of each
Organization wants to conduct a forensic analysis of potentially malicious traffic in a SaaS environment. What tools should they use to conduct this analysis?
analyzing network traffic in a SaaS environment is typically not possible for customers
What technique is used to reduce the possibility that captured data is not affected while the copies are being made?
forensic imaging
Does forensic investigation require the participation of the cloud provider?
in many cases yes; customer is not able to (legally, technically or both) to capture the necessary material in a manner or with the detail required for the satisaction of a court
What does chain of custody provide?
nonrepudiation
What needs to be assured with the cloud provider in terms of chain of custody?
that their chain of custody process aligns with our own
What is recommended to do when a forensic analysis is required?
obtain services of fornesic professionals certified and licensed to perform forensic activities
Which ISO standards are an excellent guide for collecting, preserving and analyzing forensic data?
ISO 27037 and ISO 27042
What process does Digital Forensics outline?
process of collecting evidence in a manner that it may be used in court with reliability
Which organizations provide guidance on best practices for collecting digital evidence and conducting forensic investigations in the cloud?
ISO/IEC and CSA
What is the “Cloud Computing Forensic Science Challenges” standard?
NIST NISTIR 8006
What does NISTIR from NIST NISTIR 8006 stand for?
NIST Interagency or Internal Reports