CCSP Domain 5: Forensics

Question 1

What is the most common means of capturing disk images from virtual machines in IaaS environments?

Answer 1

use of the provider’s snapshot tool

Question 2

What step typically comes after forensic artifacts are identified?

Answer 2

preservation

Question 3

Organization wants to preserve forensics artifacts from a running instance in their cloud environment. What two key steps should they take to ensure they can perform forensic analysis?

Answer 3

1. create a snapshot of the running instance
2. make bit-for-bit copies of any mounted volumes

Question 4

What should he do to validate forensic data after capturing disk snapshots for the VM’s OS and data disks from an Azure-hosted VM?

Answer 4

compare hashes of the VM’s OS and data disks and the snapshots of each

Question 5

Organization wants to conduct a forensic analysis of potentially malicious traffic in a SaaS environment. What tools should they use to conduct this analysis?

Answer 5

analyzing network traffic in a SaaS environment is typically not possible for customers

Question 6

What technique is used to reduce the possibility that captured data is not affected while the copies are being made?

Answer 6

forensic imaging

Question 7

Does forensic investigation require the participation of the cloud provider?

Answer 7

in many cases yes; customer is not able to (legally, technically or both) to capture the necessary material in a manner or with the detail required for the satisaction of a court

Question 8

What does chain of custody provide?

Answer 8

nonrepudiation

Question 9

What needs to be assured with the cloud provider in terms of chain of custody?

Answer 9

that their chain of custody process aligns with our own

Question 10

What is recommended to do when a forensic analysis is required?

Answer 10

obtain services of fornesic professionals certified and licensed to perform forensic activities

Question 11

Which ISO standards are an excellent guide for collecting, preserving and analyzing forensic data?

Answer 11

ISO 27037 and ISO 27042

Question 12

What process does Digital Forensics outline?

Answer 12

process of collecting evidence in a manner that it may be used in court with reliability

Question 13

Which organizations provide guidance on best practices for collecting digital evidence and conducting forensic investigations in the cloud?

Answer 13

ISO/IEC and CSA

Question 14

What is the “Cloud Computing Forensic Science Challenges” standard?

Answer 14

NIST NISTIR 8006

Question 14

What does NISTIR from NIST NISTIR 8006 stand for?

Answer 14

NIST Interagency or Internal Reports

Question 15

What does NIST NISTIR 8006 address?

Answer 15

common issues and solutions needed to address DFIR (Digital Forensics and Incident Response) in cloud environments

Question 16

When would you use NIST NISTIR 8006?

Answer 16

when responding to incidents that have occurred in a cloud-computing ecosystem; it aggregates, categorizes and discusses the forensic challenges faced by experts

Question 17

What does CSA Security Guidance offer?

Answer 17

guidance on legal concerns related to security, privacy and contractual obligations

Question 18

What does ISO/IEC 27050 offer?

Answer 18

framework, governance and best practices for forensics, eDiscovery, and evidence management

Question 19

ISO/IEC 27037:2012 offeres guidance for what?

Answer 19

collecting, identifying and preserving electronic evidence

Question 20

ISO/IEC 27041:2015 offeres guidance for what?

Answer 20

incident investigation

Question 21

ISO/IEC 27042:2015 offeres guidance for what?

Answer 21

evidence analysis

Question 22

ISO/IEC 27043:2015 offeres guidance for what?

Answer 22

incident investigation principles and processes