CHFI - Computer Hacking Forensic Investigator Cloud Forensics Questions and Answers

Question 1

An investigator suspects a compromised EC2 instance on Amazon Web Services (AWS) was used for malicious activity.
To preserve evidence for a forensic investigation, what is the most appropriate initial step to both contain the threat and preserve the state of the virtual machine's storage?

Accepted Answer

Isolate the instance using a restrictive security group and create a snapshot of its EBS volume.

Answer

Terminate the instance immediately to halt all malicious processes.

Answer

Log into the instance via SSH and create a tarball of the entire file system.

Answer

Submit a support ticket to AWS requesting a full physical disk image of the host server.

Question 2

A forensic analyst is investigating an incident in a Google Cloud Platform (GCP) environment and needs to determine which user account was responsible for creating a specific firewall rule that allowed malicious traffic. Which log source is the primary location to find this type of administrative activity?

Accepted Answer

Cloud Audit Logs (Admin Activity)

Answer

VPC Flow Logs

Answer

Cloud Storage usage logs

Answer

Logs from the virtual machine's OS

Question 3

Which of the following represents a major legal and logistical challenge that is significantly more prevalent in cloud forensics compared to traditional on-premises investigations?

Accepted Answer

Data sovereignty and cross-jurisdictional data access.

Answer

The need to maintain a chain of custody for evidence.

Answer

The requirement to use hashing algorithms to verify data integrity.

Answer

The process of recovering deleted files from unallocated space.

Question 4

A company utilizing a Software-as-a-Service (SaaS) application, such as Microsoft 365, experiences a data breach where an employee's account was used to access and exfiltrate sensitive documents from SharePoint Online. From a forensic standpoint, what is the primary limitation for the investigator?

Accepted Answer

Lack of access to the underlying cloud infrastructure and server logs.

Answer

Inability to create a forensic image of the user's workstation.

Answer

The data is always encrypted, making analysis impossible.

Answer

The inability to determine the IP address of the logged-in user.

Question 5

An investigator is analyzing a compromised Docker environment. It is suspected that an attacker gained access to the host and deployed a malicious container. To understand what file system changes the running container has made relative to its original image, which command would be most effective?

Accepted Answer

docker diff [container_id]

Answer

docker history [image_name]

Answer

docker inspect [container_id]

Answer

docker logs [container_id]

Question 6

During an investigation involving an IaaS provider, a forensic analyst successfully acquires a snapshot of a virtual disk. The analysis reveals that the disk was part of a volume group managed by a Logical Volume Manager (LVM). What is a key implication of this discovery for the forensic process?

Accepted Answer

The investigator must reassemble the logical volumes from the physical volume(s) before analyzing the file systems.

Answer

The data is unrecoverable as LVM is a proprietary format.

Answer

All files will be encrypted by default by the LVM system.

Answer

A snapshot is not a valid acquisition method for disks using LVM.