CHFI - Computer Hacking Forensic Investigator Cloud Forensics Questions and Answers

Question 1

An investigator suspects a compromised EC2 instance on Amazon Web Services (AWS) was used for malicious activity. To preserve evidence for a forensic investigation, what is the most appropriate initial step to both contain the threat and preserve the state of the virtual machine's storage?

Accepted Answer

Isolate the instance using a restrictive security group and create a snapshot of its EBS volume.

Answer

The correct procedure is to first isolate the instance to prevent it from causing further harm (e.g., attacking other systems) by modifying its security group to deny all traffic. Immediately following isolation, creating a snapshot of the Elastic Block Store (EBS) volume provides a forensically sound, point-in-time copy of the disk for later analysis without altering the original evidence. Terminating the instance destroys evidence, logging in alters the live system's state, and requesting a physical disk is not a standard procedure and would contain data from other tenants.

Question 2

A forensic analyst is investigating an incident in a Google Cloud Platform (GCP) environment and needs to determine which user account was responsible for creating a specific firewall rule that allowed malicious traffic. Which log source is the primary location to find this type of administrative activity?

Accepted Answer

Cloud Audit Logs (Admin Activity)

Answer

Cloud Audit Logs are the definitive source for tracking administrative changes and API calls within GCP. Specifically, the Admin Activity audit logs capture all API calls that modify the configuration or metadata of resources, such as creating or modifying a firewall rule. VPC Flow Logs track network traffic, Cloud Storage logs track object access, and VM OS logs would not see actions performed at the platform level.

Question 3

Which of the following represents a major legal and logistical challenge that is significantly more prevalent in cloud forensics compared to traditional on-premises investigations?

Accepted Answer

Data sovereignty and cross-jurisdictional data access.

Answer

Data sovereignty is a paramount challenge in cloud forensics. Because a cloud service provider may store a customer's data in data centers located in different countries, investigators often face legal hurdles related to jurisdiction. A warrant or subpoena issued in one country may not be valid in another where the data physically resides, requiring complex international legal agreements like Mutual Legal Assistance Treaties (MLATs). The other options are fundamental challenges in all forms of digital forensics.

Question 4

A company utilizing a Software-as-a-Service (SaaS) application, such as Microsoft 365, experiences a data breach where an employee's account was used to access and exfiltrate sensitive documents from SharePoint Online. From a forensic standpoint, what is the primary limitation for the investigator?

Accepted Answer

Lack of access to the underlying cloud infrastructure and server logs.

Answer

In a SaaS model, the customer has no access to the underlying physical servers, hypervisors, or host operating systems. The investigation is therefore limited to the logs and data export capabilities provided by the SaaS vendor (e.g., the Microsoft 365 Unified Audit Log). The investigator cannot perform low-level forensic analysis, such as acquiring a disk image of the SharePoint server or examining its memory. While the user's workstation can be imaged, the primary actions occurred on the cloud platform, for which the investigator has limited visibility.

Question 5

An investigator is analyzing a compromised Docker environment. It is suspected that an attacker gained access to the host and deployed a malicious container. To understand what file system changes the running container has made relative to its original image, which command would be most effective?

Accepted Answer

docker diff [container_id]

Answer

The `docker diff` command is specifically designed to inspect the changes made to a container's filesystem since it was created. It will show files and directories that have been added (A), changed (C), or deleted (D) in the container's writable layer. This is extremely useful for identifying malware droppers, modified configuration files, or data exfiltration staging files created by an attacker after the container was started. `docker history` shows image layers, `docker inspect` shows metadata, and `docker logs` shows application output.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Cloud Forensics Questions and Answers