Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 197 discussion

1. Isolate the Instance: Detach from Auto Scaling Group (ASG) and deregister from the ALB to prevent automatic termination or traffic routing to the instance. This ensures the instance remains available for forensic capture. 2.Capture EBS Snapshot: Take an EBS volume snapshot while the instance is still running. Though crash-consistent, this captures the disk state at a point in time. 3. Capture Memory Snapshot: Use tools like AWS Systems Manager or third-party utilities to capture the volatile memory (RAM) while the instance is running. Memory data is lost once the instance stops. 4. Stop the Instance: After capturing both disk and memory snapshots, stop the instance to prevent further changes.

https://docs.aws.amazon.com/security-ir/latest/userguide/collect-relevant-artifacts.html

1️⃣ Preserve the Forensic Evidence 2️⃣ Capture the Data 3️⃣ Stop the Instance

Agreed, we need to preserve RAM running memory BEFORE we Stop the instance, otherwise we'd loose critical info including: Running processes Network connections Encryption keys Unwritten logs Malicious activity in memory (e.g., malware)

Its C. Can not be D as stopping instance does not preserve the memory e.g. memory is lost so no memory snapshot is possible.

Why D? Should it not be C? How would you take a memory snapshot of a stopped instance. I looked through AWS documentation and nowhere doesit it say, it is possible to take memory snapshot of stopped EC2 instance

ANSWER D Detach from the Auto Scaling group: This ensures the Auto Scaling group does not terminate or replace the instance due to health checks or scaling policies. Deregister from the ALB: Deregistering ensures the instance stops serving traffic and avoids further modifications to its state by the application. Stop the instance: Stopping the instance prevents changes to the system state and data while preserving the current disk content and memory. Take a memory snapshot: Memory snapshots (often called RAM dumps) are essential for forensic investigations to capture data like process states, encryption keys, and active network connections. Take an EBS volume snapshot: Snapshots of EBS volumes preserve disk-level data for analysis, including deleted files and filesystem metadata.

The correct order of steps to preserve all forensic evidence from an Amazon EC2 instance is: B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. This sequence ensures that you capture both the memory and disk state of the instance before making any changes that could alter the evidence

C - correct order why not a - detach and deregister is too late, anything can happen on the system like it can go unhealthy, this causes the asg to terminate it why not b - stopping the instance when not deregistered from asg will cause the asg to terminate it, we cannot do other ops here onward why not d - memory is lost after stopping the instance

Option B

Option D

Option B does not detach the instance from the Auto Scaling group or deregister it from the ALB before stopping it, which can lead to unexpected instance termination or further data changes from incoming traffic. This makes it unsuitable for preserving forensic evidence effectively. Option C follows the correct sequence to ensure that the instance is properly isolated and that both memory and disk snapshots are taken in a way that preserves the integrity of forensic evidence. For these reasons, Option C is the correct approach to ensure the proper preservation of forensic evidence, while Option B may lead to potential data loss or contamination due to improper ordering of steps.

Correct answer is A. 1. Acquire Evidence 2. Isolation 3. Stop the Instance

This order ensures that the volatile memory is captured before the instance is stopped, preserving all necessary forensic evidence.

Correct answer is D. Instance should not be stopped