A sophisticated cyber-attack has targeted an organization, and the forensic team is called upon for incident response. Their assets are largely hosted on AWS, particularly using S3 and EC2 instances. As a forensic investigator, your first step to retaining valuable evidence in the EC2 instances is:
The primary concern when dealing with a sophisticated cyber-attack is to preserve evidence for further analysis. Creating a snapshot of the EBS volume in the affected EC2 instance is crucial because it captures the state of the instance's storage at the time of the snapshot. This allows forensic investigators to analyze the data without altering the original evidence. Isolating the instance from the network might also be important, but creating a snapshot ensures that the necessary data is preserved for detailed examination. Therefore, creating a snapshot is the best first step for retaining valuable evidence.
Amazon EBS is a block-level storage volume that can be attached with any running EC2 instance Once attached to an instance, it can be used like any physical hard drive. Customers can make an EBS volume snapshot and create another volume from that snapshot which can be attached to a different EC2 instance
Cfhi v10: step 1 isolate the ec2 instance