Question 17
Domain 4: Security Operations, Monitoring, and Incident Response
Which capability is MOST critical for effective forensic investigation of compromised cloud instances?
Correct answer: B
Explanation
Memory dump capture before instance termination preserves volatile evidence that disappears when a cloud instance is shut down. Forensic practice prioritizes collecting RAM data first because it can contain running processes, encryption keys, network connections, and injected malware that are not retained on disk.
Why each option is right or wrong
A. Automated termination of suspected instances
B. Memory dump capture before instance termination
Volatile evidence in RAM is lost immediately when a cloud VM is stopped, terminated, or reimaged, so the investigator must preserve it first under standard live-response practice. In cloud environments, this is especially critical because the provider may recycle the instance and its ephemeral memory state without notice; a memory acquisition taken before termination can still capture running processes, open sockets, injected code, and cryptographic material that would not survive a disk-only collection.
C. Immediate password rotation for all users
D. Disabling of all network access