Question 8
Domain 4: Security Operations, Monitoring, and Incident Response
During a cloud security incident, an organization needs to preserve volatile memory from compromised virtual machines. Which challenge is UNIQUE to cloud forensics compared to traditional forensics?
Correct answer: B
Explanation
Cloud forensics is unique because investigators often cannot physically access the host hardware or hypervisor controlling the virtual machines. In traditional forensics, physical access supports direct acquisition of volatile memory; in cloud environments, the provider controls the underlying infrastructure, making preservation of RAM from compromised VMs harder.
Why each option is right or wrong
A. The need to document evidence chain of custody
B. Lack of physical access to underlying infrastructure
Cloud investigations are constrained by the provider’s control of the host layer: under the shared-responsibility model, the customer may administer the guest VM but not the physical servers, hypervisor, or storage fabric. That makes direct seizure or live acquisition of RAM from the underlying machine impossible without provider cooperation, unlike traditional forensics where investigators can physically image the hardware and capture volatile data on-site.
C. The requirement to maintain system availability
D. The need for forensic imaging tools