Eccouncil 312-40 Exam - Topic 2 Question 27 Discussion

Actual exam question for Eccouncil's 312-40 exam
Question #: 27
Topic #: 2

An IT company uses two resource groups, named Production-group and Security-group, under the same subscription ID. Under the Production-group, a VM called Ubuntu18 is suspected to be compromised. As a forensic investigator, you need to take a snapshot (ubuntudisksnap) of the OS disk of the suspect virtual machine Ubuntu18 for further investigation and copy the snapshot to a storage account under Security-group.

Identify the next step in the investigation of the security incident in Azure?

Suggested Answer: B

When an IT company suspects that a VM called Ubuntu18 in the Production-group has been compromised, it is essential to perform a forensic investigation. The process of taking a snapshot and ensuring its integrity and accessibility involves several steps:

Snapshot Creation: First, create a snapshot of the OS disk of the suspect VM, named ubuntudisksnap. This snapshot is a point-in-time copy of the VM's disk, ensuring that all data at that moment is captured.

Snapshot Security: Next, to transfer this snapshot securely to a storage account under the Security-group, a shared access signature (SAS) needs to be generated. A SAS provides delegated access to Azure storage resources without exposing the storage account keys.

Data Transfer: With the SAS token, the snapshot can be securely copied to a storage account in the Security-group. This method ensures that only authorized personnel can access the snapshot for further investigation.

Further Analysis: After copying the snapshot, it can be mounted onto a forensic workstation for detailed examination. This step involves examining the contents of the snapshot for any malicious activity or artifacts left by the attacker.

Generating a shared access signature is a critical step in ensuring that the snapshot can be securely accessed and transferred without compromising the integrity and security of the data.
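The steps above as an Azure CLI sequence (an added example, not part of the original explanation). The storage account and container names are placeholders, the one-hour SAS lifetime and `--auth-mode login` are assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. DRY_RUN=1 (default) prints each az command instead of
# running it; DRY_RUN=0 needs a logged-in Azure CLI with access to both groups.
DRY_RUN="${DRY_RUN:-1}"
SRC_RG="Production-group"; VM="Ubuntu18"; SNAP="ubuntudisksnap"  # from the scenario
DST_ACCOUNT="PLACEHOLDER_ACCOUNT"      # assumed: storage account in Security-group
DST_CONTAINER="PLACEHOLDER_CONTAINER"  # assumed: evidence container
SAS_TTL=3600                           # assumed: SAS lifetime in seconds
az_cmd() {  # dry run: print the command line; live: execute it
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}
os_disk_id() {  # resource ID of the suspect VM's managed OS disk
  az_cmd vm show -g "$SRC_RG" -n "$VM" \
    --query storageProfile.osDisk.managedDisk.id -o tsv
}
create_snapshot() {  # $1 = OS disk resource ID
  az_cmd snapshot create -g "$SRC_RG" -n "$SNAP" --source "$1"
}
generate_sas() {  # read-only, time-limited export URL for the snapshot
  az_cmd snapshot grant-access -g "$SRC_RG" -n "$SNAP" \
    --access-level Read --duration-in-seconds "$SAS_TTL" --query accessSas -o tsv
}
copy_snapshot() {  # $1 = SAS URL; starts an asynchronous server-side copy
  az_cmd storage blob copy start --auth-mode login --account-name "$DST_ACCOUNT" \
    --destination-container "$DST_CONTAINER" --destination-blob "$SNAP.vhd" \
    --source-uri "$1"
}
copy_status() {  # pending | success | aborted | failed
  az_cmd storage blob show --auth-mode login --account-name "$DST_ACCOUNT" \
    --container-name "$DST_CONTAINER" --name "$SNAP.vhd" \
    --query properties.copy.status -o tsv
}
revoke_sas() {  # invalidate the SAS once the copy is no longer pending
  az_cmd snapshot revoke-access -g "$SRC_RG" -n "$SNAP"
}
investigate() {
  disk_id="$(os_disk_id)"
  if [ "$DRY_RUN" = "1" ]; then echo "$disk_id"; disk_id="<os-disk-id>"; fi
  create_snapshot "$disk_id"
  sas_url="$(generate_sas)"
  if [ "$DRY_RUN" = "1" ]; then echo "$sas_url"; sas_url="<snapshot-sas-url>"; fi
  copy_snapshot "$sas_url"
  if [ "$DRY_RUN" = "1" ]; then copy_status; else
    # The SAS must outlive the copy, so poll before revoking it.
    while st="$(copy_status)" && [ "$st" = "pending" ]; do sleep 30; done
    [ "$st" = "success" ] || echo "copy did not succeed: $st" >&2
  fi
  revoke_sas
}
investigate
```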


Microsoft Azure Documentation on Shared Access Signatures (SAS)

Azure Security Best Practices and Patterns

Cloud Security Alliance (CSA) Security Guidance for Critical Areas of Focus in Cloud Computing

Contribute your Thoughts:

King
2 months ago
Copying to a file share? That's not the right move here.
upvoted 0 times
...
Izetta
2 months ago
Wait, can you really just mount the snapshot directly? Seems risky.
upvoted 0 times
...
Gerald
2 months ago
Totally agree, that's the safest way to handle it!
upvoted 0 times
...
Merilyn
3 months ago
You need to create a backup copy of the snapshot in a blob container.
upvoted 0 times
...
Dalene
3 months ago
Generating a shared access signature is also important for access control.
upvoted 0 times
...
Halina
3 months ago
Mounting the snapshot onto the forensic workstation sounds like something we might do later, but I don't think that's the immediate next step.
upvoted 0 times
...
Britt
3 months ago
I practiced a similar question where we had to create a backup copy of a snapshot, so I feel like option C could be the right choice here.
upvoted 0 times
...
Cornell
4 months ago
I think generating a shared access signature might be important for accessing the snapshot later, but I can't recall if it's the next step.
upvoted 0 times
...
Laurena
4 months ago
I remember we talked about snapshots in class, but I'm not sure if we should copy it to a file share or a blob container.
upvoted 0 times
...
Jaclyn
4 months ago
Yeah, that makes sense. Creating a backup in a blob container seems like the most appropriate next step in this forensic investigation.
upvoted 0 times
...
Brent
4 months ago
Based on the question, I believe the correct answer is to create a backup copy of the snapshot in a blob container under the Security-group. That way, it's stored securely and can be accessed for further investigation.
upvoted 0 times
...
Joesph
4 months ago
I'm a bit confused on the best way to do that. Should I just copy it to a file share or is there a more secure option?
upvoted 0 times
...
Mariann
5 months ago
Okay, I think I've got this. The key is to copy the snapshot to a secure location, like a storage account under the Security-group.
upvoted 0 times
...
Linn
5 months ago
Hmm, this looks like a tricky one. I'll need to carefully think through the steps to make sure I don't miss anything.
upvoted 0 times
...
Howard
10 months ago
Haha, I bet the exam writer is just trying to trick us with all these options. Option D is the only one that makes sense - get that snapshot onto a forensic machine and let the magic happen!
upvoted 0 times
Winfred
8 months ago
Definitely, that's the best way to analyze the compromised VM.
upvoted 0 times
...
Daron
8 months ago
Yeah, mounting the snapshot onto a forensic workstation is crucial for further investigation.
upvoted 0 times
...
Theron
9 months ago
I agree, option D seems like the most logical next step.
upvoted 0 times
...
...
Sabrina
10 months ago
D is the correct answer. You need to mount the snapshot on a forensic workstation to analyze the compromised VM. Why complicate things with a blob container when you can just mount it directly?
upvoted 0 times
Paris
8 months ago
D) Mount the snapshot onto the forensic workstation
upvoted 0 times
...
Dalene
9 months ago
C) Create a backup copy of snapshot in a blob container
upvoted 0 times
...
Blair
9 months ago
B) Generate shared access signature
upvoted 0 times
...
...
Margart
10 months ago
I agree with Elvis. Option C is the way to go. Keeping the snapshot in a secure location under the Security-group is crucial for a proper forensic investigation.
upvoted 0 times
Stefanie
9 months ago
C) Create a backup copy of snapshot in a blob container
upvoted 0 times
...
Tamar
10 months ago
B) Generate shared access signature
upvoted 0 times
...
...
Lindsey
11 months ago
I believe creating a backup copy of the snapshot in a blob container is also important for preserving evidence.
upvoted 0 times
...
Elvis
11 months ago
Option C seems the most logical choice to me. Storing the snapshot in a blob container under the Security-group would ensure better security and control during the investigation.
upvoted 0 times
Florencia
10 months ago
D) Mount the snapshot onto the forensic workstation
upvoted 0 times
...
Lashaunda
10 months ago
C) Create a backup copy of snapshot in a blob container
upvoted 0 times
...
Jesse
10 months ago
B) Generate shared access signature
upvoted 0 times
...
Mona
10 months ago
D) Mount the snapshot onto the forensic workstation
upvoted 0 times
...
Aretha
10 months ago
C) Create a backup copy of snapshot in a blob container
upvoted 0 times
...
Maryann
10 months ago
B) Generate shared access signature
upvoted 0 times
...
...
Sina
11 months ago
I agree with Donte, mounting the snapshot will allow us to analyze the compromised VM.
upvoted 0 times
...
Donte
11 months ago
I think the next step is to mount the snapshot onto the forensic workstation.
upvoted 0 times
...