The CSA Security Guidance v4.0, Domain 9: Incident Response highlights that traditional forensic techniques don't always apply in cloud-native environments like containers and serverless platforms. Instead, forensic investigators must capture ephemeral data such as logs, snapshots, and execution traces early and often.
“Forensic techniques must adapt to cloud-native environments such as containers and serverless. Important forensic data — including container logs, snapshots, and function execution logs — may be short-lived or non-persistent, so timely collection is critical.”
— CSA Security Guidance v4.0, Domain 9: Incident Response
Key points:
Containers and serverless functions are often short-lived.
You need to capture logs and memory state before they're destroyed.
Serverless platforms (like AWS Lambda, Azure Functions) often provide execution logs via services like CloudWatch or Application Insights.
Incorrect options:
A: EDR is typically focused on traditional endpoints, not containers/serverless.
B: Useful in general, but not specific or always applicable to serverless/container forensics.
C: Antivirus doesn’t apply well to ephemeral or function-based environments.
[References:, CSA Security Guidance v4.0 – Domain 9: Incident Response (Container and Serverless Forensics), CCM v3.0.1 – DSI-05, IVS-04 (Covers logging and snapshot control), , , ]
