AWS Security Academy · Lesson

Snapshotting Volumes for Forensics

Capture disk state for investigation before changing anything.

Why Snapshot First

Before you touch a compromised instance, capture its disk. An EBS snapshot is a point-in-time copy of an Elastic Block Store volume, stored durably in S3.

It freezes the exact state of the disk at the moment of capture, giving investigators an unchanging baseline to analyze even as the live system is contained or rebuilt.

What a Snapshot Captures

An EBS snapshot is block-level and incremental: the first captures all used blocks, later ones store only changes. Despite that, each snapshot is a complete, restorable copy of the volume.

It preserves the file system, malware on disk, logs, and configuration exactly as they were — the raw material of a forensic investigation.

aws ec2 create-snapshot \
  --volume-id vol-0abc123 \
  --description "forensic-i-0abc123"
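As an added example (not part of this lesson and not AWS's own code), the Python below extends the single-volume command above to every EBS volume attached to the instance, tags each snapshot with case metadata for chain of custody, and checks that all of them reached the completed state. SAMPLE_DESCRIBE is a constructed describe-instances response; run_live() assumes boto3 with valid credentials and uses the real EC2 API names.

```python
# Added example for this lesson, not AWS's own code. Plans a forensic snapshot of
# every EBS volume attached to an instance and checks that each one completed.
# SAMPLE_DESCRIBE is a constructed describe-instances response; run_live() assumes
# boto3 with credentials and calls the real EC2 API (describe_instances, etc.).
from datetime import datetime, timezone

SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [{
    "InstanceId": "i-0abc123",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0abc123"}},
        {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0def456"}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},  # instance store
    ]}]}]}

def plan_forensic_snapshots(describe_resp, instance_id, case_id, now=None):
    """One create_snapshot() kwargs dict per attached EBS volume, not only the root.
    Tags record case, source instance/device and capture time so custody survives."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    insts = [i for r in describe_resp["Reservations"] for i in r["Instances"]
             if i["InstanceId"] == instance_id]
    plans = []
    for inst in insts:
        for m in inst.get("BlockDeviceMappings", []):
            if "Ebs" not in m:  # instance-store devices cannot be snapshotted
                continue
            plans.append({
                "VolumeId": m["Ebs"]["VolumeId"],
                "Description": f"forensic-{instance_id}-{m['DeviceName']}-{stamp}",
                "TagSpecifications": [{"ResourceType": "snapshot", "Tags": [
                    {"Key": "CaseId", "Value": case_id},
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "SourceDevice", "Value": m["DeviceName"]},
                    {"Key": "CapturedAt", "Value": stamp}]}]})
    return plans

def missing_volumes(plans, describe_snapshots_resp):
    """Planned volumes that still have no snapshot in State 'completed'."""
    done = {s["VolumeId"] for s in describe_snapshots_resp["Snapshots"]
            if s["State"] == "completed"}
    return sorted({p["VolumeId"] for p in plans} - done)

def run_live(instance_id, case_id):
    import boto3  # imported here so the planning code stays usable offline
    ec2 = boto3.client("ec2")
    plans = plan_forensic_snapshots(
        ec2.describe_instances(InstanceIds=[instance_id]), instance_id, case_id)
    snap_ids = [ec2.create_snapshot(**p)["SnapshotId"] for p in plans]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=snap_ids)
    return snap_ids, missing_volumes(plans, ec2.describe_snapshots(SnapshotIds=snap_ids))
```

A non-empty second return value from run_live() means a volume was not captured and the investigation baseline is incomplete.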
