Investigation Decisions

At this point, you can choose between an offline investigation (immediately shutting down the instance) or an online investigation (keeping the instance running). One advantage to the offline investigation is that after the instance is shut down, it can no longer affect the existing environment. Additionally, you can create a copy of the affected instance from the EBS snapshots, and review it in an isolated AWS account with an isolated environment that is designed specifically for your investigation. However, you can choose to not shut down the instance immediately, if an online investigation enables you to potentially capture volatile evidence from the host operating system, such as memory or network traffic.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure Domain Incidents

Capturing Volatile Data