CHFI (312-49) Digital Forensics Simulation
Welcome to the forensic simulation environment. In this scenario, you will apply CHFI principles to cloud forensics within a Google Cloud Platform (GCP) architecture. Learn to identify the correct centralized logging services needed to attribute administrative actions during a cloud-based security incident.
Investigation Scenario
A financial technology startup, AeroDynamics, hosts its core infrastructure entirely on Google Cloud Platform (GCP). At 03:00 AM UTC, the organization's SIEM generated a critical alert regarding an unauthorized firewall rule change in their production VPC network. The change exposed an internal MongoDB instance to the public internet (0.0.0.0/0).
The digital forensics team has been authorized to investigate. Due to the ephemeral nature of the cloud environment, the hypervisor cannot be imaged. The investigators must immediately identify the IAM identity that executed the API call to modify the firewall configuration, verify the IP address of the requestor, and determine if any data access operations followed the breach.
Evidence Collected
[TIMESTAMP] 2026-04-10T03:01:44Z
[SEVERITY] CRITICAL
[DESCRIPTION] Unsafe firewall rule detected on VPC 'prod-network-vpc'. Port 27017 exposed to 0.0.0.0/0.
[ACTION REQUIRED] Locate control plane logs to identify the API caller: 'compute.firewalls.insert'.
[ENVIRONMENT] GCP Project: aerodb-prod-993
Question
Expert Analysis
1. What the evidence shows: The SIEM has flagged a critical configuration change (`compute.firewalls.insert`) within a specific GCP project. To trace this administrative action back to a specific user, service account, and IP address, the investigator must analyze the cloud provider's control plane audit logs.
2. Forensic Stage: Collection / Examination.
3. Why the correct answer is correct: A. Cloud Logging. GCP Cloud Logging (formerly Stackdriver Logging) is the centralized service that aggregates and stores logs from Google Cloud services. Specifically, it hosts the Cloud Audit Logs, which encompass Admin Activity logs (always on by default), Data Access logs, and System Event logs. This is where an investigator would search for the `protoPayload` containing the identity that modified the firewall.
4. Why others are wrong:
• B. Cloud Monitoring: This tool collects metrics, events, and metadata to generate performance dashboards and alerts (uptime, CPU usage), not detailed forensic audit trails of API calls.
• C. Cloud Trace: This is a distributed tracing system designed to collect latency data from applications to find performance bottlenecks, completely irrelevant to security auditing.
• D. Cloud Debugger: A tool that lets developers inspect the state of a running application in real-time without stopping it. It is an operational development tool, not an audit logging service.
5. Real-world forensic action: An investigator would open Cloud Logging and use its query language to filter on `resource.type="gce_firewall_rule"` and `logName="projects/aerodb-prod-993/logs/cloudaudit.googleapis.com%2Factivity"`. Once the pertinent entries are identified, they must be exported to a secure, immutable storage bucket (via a log sink) to establish and preserve the chain of custody for legal proceedings.
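To make the analysis step concrete, here is an added example (not code from the page, from the CHFI material, or from Google) that works offline over a handful of constructed Cloud Audit Log entries laid out the way `gcloud logging read --format=json` returns them: it builds the Cloud Logging filter from the scenario's project ID, pulls out the principal, caller IP and rule body from any firewall insert whose `sourceRanges` include `0.0.0.0/0`, and then looks for Data Access entries by that same principal after the change. The project ID `aerodb-prod-993` comes from the scenario; the principals, IPs, bucket and rule names are made up, and the `protoPayload.request` keys (`sourceRanges`, `alloweds`) are assumed to follow the Compute API firewall resource shape.

```python
"""Offline triage of Cloud Audit Log entries for an exposed-firewall incident.
Added example for this simulation (not code from the page or from Google); the
entries are constructed to mirror Cloud Audit Log layout, with made-up names/IPs."""
from datetime import datetime

PROJECT = "aerodb-prod-993"  # project ID from the scenario
ACTIVITY_LOG = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access"
PUBLIC_RANGES = {"0.0.0.0/0", "::/0"}
MONGO_RULE = {"alloweds": [{"IPProtocol": "tcp", "ports": ["27017"]}]}  # assumed request shape


def _entry(ts, log, rtype, method, resource, principal, ip, request=None):
    """One constructed entry in Cloud Audit Log layout (protoPayload.* fields)."""
    payload = {"methodName": method, "resourceName": resource,
               "authenticationInfo": {"principalEmail": principal},
               "requestMetadata": {"callerIp": ip}, "request": request or {}}
    return {"timestamp": ts, "logName": log, "resource": {"type": rtype}, "protoPayload": payload}


# Constructed sample export, roughly what `gcloud logging read --format=json` returns.
FW = f"projects/{PROJECT}/global/firewalls/"
SAMPLE_ENTRIES = [
    # Internal-only rule from the corporate range: must not be flagged.
    _entry("2026-04-10T01:12:05Z", ACTIVITY_LOG, "gce_firewall_rule", "v1.compute.firewalls.insert",
           FW + "allow-internal-mongo", "netops@example.com", "198.51.100.7",
           {"name": "allow-internal-mongo", "sourceRanges": ["10.0.0.0/8"], **MONGO_RULE}),
    # The change behind the SIEM alert: 27017 opened to the whole internet.
    _entry("2026-04-10T02:59:31Z", ACTIVITY_LOG, "gce_firewall_rule", "v1.compute.firewalls.insert",
           FW + "allow-mongo-public", "deploy-sa@example.com", "203.0.113.45",
           {"name": "allow-mongo-public", "sourceRanges": ["0.0.0.0/0"], **MONGO_RULE}),
    # Data Access log: the same principal reads a backup object minutes later.
    _entry("2026-04-10T03:05:10Z", DATA_ACCESS_LOG, "gcs_bucket", "storage.objects.get",
           "projects/_/buckets/example-backups/objects/mongo-dump.tgz",
           "deploy-sa@example.com", "203.0.113.45"),
    # Data Access by an unrelated principal: excluded from the follow-up.
    _entry("2026-04-10T03:06:00Z", DATA_ACCESS_LOG, "gcs_bucket", "storage.objects.list",
           "projects/_/buckets/example-backups", "analyst@example.com", "198.51.100.9"),
]


def build_filter(project: str = PROJECT) -> str:
    """Cloud Logging query for firewall inserts in the project's Admin Activity log."""
    return ('resource.type="gce_firewall_rule" AND '
            f'logName="projects/{project}/logs/cloudaudit.googleapis.com%2Factivity" AND '
            'protoPayload.methodName:"compute.firewalls.insert"')


def parse_ts(ts: str) -> datetime:
    """RFC 3339 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_public_firewall_changes(entries, project: str = PROJECT):
    """Admin Activity entries that insert a firewall rule open to 0.0.0.0/0 or ::/0."""
    activity = f"projects/{project}/logs/cloudaudit.googleapis.com%2Factivity"
    hits = []
    for e in entries:
        if e.get("logName") != activity or e.get("resource", {}).get("type") != "gce_firewall_rule":
            continue
        p = e.get("protoPayload", {})
        if "compute.firewalls." not in p.get("methodName", ""):
            continue
        req = p.get("request", {})
        public = sorted(PUBLIC_RANGES & set(req.get("sourceRanges", [])))
        if not public:
            continue
        hits.append({
            "timestamp": e["timestamp"],
            "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "method": p["methodName"],
            "rule": req.get("name") or p.get("resourceName"),
            "source_ranges": public,
            "ports": [port for a in req.get("alloweds", []) for port in a.get("ports", [])],
        })
    return hits


def data_access_after(entries, principal: str, after: str, project: str = PROJECT):
    """Data Access entries by `principal` strictly after timestamp `after`, oldest first."""
    data_log = f"projects/{project}/logs/cloudaudit.googleapis.com%2Fdata_access"
    cutoff = parse_ts(after)
    hits = []
    for e in entries:
        p = e.get("protoPayload", {})
        if e.get("logName") != data_log or parse_ts(e["timestamp"]) <= cutoff:
            continue
        if p.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        hits.append({"timestamp": e["timestamp"], "method": p.get("methodName"),
                     "resource": p.get("resourceName"),
                     "caller_ip": p.get("requestMetadata", {}).get("callerIp")})
    return sorted(hits, key=lambda h: h["timestamp"])


def triage(entries, project: str = PROJECT):
    """Pair each exposing change with the data access by the same identity that followed it."""
    return [{"change": c, "follow_up": data_access_after(entries, c["principal"], c["timestamp"], project)}
            for c in find_public_firewall_changes(entries, project)]


if __name__ == "__main__":
    print("query:", build_filter())
    for item in triage(SAMPLE_ENTRIES):
        c = item["change"]
        print(f"{c['timestamp']} {c['principal']} from {c['caller_ip']} opened {c['rule']} "
              f"ports={c['ports']} to {c['source_ranges']}")
        for f in item["follow_up"]:
            print(f"  then {f['timestamp']} {f['method']} {f['resource']}")
```

Two caveats worth keeping in mind when running this against a real project. First, the follow-up check only sees what was written to the `data_access` log, and Data Access audit logs for most services (Cloud Storage included) are off unless they were enabled before the incident, so an empty follow-up list is not proof that no data was touched. Second, a log sink routes only entries that arrive after it is created; entries already stored must be copied out of the log bucket separately if they are to land in the evidence bucket.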
In traditional forensics, you typically rely on physical bit-by-bit disk images and host-based operating system logs (e.g., Windows Event Logs). In public cloud infrastructure (IaaS/PaaS), the investigator does not have physical access to the hypervisor. Consequently, the cloud provider's API Control Plane logs—such as AWS CloudTrail, Azure Activity Log, or GCP Cloud Logging—become the most critical artifacts. They provide the definitive "Who, What, When, and Where" for every administrative action taken in the environment.