This pattern deploys a set of processes that use AWS Lambda functions to provide the following:
A way to initiate the incident-response process that requires minimal prior knowledge from the responder
Automated, repeatable processes that are aligned with the AWS Security Incident Response Guide
Separation of accounts to operate the automation steps, store artifacts, and create forensic environments
The Automated Incident Response and Forensics framework follows a standard digital forensic process consisting of the following phases:
Containment
Acquisition
Examination
Analysis
You can perform investigations on static data (for example, acquired memory or disk images) and on dynamic data (a live system that has been isolated from the rest of the environment).
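The following is an added example of what the first two phases above, containment and acquisition, look like as a single AWS Lambda function. It is illustrative code written for this page, not code from the pattern or from the Automated Incident Response and Forensics framework. The security group ID QUARANTINE_SG, the event keys instanceId and caseId, and the FakeEc2 stand-in are hypothetical; the calls made against the client are the boto3 EC2 client API (describe_instances, modify_instance_attribute, create_snapshot, create_tags). The handler takes only an instance ID and a case ID, so the responder needs no other knowledge of the environment.

```python
"""Containment and acquisition of a compromised EC2 instance.

Added illustration, not code from the pattern or the framework. Assumed:
QUARANTINE_SG (a pre-created security group with no inbound or outbound rules),
the event keys "instanceId"/"caseId", and the FakeEc2 stand-in are hypothetical.
Live calls use the boto3 EC2 client API.
"""
from typing import Any, Dict, List

# Hypothetical ID of a pre-created security group with no rules at all.
QUARANTINE_SG = "sg-0123456789quarantine"


def contain_and_acquire(ec2: Any, instance_id: str, case_id: str,
                        quarantine_sg: str = QUARANTINE_SG) -> Dict[str, Any]:
    """Isolate the instance (containment) and snapshot its volumes (acquisition).

    The instance is never stopped or rebooted: that would destroy the volatile
    memory needed during examination.
    """
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    original_sgs: List[str] = [g["GroupId"] for g in instance["SecurityGroups"]]
    volume_ids: List[str] = [m["Ebs"]["VolumeId"]
                             for m in instance.get("BlockDeviceMappings", [])
                             if "Ebs" in m]

    # Record provenance on the instance so the responder can trace the case later.
    tags = [{"Key": "CaseId", "Value": case_id},
            {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}]
    ec2.create_tags(Resources=[instance_id], Tags=tags)

    # Containment: cut the instance off at the network layer, then prevent it
    # from being terminated (by an attacker or by scaling) mid-investigation.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})

    # Acquisition: point-in-time copy of every attached EBS volume, tagged with
    # the case ID so the artifacts can be handed to a forensic environment.
    snapshot_ids: List[str] = []
    for vol in volume_ids:
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{case_id} {instance_id} {vol}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshot_ids.append(snap["SnapshotId"])

    return {"instanceId": instance_id, "caseId": case_id,
            "originalSecurityGroups": original_sgs,
            "snapshotIds": snapshot_ids}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   ec2: Any = None) -> Dict[str, Any]:
    """Lambda entry point: the responder supplies only an instance ID and a case ID."""
    if ec2 is None:
        import boto3  # real client only when deployed in Lambda
        ec2 = boto3.client("ec2")
    return contain_and_acquire(ec2, event["instanceId"], event["caseId"])


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client, for offline runs."""

    def __init__(self) -> None:
        self.instances = {"i-0fake": {
            "InstanceId": "i-0fake",
            "SecurityGroups": [{"GroupId": "sg-web"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}]}}
        self.termination_protected: Dict[str, bool] = {}
        self.snapshots: List[Dict[str, Any]] = []
        self.tags: Dict[str, List[Dict[str, str]]] = {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups=None, DisableApiTermination=None):
        if Groups is not None:
            self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        if DisableApiTermination is not None:
            self.termination_protected[InstanceId] = DisableApiTermination["Value"]
        return {}

    def create_snapshot(self, VolumeId, **kwargs):
        snap_id = f"snap-{len(self.snapshots) + 1:04d}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId, **kwargs})
        return {"SnapshotId": snap_id}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, []).extend(Tags)
        return {}


if __name__ == "__main__":
    print(lambda_handler({"instanceId": "i-0fake", "caseId": "IR-0001"}, ec2=FakeEc2()))
```

Two caveats a practitioner should keep in mind: modify_instance_attribute with Groups replaces the security groups on the primary network interface only, so an instance with additional ENIs needs each interface quarantined separately, and EBS snapshots do not capture volatile memory, which requires an in-guest acquisition tool and is outside this block.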
For more details, see the Additional information section.