What is the MOST appropriate next step?

Isolation and containment measures for a compromised computer have been taken and
information security management is now investigating. What is the MOST appropriate next step?

A. Run a forensics tool on the machine to gather evidence

B. Reboot the machine to break remote connections

C. Make a copy of the whole system's memory

D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

Explanation:

When investigating a security breach, it is important to preserve all traces of evidence left by the
intruder. For this reason, it is imperative to preserve the memory contents of the machine in order
to analyze them later. The correct answer is choice C because a copy of the whole system's
memory is obtained for future analysis by running the appropriate tools. This is also important from
a legal perspective, since an attorney may suggest that the system was changed during the
conduct of the investigation. Running a computer forensics tool on the compromised machine will
cause the creation of at least one process that may overwrite evidence. Rebooting the machine
will delete the contents of the memory, erasing potential evidence. Collecting information about
current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP)
ports is correct, but doing so by using tools may also overwrite memory contents.
