CAS-001 Question #216: Real Exam Question with Answer & Explanation

The correct answer is A: Shut the server down and image the hard drive.

Question

A production server has been compromised. Which of the following is the BEST way to preserve the non-volatile evidence?

Options

  • A. Shut the server down and image the hard drive.
  • B. Remove all power sources from the server.
  • C. Install remote backup software and copy data to write-once media.
  • D. Login remotely and perform a full backup of the server.

Explanation

Non-volatile evidence is what resides on persistent storage (the hard drive) and therefore survives a loss of power. The procedure the exam expects is a clean shutdown of the server to stop further writes, followed by a bit-for-bit forensic image of the drive, acquired through a write blocker and hashed (for example with SHA-256) so the copy can be proven identical to the original; all analysis is then done on the image, never on the original disk. Abruptly removing power (B) risks file system corruption and can damage evidence. Installing remote backup software (C) or logging in remotely to run a backup (D) both modify the live system, potentially overwriting artifacts, altering timestamps, or triggering malware, which undermines the integrity of the evidence and weakens the chain of custody. Note that the question asks only about non-volatile evidence: a shutdown destroys volatile evidence (memory contents, running processes, network connections), so if that is also needed it must be captured first, following the order of volatility.
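As an added example (not part of the original question or its explanation), the shell script below shows the imaging-and-hashing step that follows the shutdown, run on an analysis workstation with GNU coreutils. It uses dd to produce a bit-for-bit copy, records SHA-256 hashes of the source and the image in a custody log, and re-verifies the image against that record before analysis. A constructed 1 MiB random file stands in for the evidence drive so the script runs offline; in a real acquisition the source would be the drive attached through a hardware write blocker. The helper names image_disk and verify_image and the log format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Bit-for-bit imaging of a
# non-volatile source with dd, with SHA-256 on both sides to prove integrity.
# Assumes GNU coreutils (dd, sha256sum, head) on the analysis workstation.
set -eu

# image_disk SOURCE IMAGE LOG
# Copies SOURCE to IMAGE block for block, appends both hashes to LOG and
# returns 0 only if the image hash matches the source hash.
image_disk() {
    src=$1; img=$2; log=$3
    # Hash the source before copying: this is the reference value that goes
    # into the custody record.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # noerror: keep going past unreadable sectors; sync: pad them with zeros
    # so every offset in the image still lines up with the source. Block
    # devices are whole sector multiples, so sync adds no trailing padding.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Log line format (this example's own): <timestamp> <role> <sha256> <path>
    printf '%s source %s %s\n' "$ts" "$src_hash" "$src" >>"$log"
    printf '%s image %s %s\n' "$ts" "$img_hash" "$img" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE (e.g. before analysis or after transport) and checks it
# against the hash recorded at acquisition time. Returns 1 on mismatch or
# if the image was never logged.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -v p="$img" '$2 == "image" && $4 == p { h = $3 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Demo on a constructed stand-in for the evidence drive: 1 MiB of random
# bytes, a whole number of 512-byte sectors like a real device.
demo_acquisition() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom >"$work/evidence_disk"
    image_disk "$work/evidence_disk" "$work/evidence.dd" "$work/custody.log"
    verify_image "$work/evidence.dd" "$work/custody.log"
    cat "$work/custody.log"
    rm -rf "$work"
}

demo_acquisition
```

The source hash is taken before dd runs and the image hash after, and the two are compared immediately; a later verify_image call catches any change to the image between acquisition and analysis, which is the property the custody record has to support.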
