CS0-003 · Question #51
CS0-003 Question #51: Real Exam Question with Answer & Explanation
The correct answer is D: Routing table. Of the five options, the routing table is the most volatile item, and it is also the one that isolating the server (disconnecting or disabling its network interfaces) would itself alter or discard, so it must be captured before the server is isolated.
Question
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
Options
- A. Hard disk
- B. Primary boot partition
- C. Malicious files
- D. Routing table
- E. Static IP address
Explanation
Evidence capture prioritizes collection activities according to the order of volatility: the most volatile data is acquired first, because it is lost or changed soonest, and in this scenario the act of isolating the server would itself change or discard network state such as the routing table and ARP cache. RFC 3227, Guidelines for Evidence Collection and Archiving (an IETF best current practice, BCP 55, published at tools.ietf.org/html/rfc3227), sets out the general order as follows:
- CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
- Contents of system memory (RAM), including the routing table, ARP cache, process table, and kernel statistics
- Temporary file systems, swap space, and virtual memory
- Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices), including the file system and free space
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival media
The other options rank lower in this order: the hard disk (A) and primary boot partition (B) are persistent storage, the malicious files (C) reside on that storage and will still be there after isolation, and a static IP address (E) is part of the physical configuration and network topology, which is among the least volatile data and can be collected at any time.
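As an added worked example (not part of the exam page or of RFC 3227), the following POSIX shell script turns the order above into a first-responder collection routine: it captures the routing table, ARP cache, open sockets and process table in that sequence before the host is isolated, hashes each output, and writes a timestamped manifest so the collection can later be shown to predate isolation. The step list, file names and the `collect_volatile` function are this example's own; it assumes a Linux host with iproute2 (`ip`, `ss`), procps (`ps`) and `sha256sum` (or `shasum`) available.

```shell
#!/bin/sh
# Added example (not from the exam page or RFC 3227): a first-responder script
# that captures volatile evidence in order-of-volatility sequence BEFORE the
# host is isolated. Assumes a Linux host with iproute2 (ip, ss), procps (ps),
# and sha256sum or shasum available; labels and file names are this example's own.

# Ordered "label=command" steps, most volatile first. The routing table and ARP
# cache come first because pulling the network cable or disabling the interface
# changes or discards them.
VOLATILE_STEPS='routing_table=ip route show
arp_cache=ip neigh show
network_connections=ss -tanp
process_table=ps -eo pid,ppid,user,lstart,args
kernel_stats=cat /proc/loadavg /proc/uptime
logged_in_users=who'

# hash_file FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_volatile OUTDIR [STEPS]
# Runs each step in order, saves its output to OUTDIR/NN_label.txt and appends
# "NN label utc-timestamp sha256" to OUTDIR/manifest.txt. A step whose tool is
# not installed is recorded as SKIPPED so one missing binary does not abort the
# whole collection. Finally the manifest itself is hashed to seal the record.
collect_volatile() {
    outdir=$1
    steps=${2:-$VOLATILE_STEPS}
    mkdir -p "$outdir" || return 1
    printf '%s\n' "$steps" | {
        n=0
        while IFS= read -r step; do
            [ -n "$step" ] || continue
            n=$((n + 1))
            label=${step%%=*}
            cmd=${step#*=}
            tool=${cmd%% *}
            stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
            if command -v "$tool" >/dev/null 2>&1; then
                out=$(printf '%s/%02d_%s.txt' "$outdir" "$n" "$label")
                # Keep going on a non-zero exit; record the status with the output.
                sh -c "$cmd" > "$out" 2>&1 || printf 'exit status %s\n' "$?" >> "$out"
                printf '%02d %s %s %s\n' "$n" "$label" "$stamp" "$(hash_file "$out")" \
                    >> "$outdir/manifest.txt"
            else
                printf '%02d %s %s SKIPPED\n' "$n" "$label" "$stamp" >> "$outdir/manifest.txt"
            fi
        done
    }
    hash_file "$outdir/manifest.txt" > "$outdir/manifest.txt.sha256"
}

# Usage (run before isolating the host, writing to removable or remote evidence storage):
#   collect_volatile /mnt/evidence/"$(hostname)"
```

Write the output directory to removable or remote evidence storage rather than the compromised disk, and run the script before a full memory acquisition tool and long before any disk imaging, so that the least volatile artefacts are the ones collected last. The manifest timestamps and hashes give the investigator a record that the network state was captured while the server was still connected.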