
GCIH · Question #568

GCIH Question #568: Real Exam Question with Answer & Explanation

The correct answer is D: Dump logs from the compromised machine to another system for analysis.

Question

As an incident handler for the XYZ Widget Company, you have responded to the breach of your mail server. The server is not in a DMZ but on your internal network and was being used as a launching point to attack other systems on the same network. Of the choices listed below, which is the BEST next step to take as the lead incident handler?

Options

  • A. Ping the IP address where the attack is originating from the compromised machine
  • B. Perform a forensic analysis on the original hard drive
  • C. Send a SYN flood to the originating IP address
  • D. Dump logs from the compromised machine to another system for analysis

Explanation

Attacking back (option C, a SYN flood against the originating address) is never the right move: it is likely unlawful, the source address may belong to an innocent host the attacker is pivoting through, and it does nothing to contain the incident. Forensic analysis should never be performed on the original hard drive (option B); the original is evidence and should be imaged, with the analysis done on a verified copy. Pinging the originating IP from the compromised machine (option A) may alert the attacker that you have found the compromised machine, since an attacker who still controls the host can see what it sends. Dumping logs from the compromised machine to another system for analysis (option D) gets the evidence off the affected host before it can be altered, gives you the information needed for analysis, and is the only viable option presented.
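The collection step that option D describes, as an added example that is not part of the nerdexam page or the exam material: a small POSIX shell script that copies every log file from a source directory on the compromised host into a collection directory on another filesystem (for example a mounted share or USB drive that belongs to the analysis system), never touching the originals, and records SHA-256 hashes so the copies can be checked later. The function names `collect_logs` and `verify_collection`, the directory layout, and the sample log lines used when running it are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the nerdexam page: copy logs OFF a compromised host
# and hash the copies. The originals are left in place (copy, never move), and
# the destination should be a filesystem that does not live on the compromised
# disk, so that nothing is overwritten on the evidence drive.

# collect_logs SRC_DIR DEST_DIR
# Copies every regular file under SRC_DIR into DEST_DIR/<host>-<utc stamp>/logs/,
# writes DEST_DIR/<host>-<utc stamp>/MANIFEST.sha256, and prints that directory.
collect_logs() {
    src="$1"
    dest="$2"
    host=$(hostname 2>/dev/null || echo unknown-host)   # fallback for minimal images
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest/$host-$stamp"
    mkdir -p "$out/logs"
    # Preserve timestamps (-p) and keep the relative layout so /var/log/mail/maillog
    # ends up as logs/mail/maillog, not flattened into one directory.
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$out/logs/$(dirname "$rel")"
        cp -p "$f" "$out/logs/$rel"
    done
    # Hash the copies so the analyst can later prove they were not altered in
    # transit or on the analysis box. Paths are relative to the logs/ directory.
    ( cd "$out/logs" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$out/MANIFEST.sha256"
    printf '%s\n' "$out"
}

# verify_collection COLLECTION_DIR
# Returns 0 if every copied file still matches the manifest, non-zero otherwise.
verify_collection() {
    ( cd "$1/logs" && sha256sum -c --quiet ../MANIFEST.sha256 ) >/dev/null 2>&1
}

# Example run (constructed log lines, no real incident data):
#   tmp=$(mktemp -d); mkdir -p "$tmp/src/mail" "$tmp/share"
#   printf 'Jan 10 03:12:01 mail sshd[412]: Accepted password for root from 10.0.0.5\n' > "$tmp/src/auth.log"
#   printf 'Jan 10 03:13:44 mail postfix/smtpd[517]: connect from unknown[10.0.0.5]\n' > "$tmp/src/mail/maillog"
#   out=$(collect_logs "$tmp/src" "$tmp/share") && verify_collection "$out" && echo "collection intact"
```

Two caveats a handler would add. First, `cp`, `find` and `sha256sum` on a compromised host may themselves have been replaced; run the collection from a known-good toolkit (statically linked binaries on read-only media) rather than the host's own binaries. Second, once the collection directory sits on the analysis side, hand the manifest to a second person or store it separately from the copies, so that the hashes and the data do not share a single point of tampering.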
