(ISC)2(ISC)2
SSCP · Question #920
SSCP Question #920: Real Exam Question with Answer & Explanation
Sign in or unlock SSCP to reveal the answer and full explanation for question #920. The question stem and answer options stay visible for context.
Submitted by tyler.j· Apr 18, 2026Incident Response and Recovery
Question
When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?
Options
- ABack up the compromised systems.
- BIdentify the attacks used to gain access.
- CCapture and record system information.
- DIsolate the compromised systems.
Unlock SSCP to see the answer
You've previewed enough free SSCP questions. Unlock SSCP for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.
Topics
#Incident Response#Digital Forensics#Evidence Preservation#Order of Volatility