SY0-501 Question #2: Real Exam Question with Answer & Explanation
The correct answer is A: Capture and document necessary information to assist in the response. When responding to a potential malware incident, the first action is to capture and document relevant information to properly scope and guide the response effort.
Question
An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection. Which of the following steps should the responder perform NEXT?
Options
- A. Capture and document necessary information to assist in the response.
- B. Request the user capture and provide a screenshot or recording of the symptoms.
- C. Use a remote desktop client to collect and analyze the malware in real time.
- D. Ask the user to back up files for later recovery.
Explanation
When responding to a potential malware incident, the first action is to capture and document relevant information to properly scope and guide the response effort.
Common mistakes.
- B. While screenshots can be useful, asking the user to capture evidence risks disrupting the system state, missing volatile data, or being done incorrectly; documentation should be led by the responder, not delegated to the end user as a first step.
- C. Connecting via remote desktop during an active infection risks spreading malware, contaminating volatile memory evidence, and alerting the malware to analyst activity before proper containment and evidence collection procedures are established.
- D. Asking the user to back up files before proper analysis could propagate malware to backup media, destroy forensic evidence, and violates the principle of preserving the original system state during the identification phase of incident response.
Concept tested. Incident response identification and documentation steps
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf