SY0-501 Question #373: Real Exam Question with Answer & Explanation
The correct answer is A: Make a copy of everything in memory on the workstation. During an incident response involving a potentially infected workstation, preserving volatile evidence (RAM) is the highest priority, because any other action disrupts the system state and may destroy that evidence.
Question
An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server. Which of the following should a security analyst do FIRST?
Options
- A. Make a copy of everything in memory on the workstation.
- B. Turn off the workstation.
- C. Consult the information security policy.
- D. Run a virus scan.
Explanation
During an incident response involving a potentially infected workstation, preserving volatile evidence (RAM) is the highest priority, because it is the evidence most easily lost: every other action (powering off, scanning, even consulting policy while the machine keeps running unattended) risks disrupting the system state and destroying artifacts such as active network connections, running processes and in-memory malware that would show what data was sent and where.
Common mistakes.
- B. Turning off the workstation immediately destroys all volatile data in RAM, permanently losing critical forensic evidence such as active connections and in-memory malware artifacts needed to investigate the incident.
- C. Consulting the information security policy is a valid step but is not the first priority when live volatile evidence is at risk of being lost; policy consultation should occur as part of broader incident response planning, not ahead of evidence preservation.
- D. Running a virus scan can alter file timestamps, overwrite artifacts, and modify the system state, which contaminates forensic evidence and should only occur after volatile data and disk images have been properly preserved.
Concept tested. Incident response: order of volatility and evidence preservation (capture the most volatile evidence, such as RAM, before less volatile evidence, such as disk contents).
Reference. https://www.nist.gov/publications/guide-integrating-forensic-techniques-incident-response