What is a best practice step when containing a cyber incident to preserve evidence?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Get ready for the Cybersecurity and Digital Forensics Test with comprehensive multiple choice questions, flashcards, and detailed explanations. Enhance your skills and prepare for success in the digital security field!

Multiple Choice

What is a best practice step when containing a cyber incident to preserve evidence?

Explanation:
During incident containment, the most effective step is to isolate the affected hosts, preserve evidence, and document actions taken. Isolating the systems stops the attacker from spreading and minimizes further damage, while preserving evidence ensures you capture the original state and artifacts (disk images, memory snapshots, logs, network captures) before any changes are made, which is vital for a later forensic analysis and a defensible trail. Documenting actions creates a clear chain of custody and a chronological record of what was done, by whom, and when, supporting the investigation and any potential legal or regulatory reviews. Other approaches don’t fit as well because reimaging all systems immediately can destroy volatile data and contaminate the evidence, posting incident details publicly can expose sensitive information and hinder the investigation, and ignoring logs eliminates critical data needed to reconstruct what happened and how the breach occurred.

During incident containment, the most effective step is to isolate the affected hosts, preserve evidence, and document actions taken. Isolating the systems stops the attacker from spreading and minimizes further damage, while preserving evidence ensures you capture the original state and artifacts (disk images, memory snapshots, logs, network captures) before any changes are made, which is vital for a later forensic analysis and a defensible trail. Documenting actions creates a clear chain of custody and a chronological record of what was done, by whom, and when, supporting the investigation and any potential legal or regulatory reviews. Other approaches don’t fit as well because reimaging all systems immediately can destroy volatile data and contaminate the evidence, posting incident details publicly can expose sensitive information and hinder the investigation, and ignoring logs eliminates critical data needed to reconstruct what happened and how the breach occurred.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy