Exam CS0-003 All Questions
Question 55

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Correct Answer: A

The first action an analyst should take is to clone the virtual server for forensic analysis. Cloning preserves the current state of the server, including data, configurations, and logs, without risking the loss or alteration of evidence. This allows for a thorough investigation while maintaining the integrity of the original server, which is crucial for legal proceedings and for detailed analysis. Logging into the affected server or shutting it down could alter or destroy important data, and restoring from a backup should only be done after a proper forensic analysis.
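The point of cloning first is that every later step works on a copy whose integrity can be proven. The script below is an added example (not part of the exam material): it hashes an original image and its clone, records whether they match in a chain-of-custody entry, and re-verifies a clone against a previously recorded digest before analysis. The image bytes are a constructed stand-in for a real disk image.

```python
"""Verify a forensic clone against its original and log the result before analysis."""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never has to sit in RAM


def image_hash(data: bytes, algo: str = "sha256") -> str:
    """Return the hex digest of an image held in memory (bytes or bytearray)."""
    h = hashlib.new(algo)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def verify_clone(original: bytes, clone: bytes, algo: str = "sha256") -> dict:
    """Hash both images and return a custody record stating whether they match."""
    orig_hash = image_hash(original, algo)
    clone_hash = image_hash(clone, algo)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": algo,
        "original_hash": orig_hash,
        "clone_hash": clone_hash,
        "verified": orig_hash == clone_hash,
    }


def reverify(clone: bytes, recorded_hash: str, algo: str = "sha256") -> bool:
    """Before any analysis session, confirm the clone still matches the acquisition hash."""
    return image_hash(clone, algo) == recorded_hash


def custody_entry(record: dict, examiner: str, note: str) -> str:
    """Serialise one chain-of-custody line; analysis should only start on a verified clone."""
    return json.dumps(dict(record, examiner=examiner, note=note), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in for a disk image and its clone.
    original = b"\x00" * 4096 + b"boot-sector-placeholder" + bytes(range(256)) * 8
    good_clone = bytes(original)
    tampered = bytearray(original)
    tampered[5000] ^= 0x01  # a single flipped bit is enough to fail verification
    rec = verify_clone(original, good_clone)
    print(custody_entry(rec, examiner="analyst-01", note="clone acquired before login"))
    print(verify_clone(original, bytes(tampered))["verified"])  # False
    print(reverify(good_clone, rec["original_hash"]))  # True
```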

Discussion
Gway (Option: A)

A. Clone the virtual server for forensic analysis. Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

kmordalv (Option: A)

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence.

152deff (Option: A)

D is ridiculous.

Christof

Correct!

BigFoot101T (Option: B)

Should be B, right? Investigate logs first, then decide whether to proceed to forensic analysis.

Mehe323

Yeah, in the answer, the server is suddenly virtual, a bit weird.

[Removed] (Option: A)

Answer is A. Why in the world would you shut down a server and risk losing temporary information on it? D is NOT correct.

[Removed]

C and D are the worst options since you risk losing volatile / temporary data.

nmap_king_22 (Option: A)

Clone and keep the original safe is my opinion. Any testing or sandbox tasks should be done with the clone, not the original (to keep its integrity).

ms123451 (Option: A)

You should NEVER EVER shut down a system, as the logs may be wiped and you will affect the integrity of the data.

Nixon333 (Option: A)

I think it's A. When investigating a security incident, it is crucial to preserve the integrity of the original system and any potential evidence it may contain. The first action the analyst should take is to clone the virtual server for forensic analysis. By creating a copy or snapshot of the server, the analyst can conduct a thorough investigation without altering or tampering with the original system.

hasquaati (Option: B)

B: Because this is the FIRST action. When you want to go deep into forensics, then you log into a VM. This question is crap, by the way.

LoneStarChief

To add to this, at which point does the question state it's a 'Virtual Server'? Also, the question DOES state: "the server was up to date and configured with appropriate auditing and logging." Hence why my choice is 'B'. 'Cause let's be honest, 'D' is just plain WRONG.

fgiroux83 (Option: A)

The best answer is A. Shutting down, although the question mentions the server is now okay, will not lead to anything.

zee_Riddle (Option: A)

D should not be the answer.

captaintoadyo (Option: A)

Answer D is 100% incorrect; the answer is again in the question.

Chalice (Option: B)

Why would it be A and not B? The question does not say it is a virtual machine, or what type of security incident. Wouldn't you want to first look at the logs?

emotetsu

Log review is not enough. There is a lot to review, such as registries, configurations, files and processes in the system. Cloning the server would help you do more analysis in a non-intrusive way, meaning not on the production or operational server, preventing any disruption.

CyberJackal (Option: A)

In no world is this D.

Alizade (Option: C)

The answer is C. Restore from the last known-good backup to confirm there was no loss of connectivity.

daddylonglegs

I don't see how restoring from backup ensures that there was no loss of connectivity.