
CS0-003 Exam - Question 55


During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Correct Answer: A

The first action an analyst should take is to clone the virtual server for forensic analysis. Cloning preserves the current state of the server, including data, configurations, and logs, without risking the loss or alteration of evidence. This allows for a thorough investigation while maintaining the integrity of the original server, which is crucial for legal and detailed analysis. Logging into the affected server or shutting it down could alter or destroy important data, and restoring from a backup should only be done after a proper forensic analysis.

Discussion

15 comments
Gway (Option: A)
Sep 16, 2023

A. Clone the virtual server for forensic analysis. Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

kmordalv (Option: A)
Sep 8, 2023

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence.

Nixon333 (Option: A)
Jul 26, 2023

I think it's A. When investigating a security incident, it is crucial to preserve the integrity of the original system and any potential evidence it may contain. The first action the analyst should take is to clone the virtual server for forensic analysis. By creating a copy or snapshot of the server, the analyst can conduct a thorough investigation without altering or tampering with the original system.

ms123451 (Option: A)
Sep 3, 2023

You should NEVER EVER shut down a system, as the logs may be wiped and you will affect the integrity of the data.

nmap_king_22 (Option: A)
Sep 5, 2023

Clone and keep the original safe, is my opinion. Any testing or sandbox tasks should be done with the clone, and not the original (to keep the integrity).

[Removed] (Option: A)
Nov 22, 2023

Answer is A. Why in the world would you shut down a server and risk losing temporary information on it? D is NOT correct.

[Removed]
Nov 27, 2023

C and D are the worst options since you risk losing volatile / temporary data.

BigFoot101T (Option: B)
Dec 24, 2023

Should be B, right? Investigate logs first, then decide whether to proceed to forensic analysis.

Mehe323
May 15, 2024

Yeah, in the answer, the server is suddenly virtual, a bit weird.

152deff (Option: A)
May 26, 2024

D is ridiculous

Christof
May 28, 2024

Correct!

fgiroux83 (Option: A)
Sep 19, 2023

The best answer is A. Shutting down, although the question mentions the server is now okay, will not lead to anything.

hasquaati (Option: B)
Jun 19, 2024

B: Because this is the FIRST action. When you want to go deep into forensics, then you log into a VM. This question is crap, by the way.

LoneStarChief
Jul 21, 2024

To add to this, at which point does the question state it's a 'Virtual Server'? Also, the question DOES state: "the server was up to date and configured with appropriate auditing and logging." Hence why my choice is 'B'. Because let's be honest, 'D' is just plain WRONG.

Alizade (Option: C)
Nov 15, 2023

The answer is C. Restore from the last known-good backup to confirm there was no loss of connectivity.

daddylonglegs
Jan 26, 2024

I don't see how restoring from backup ensures that there was no loss of connectivity.

CyberJackal (Option: A)
Mar 29, 2024

In no world is this D.

Chalice (Option: B)
Apr 2, 2024

Why would it be A and not B? The question does not say it is a virtual machine, or what type of security incident. Wouldn't you want to first look at the logs?

emotetsu
Jun 20, 2024

Log review is not enough. There is a lot to review, such as registries, configurations, files and processes in the system. Cloning the server would help you do more analysis in a non-intrusive way, meaning not in the production or operational server, preventing any disruption.

captaintoadyo (Option: A)
May 1, 2024

Answer D is 100% incorrect; the answer is again in the question.

zee_Riddle (Option: A)
Jul 20, 2024

D should not be the answer