Describe a typical process for evidence triage during a multi-host incident.

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Describe a typical process for evidence triage during a multi-host incident.

Explanation:
In an incident that spans multiple hosts, the key is to triage quickly to understand scope and focus on data that will tell you what happened while it’s still recoverable. Begin by scoping the incident so you know which systems are affected, what assets are critical, and what your objectives are. Then prioritize critical hosts—the machines most likely to hold time-sensitive, volatile evidence (RAM contents, active processes, open network connections, recent log events, and running malware). Collect this volatile data promptly before it’s lost due to power changes or further compromise, and do so in a way that preserves evidence integrity. Preserving the data with solid chain-of-custody ensures you can later validate and share findings with stakeholders, investigators, and legal teams. Coordinating with stakeholders keeps the response aligned on scope, data handling requirements, permissible actions, and reporting expectations, which helps prevent missteps or duplicate effort across teams. This approach beats random data collection, which wastes time and may miss critical volatile artifacts; it also avoids focusing only on network devices, which misses host-based evidence; and it prevents delaying collection while waiting for approvals, which risks losing volatile data and delaying containment and remediation.

In an incident that spans multiple hosts, the key is to triage quickly to understand scope and focus on data that will tell you what happened while it’s still recoverable. Begin by scoping the incident so you know which systems are affected, what assets are critical, and what your objectives are. Then prioritize critical hosts—the machines most likely to hold time-sensitive, volatile evidence (RAM contents, active processes, open network connections, recent log events, and running malware). Collect this volatile data promptly before it’s lost due to power changes or further compromise, and do so in a way that preserves evidence integrity.

Preserving the data with solid chain-of-custody ensures you can later validate and share findings with stakeholders, investigators, and legal teams. Coordinating with stakeholders keeps the response aligned on scope, data handling requirements, permissible actions, and reporting expectations, which helps prevent missteps or duplicate effort across teams.

This approach beats random data collection, which wastes time and may miss critical volatile artifacts; it also avoids focusing only on network devices, which misses host-based evidence; and it prevents delaying collection while waiting for approvals, which risks losing volatile data and delaying containment and remediation.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy