How would you approach collecting data from a live host while minimizing further damage or data loss?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

How would you approach collecting data from a live host while minimizing further damage or data loss?

Explanation:
The key idea is to preserve volatile evidence on a live host while minimizing impact on the system, using a controlled, documented live-response process. Volatile data, such as memory contents, running processes, open network connections, and encryption keys resident in RAM, can vanish in moments if the system is shut down or rebooted. Capturing this data first ensures you don’t lose critical indicators of compromise or attacker activity. Using approved tools that are validated for forensics helps guarantee data integrity and reproducibility, and avoiding unnecessary changes prevents altering the system state in ways that could hide or contaminate evidence. Documenting the scope keeps the collection focused on what’s needed for investigation, while minimizing changes reduces the chance of interfering with the system’s operation or alerting users and defenders. Securing evidence with proper chain-of-custody ensures the data remains admissible and traceable through the investigation. After volatile data is captured, you can proceed with non-volatile data collection if needed, but only in a controlled manner. The other options fall short because they either miss essential volatile data, risk immediate loss of evidence, or introduce changes that could complicate or contaminate the investigation.

The key idea is to preserve volatile evidence on a live host while minimizing impact on the system, using a controlled, documented live-response process. Volatile data, such as memory contents, running processes, open network connections, and encryption keys resident in RAM, can vanish in moments if the system is shut down or rebooted. Capturing this data first ensures you don’t lose critical indicators of compromise or attacker activity. Using approved tools that are validated for forensics helps guarantee data integrity and reproducibility, and avoiding unnecessary changes prevents altering the system state in ways that could hide or contaminate evidence.

Documenting the scope keeps the collection focused on what’s needed for investigation, while minimizing changes reduces the chance of interfering with the system’s operation or alerting users and defenders. Securing evidence with proper chain-of-custody ensures the data remains admissible and traceable through the investigation. After volatile data is captured, you can proceed with non-volatile data collection if needed, but only in a controlled manner.

The other options fall short because they either miss essential volatile data, risk immediate loss of evidence, or introduce changes that could complicate or contaminate the investigation.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy