Exam CS0-003 topic 1 question 55 discussion

A. Clone the virtual server for forensic analysis Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence.

Question didnt say a VM, so why clone? Server is up to date and config for logging. So answer will be Log on to server and start analyzing logs to know what happened.

It is NOT D if you shut it down how will you get the logs... Also not B, since you don't want to alter evidence. A is the answer. Refer to the Incident Response Order Of Operations by NIST

The answer is D, while cloning will explain what happened, the question states what should he do FIRST....you have to shut down the server so nothing else is affected. One thing that I have learned about CompTia is the way word questions.

D. Shut down the affected server immediately: Shutting down the server could be necessary in certain situations to prevent further damage, but it could also result in the loss of volatile data (e.g., data stored in memory). It is generally better to clone the server first, preserving all possible evidence. Given the situation, Option A is the correct first step. It allows the security team to perform a thorough forensic analysis while preserving the integrity of the evidence.

Answer is A...alot of yall don't seem to know that vServers are a thing.

The answer is option D. stop crying

D should not be the answer

B: Because this is the FIRST action. When you went to go deep into forensics then you log into a VM. This question is crap by the way.

D is ridiculous

answer D is 100% incorrect the answer is again in the question

Why would it be A and not B? The question does not say it is a virtual machine, or what type of security incident. Wouldn't you want to first look at the logs?

In no world is this D.

Should be B right? Investigate logs first then decide whether proceed to forensic analysis.

Answer is A. Why in the world would you shut down a server and risk losing temporary information on it? D is NOT correct.

The answer is C. Restore from the last known-good backup to confirm there was no loss of connectivity.