Exam CS0-003 topic 1 question 20 discussion

D) Routing table. It's the only volatile data. CompTIA certmaster Topic 8B: Performing Incident Response Activities "Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows: CPU registers and cache memory (including cache on disk controllers, GPUs, and so on) Contents of system memory (RAM), including the following: Routing table, ARP cache, process table, kernel statistics Temporary file systems/swap space/virtual memory Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices)—including file system and free space Remote logging and monitoring data Physical configuration and network topology Archival media"

Excuse me The "Guide to Collecting and Archiving Evidence" (RFC 3227) establishes the following order of volatility - registers, cache - routing table, arp cache, process table, kernel statistics, memory - temporary file systems - disk - remote logging and monitoring data that is relevant to the system in question - physical configuration, network topology - archival media References: https://www.ciberforensic.com/directrices-rfc-3227 https://www.ietf.org/rfc/rfc3227.txt https://resources.infosecinstitute.com/certifications/retired/security-plus-basic-forensic-procedures-sy0-401/#:~:text=The%20order%20of%20volatility%20is,the%20computer%20is%20turned%20off. https://www.computer-forensics-recruiter.com/order-of-volatility/

Routing Table is volatile data.

Layer 3 cache is volatile storage

The hard disk is the piece of data that should be collected first in order to preserve sensitive information before isolating the server. The hard disk contains all the files and data stored on the server, which may include evidence of malicious activity, such as malware installation, data exfiltration, or configuration changes.

For incident response, CompTIA recommends preserving the most volatile dataset first.

Could anyone please post question # 265

The correct answer is D. Routing table are volatile data and will be lost at boot.

D. Routing table Explanation: Routing Table: The routing table should be collected first because it is stored in volatile memory (RAM) and could be lost once the server is isolated or powered down. The routing table can provide important information about network connections, routes, and possibly active connections, which could be crucial for understanding the scope of the incident and tracking any malicious activity.

I think this one is C because many malware packages are capable of deleting themselves upon detecting that the system they infect is being isolated.

How is it hard disk while the order of volatility is Registers Cache Routing table ARP cache and so on? from my research on google it even says routing table....

According to the order of volatility the routing tables should be the best option here. So D it is!

ORDER OF VOLATILE DATA Registers, Cache Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory Temporary File Systems Disk Remote Logging and Monitoring Data that is Relevant to the System in Question Physical Configuration, Network Topology Archival Media

D. Routing table data stored in memory or caches is considered highly volatile, since it will be lost if the system is turned off, whereas data stored in printed form or as a backup is considered much less volatile.

Malicious files found on the critical server are key pieces of evidence that could provide insights into the nature of the security incident, the methods used by the attackers, and the potential impact on the system. Collecting these files first allows the incident response team to preserve crucial evidence before taking any actions that might disrupt the server or alter its state. Once the malicious files are collected, the incident response team can proceed with isolating the server and conducting further investigation to gather additional evidence, such as analyzing the hard disk, examining the primary boot partition, reviewing the routing table, and documenting the static IP address configuration. However, collecting the malicious files should be prioritized to ensure that critical evidence is preserved in its original state.

The Hard Disk contains all the data stored on the server, including system files, application files, and user data. It’s crucial to collect a bit-by-bit copy (also known as a forensic image) of the hard disk first because it preserves the state of the system at the time of the incident. This includes any potential indicators of compromise (IoCs) and can provide valuable evidence for the investigation. The other options, while they may contain useful information, are either subsets of the data on the hard disk (Primary Boot Partition, Malicious Files) or are dynamic data that would not typically be preserved in an incident response scenario (Routing Table, Static IP Address).

incident response follows the principle of data volatility, prioritizing collecting the most fleeting information first. In this case, malicious files directly tied to the suspected breach take precedence. Answer should be C