An intrusion has been detected and contained. Which of the following steps represents the BEST practice for ensuring the integrity of the recovered system?
A. Restore the application and data from a forensic copy.
B. Install the OS, patches, and application from the original source.
C. Restore the OS, patches, and application from a backup.
D. Remove all signs of the intrusion from the OS and application.
Not a good question. The problems are:
1. What has gone bad, data or OS?
2. Restoring from backup: when was the backup taken? Was that a good backup?
If the first date of the intrusion is indeed unknown, reinstall the OS, reinstall the application, and get the known-good data from backup. I will stay with backup since the place I work does hourly backups and disk duplication.
A. Restore the application and data from a forensic copy.
Restoring the system from a forensic copy ensures that you are using a known, clean, and unaltered version of the application and data. This is important because the original source (option B) and regular backups (option C) might also contain the same vulnerabilities or malware that allowed the intrusion in the first place. Option D, while important, is not sufficient on its own, as it may not guarantee the removal of all traces of the intrusion. Restoring from a forensic copy is a standard practice in digital forensics to ensure the integrity of the system and preserve evidence for further investigation if needed.
I don't think that you are right. Forensic copies are made to preserve incident evidence and are created under chain of custody to yield court-ready evidence material. The use case of forensic copies is to understand what happened during the incident. The use case of forensic copies is NOT to have a clean source for restoration purposes.
The right answer is B, since restoring the OS from a trusted source assures that the software packages are malware free. In case the incident was caused by a vulnerability, it is most likely that the vendor has either fixed the vulnerability or provided temporary workarounds for remediation purposes. Therefore, answer B is right.
The BEST practice for ensuring the integrity of the recovered system after an intrusion has been detected and contained is to install the operating system (OS), patches, and applications from the original source (Option B).
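Option B only delivers a trustworthy rebuild if the installation media and patches really are what the vendor published. The script below is an added example, not code from this thread or from any vendor: it parses a manifest in the standard GNU `sha256sum` output format (`<hex>  <name>`, with `*` marking binary-mode entries) and checks each listed artifact in a media directory, reporting `ok`, `mismatch` or `missing`. The file names (`server-install.iso`, `hotfix-2.bin`, `drivers.tar.gz`) and their contents are constructed for the demo; a real run would point `verify_media` at the downloaded media and the vendor's `SHA256SUMS`. Note that a checksum file only proves the download matches the manifest; the manifest itself must be authenticated separately (for example by verifying the vendor's detached signature over it), which this example does not do.

```python
"""Verify rebuild media against a vendor-published SHA256SUMS manifest (added example)."""
import hashlib
import hmac
import os
import tempfile

HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_sha256sums(text):
    """Parse GNU coreutils `sha256sum` output lines: '<hex>  <name>' or '<hex> *<name>'.

    Returns {filename: lowercase hexdigest}. Blank lines and '#' comments are skipped;
    anything else that is not a 64-char hex digest followed by a name is rejected,
    so a truncated or tampered manifest fails loudly instead of silently verifying less.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_CHARS:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' = binary mode marker
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB ISOs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_media(manifest, media_dir):
    """Check every manifest entry under media_dir.

    Returns {name: status} with status in {'ok', 'mismatch', 'missing'}.
    Every entry is reported, so a missing patch is as visible as a corrupted one.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(media_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def build_demo():
    """Constructed demo data: one good image, one tampered hotfix, one file never downloaded."""
    media_dir = tempfile.mkdtemp()
    good_image = b"fake vendor installer image, constructed for the example"
    with open(os.path.join(media_dir, "server-install.iso"), "wb") as f:
        f.write(good_image)
    with open(os.path.join(media_dir, "hotfix-2.bin"), "wb") as f:
        f.write(b"tampered payload")  # differs from what the manifest promises
    manifest_text = "\n".join([
        "# constructed SHA256SUMS for the example",
        f"{hashlib.sha256(good_image).hexdigest()}  server-install.iso",
        f"{hashlib.sha256(b'original hotfix').hexdigest()} *hotfix-2.bin",
        f"{'0' * 64}  drivers.tar.gz",
    ])
    return media_dir, manifest_text


def run_demo():
    media_dir, manifest_text = build_demo()
    return verify_media(parse_sha256sums(manifest_text), media_dir)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(f"{status:9s} {name}")
```

In practice the rebuild should stop on any `mismatch` or `missing` result; installing from a partially verified set is the same gamble as restoring from a backup of unknown provenance, which is exactly what the question is steering away from.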