During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?
- A. Export the Windows event logs related to network activity
  Why wrong: Event logs are less volatile than memory but still should be collected after memory.
- B. Execute a network scan from the compromised host to identify active connections
  Why wrong: Running commands on a live system can alter evidence and should be avoided; memory capture is preferred.
- C. Capture a full disk image using FTK Imager
  Why wrong: Disk imaging is important but captures non-volatile data; volatile data would be lost if the system is shut down first.
- D. Perform a memory capture using a tool like DumpIt or winpmem
  Why correct: Memory capture preserves the most volatile data, including running processes and network connections, which is critical for identifying malicious processes.