A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)
Trap 1: A list of cafeteria purchases
Purchases are unrelated to malware state.
Trap 2: A printed office map
The map does not preserve host compromise evidence.
- A
Memory image or live response data
Fileless activity may exist mainly in memory.
- B
Active network connections and running processes
Live state helps reconstruct behaviour.
- C
A list of cafeteria purchases
Why wrong: Purchases are unrelated to malware state.
- D
A printed office map
Why wrong: The map does not preserve host compromise evidence.