Question 516 of 1,152
Security Operations · easy · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to capture volatile data such as memory and running processes first. This is because of the forensic principle known as the order of volatility, which dictates that the most fragile and easily lost evidence must be collected before anything else; RAM contents, active network connections, and process lists vanish the instant the laptop loses power or is shut down. On the Security+ SY0-701 exam, this concept tests your understanding of evidence preservation and incident response procedures, often appearing in scenario-based questions where a responder must prioritize actions. A common trap is to immediately pull the plug or image the hard drive, but that destroys the very evidence of active malware or attacker footholds. Remember the memory tip: “RAM is the first to scram” — capture what’s in memory before you even think about powering off.

SY0-701 Security Operations Practice Question

This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

Why each option matters

Correct answer & explanation

Capture volatile data such as memory and running processes if possible.

Option B is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when the laptop is powered off. Capturing this data first preserves critical evidence of the attacker's current activity, such as malware in memory or active network connections, which is essential for forensic analysis. This aligns with the forensic principle of order of volatility, where the most volatile data is collected first.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Power off the laptop immediately to stop all attacker activity.

    Why it's wrong here

    Immediate power-off can destroy volatile evidence such as running processes, network connections, and memory-resident malware. It may help containment, but not before evidence is considered.

  • Capture volatile data such as memory and running processes if possible.

    Why this is correct

    Capturing volatile data is the best first step when preserving evidence matters. Memory can contain malware code, encryption keys, active network sessions, and signs of lateral movement that disappear after shutdown. In incident response, responders try to preserve the most time-sensitive evidence before disrupting the system, as long as doing so is safe and approved.

    Clue confirmation

    The clue word "first" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Install a new antivirus product before collecting evidence.

    Why it's wrong here

    Installing software changes the system state and can overwrite important forensic evidence. It is better to preserve the original condition first.

  • Reimage the laptop so the user can return to work quickly.

    Why it's wrong here

    Reimaging too early destroys evidence and can make root-cause analysis impossible. Recovery should happen after containment and evidence capture.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think immediate shutdown stops the attack, but CompTIA tests the forensic principle that volatile data must be captured first to preserve evidence that disappears on power loss.

Detailed technical explanation

How to think about this question

Under the hood, volatile data resides in RAM and includes process lists, network sockets, ARP cache, and kernel objects. Tools like `memdump` (Linux) or `FTK Imager` (Windows) can capture this data via a live acquisition before shutdown. In real-world scenarios, failing to capture memory can miss rootkits that only exist in RAM or encryption keys that decrypt live data, making the entire investigation blind to the attacker's methods.
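As an added illustration of the live acquisition described above (example code, not from the page or from Courseiva), this Python collector runs a set of capture commands in order of volatility and writes a SHA-256 manifest so that the evidence can later be checked for tampering; the Linux commands, the `triage` output directory and the injectable `runner` are assumptions for the illustration.

```python
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Most volatile first (RFC 3227 order). Linux commands assumed for the host.
VOLATILITY_ORDER = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["ss", "-tunap"]),
    ("arp_cache", ["ip", "neigh"]),
    ("logged_in_users", ["who", "-a"]),
    ("routing_table", ["ip", "route"]),
]

def run_command(argv):
    """Default runner: execute argv and return its stdout as bytes."""
    try:
        return subprocess.run(argv, capture_output=True, check=False).stdout
    except FileNotFoundError:
        return b""  # tool absent on this host; record an empty capture

def collect(outdir, plan=VOLATILITY_ORDER, runner=run_command):
    """Capture each artifact in plan order, write it under outdir and return
    the manifest (label, command, sha256, size, capture time)."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for label, argv in plan:
        captured_at = time.time()
        data = runner(argv)  # runner is injectable so it can be tested offline
        (outdir / f"{label}.txt").write_bytes(data)
        manifest.append({"label": label, "command": " ".join(argv),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "bytes": len(data), "captured_at": captured_at})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(outdir):
    """Re-hash each capture against manifest.json; return labels that changed."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [e["label"] for e in manifest
            if hashlib.sha256((outdir / f"{e['label']}.txt").read_bytes())
               .hexdigest() != e["sha256"]]

if __name__ == "__main__":
    for entry in collect("triage"):
        print(entry["label"], entry["bytes"], "bytes", entry["sha256"][:16])
```

Memory itself is captured separately with a dedicated imaging tool; this script covers the process, socket and cache state that the page lists as volatile.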

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A SOC analyst notices unusual lateral movement in the network at 2 AM. The IR playbook dictates: identify and contain (isolate the affected machine), then eradicate (remove the malware), then recover (restore from backup), then document. Skipping containment before eradication risks the attacker regaining access. Questions like this test the sequence and rationale of incident response phases.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SY0-701 question test?

Security Operations. This question tests whether you read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Capture volatile data such as memory and running processes if possible. — Option B is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when the laptop is powered off. Capturing this data first preserves critical evidence of the attacker's current activity, such as malware in memory or active network connections, which is essential for forensic analysis. This aligns with the forensic principle of order of volatility, where the most volatile data is collected first.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on SY0-701

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

Difficulty: easy
  • A. Install endpoint protection updates on the laptop right away.
  • B. Capture volatile evidence such as running processes and memory contents.
  • C. Delete suspicious files so the malware can no longer spread.
  • D. Reboot the laptop immediately to clear the suspected malware.

Why B: Option B is correct because volatile evidence, such as running processes, network connections, and memory contents, is lost when the system is powered off. Capturing this data first preserves critical forensic artifacts that can reveal the malware's behavior, persistence mechanisms, and indicators of compromise (IOCs). In a live incident, the responder must follow the order of volatility (RFC 3227) to collect the most ephemeral data before it disappears.

Variation 2. A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.

Difficulty: hard
  • A. Capture volatile data such as running processes and active network connections while the system is still live.
  • B. Place the endpoint into network isolation through the EDR console to stop further attacker communication.
  • C. Run a full antivirus scan immediately, because the scan report will serve as the primary evidence.
  • D. Reboot the laptop into Safe Mode so the attacker’s code will not load.
  • E. Power off the laptop immediately to prevent the incident from spreading further.

Why A: Option A is correct because capturing volatile data (e.g., running processes, active network connections, memory contents) is a critical first step in forensic response. This data resides in RAM and is lost when the system is powered off, so it must be collected while the laptop is still live to preserve evidence of the attacker's current activities, such as active credential theft tools or command-and-control connections.

Last reviewed: Jun 11, 2026

This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.