A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?
Correct. Memory is the most volatile data and should be captured first to preserve evidence such as running processes, network connections, and malware in memory. Any delay or system shutdown may cause this data to be lost.
Why this answer
The order of volatility dictates that the most volatile data (memory) must be captured first because it contains critical evidence like running processes, network connections, and encryption keys that will be lost when the system is powered off. A full memory dump preserves this volatile data before any other actions that could alter the system state.
Exam trap
The trap here is that candidates often think shutting down the server is the safest first step to contain damage, but CompTIA tests the forensic principle that volatile data must be preserved before any containment or remediation actions.
How to eliminate wrong answers
Option B is wrong because shutting down the server destroys volatile memory data and may trigger ransomware encryption routines or anti-forensic mechanisms.
Option C is wrong because creating a forensic disk image is a lower-priority step that should occur after capturing memory, as disk data is less volatile.
Option D is wrong because running a full antivirus scan modifies file access times, writes logs, and can alter the very evidence you are trying to preserve, violating forensic integrity.