You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 host that may contain evidence of unauthorized access. The server is running, with an administrative session logged in. It has 32 GB of RAM and a 1 TB SSD (BitLocker-encrypted, but currently unlocked), and it is connected to the corporate network. The server runs several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?
Correct answer: Option B. Capturing volatile data first and then imaging the unlocked volume live preserves volatile evidence and minimizes downtime.
Why this answer
Option B is correct because it follows the order of volatility: it captures the most transient evidence first (RAM contents and current network connections), which would be lost on shutdown, and only then creates a logical image of the unlocked BitLocker volume while the server stays online. Imaging the volume while it is unlocked matters because the acquisition reads decrypted data; a reboot or power loss would re-lock the volume and leave any later image as ciphertext unless the recovery key or the key material held in RAM had been captured. Acquiring live also lets the critical business applications keep running, which meets the IT manager's request to minimize downtime. Every artifact should be hashed as soon as it is collected and the collection steps logged, so the integrity of the evidence can be demonstrated later.
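The volatile-first collection described above, as an added example in PowerShell (not code from the original question or from EC-Council). It assumes an elevated session on the target, an evidence path on removable or network storage rather than the target SSD, and a memory acquisition utility at the assumed path `$MemoryTool` that takes the output file as its only argument; the evidence root and tool path are placeholders to adjust for your own kit.

```powershell
# Added example: live triage collection on a Windows server in order-of-volatility
# sequence, hashing each artifact as it is written and keeping a timestamped log.
# Assumptions (not from the original page):
#   - run from an elevated PowerShell session on the target,
#   - $EvidenceRoot is on evidence media, never on the target SSD,
#   - $MemoryTool is your own memory acquisition tool, invoked as "tool.exe <output-file>".
param(
    [string]$EvidenceRoot = "E:\IR\$($env:COMPUTERNAME)",   # assumed evidence media
    [string]$MemoryTool   = "E:\tools\memdump.exe"          # assumed acquisition tool
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
$log = Join-Path $EvidenceRoot "collection-log.txt"

function Write-Log([string]$Message) {
    # UTC timestamps keep the collection log comparable with server event logs.
    $line = "$((Get-Date).ToUniversalTime().ToString('o')) $Message"
    Add-Content -Path $log -Value $line
    Write-Host $line
}

function Save-Artifact([string]$Name, [scriptblock]$Collector) {
    # Run the collector, write its text output, and hash the file immediately so
    # any later change to the evidence file is detectable.
    $path = Join-Path $EvidenceRoot $Name
    Write-Log "BEGIN $Name"
    & $Collector | Out-File -FilePath $path -Encoding utf8
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Log "END   $Name sha256=$hash"
}

# 1. Memory first: it disappears on power-off and holds the BitLocker key material
#    as well as process, network and credential state.
$memFile = Join-Path $EvidenceRoot "memory.raw"
Write-Log "BEGIN memory acquisition"
& $MemoryTool $memFile
Write-Log "END   memory acquisition sha256=$((Get-FileHash -Path $memFile -Algorithm SHA256).Hash)"

# 2. Network state and running processes, which change continuously while the
#    server stays online.
Save-Artifact "tcp-connections.txt" {
    Get-NetTCPConnection | Sort-Object State |
        Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize |
        Out-String -Width 200
}
Save-Artifact "processes.txt" {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
        Format-Table -AutoSize | Out-String -Width 300
}

# 3. BitLocker status and recovery key, recorded now so the disk image stays
#    usable if the volume is ever re-locked by a reboot or power loss.
Save-Artifact "bitlocker-status.txt" {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, KeyProtector |
        Format-List | Out-String
}
Save-Artifact "bitlocker-recovery-C.txt" { manage-bde -protectors -get C: | Out-String }

Write-Log "Volatile collection complete; proceed to logical imaging of the unlocked volume."
```

Run the memory acquisition before anything else and keep the tool binary and the evidence files off the target disk; every write to the SSD overwrites unallocated space that may still hold evidence. The recovery key output is sensitive and belongs with the evidence under chain of custody, not in a shared ticket.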
Exam trap
EC-Council frequently tests the order-of-volatility principle: volatile data (RAM, network connections, running processes) must be captured before the system is powered down. Candidates who skip this step are drawn to the shutdown-based options (C or D), which destroy exactly the evidence the question is asking them to preserve.
How to eliminate wrong answers
Option A is wrong because Guymager is a Linux-based forensic imager intended for direct, local disk imaging, not for acquiring a running server's disk across a network; imaging a live system over the corporate network is slow, exposes the acquisition to interference and data alteration in transit, and so both threatens integrity and prolongs the disruption. Option C is wrong because immediately powering off the server destroys the volatile evidence (RAM, network connections) and re-locks the BitLocker volume, so the resulting disk image is ciphertext unless the recovery key was captured beforehand; an improper shutdown can also leave the file system inconsistent, and taking the server offline causes the downtime the IT manager asked you to avoid. Option D is wrong because pulling the power cord produces the same abrupt shutdown, losing the volatile data and risking file-system damage on the SSD, and removing the drive to image it through a forensic bridge is invasive and lengthens the outage while still capturing no volatile evidence.