An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?
- A (correct): Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
  Why correct: Memory capture preserves running processes, network connections, and other volatile data crucial for analysis.
- B: Immediately disconnect the system from the network to contain the threat.
  Why wrong: Isolating the system from the network before memory capture may lose volatile evidence.
- C: Check the Windows Event Logs for related entries.
  Why wrong: While logs are useful, memory capture should take priority because it captures the current state of the system.
- D: Reboot the system to clear any malicious processes from memory.
  Why wrong: Rebooting destroys volatile evidence and may allow malware to hide.