An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?
A. Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.
B. Extract the server’s system timeline, verifying hashes and network connections during a certain time frame.
C. Clone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.
D. Clone the server’s hard disk and extract all the binary files, comparing hash signatures with malware databases.
I think cloning the entire system is not the best option for understanding the initial point of compromise. Extracting the server's system timeline as described in option B can be a more effective technique for understanding how the attacker compromised the system. By examining the system timeline and network connections during a certain time frame, an “analyst” can reconstruct the sequence of events that led to the compromise. This can include identifying the initial point of compromise, the attacker's actions leading up to the compromise, and any lateral movement or data exfiltration that occurred.
Also, option C is a common technique in digital forensics, and the question mentioned “analyst”.
The procedure that will best deliver the information necessary to reconstruct the steps taken by the attacker is:
B. Extract the server’s system timeline, verifying hashes and network connections during a certain time frame.
This procedure involves extracting the server's system timeline, which includes information such as system events, logs, and network connections during a specific time frame. By analyzing this information, the analyst can identify any suspicious activities, changes, or anomalies that occurred on the server. Verifying hashes can help detect any tampering with files or executables on the system. This method focuses on gathering and analyzing relevant data from the compromised server to reconstruct the attacker's actions, making it an effective approach for understanding the attack.
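As an added illustration of the procedure in option B (example code, not part of the thread), the following Python merges constructed artefacts (file metadata, auth log lines, network connections) into one ordered timeline for a time window and checks file hashes against a constructed known-good baseline; all paths, hostnames and addresses are made up.

```python
"""Added example: build a system timeline from constructed artefacts, restrict it
to a time window, and verify file hashes against a known-good baseline."""
import hashlib
from datetime import datetime, timezone

# Constructed artefacts (not from any real system): filesystem metadata with the
# file's current bytes, auth log lines, and recorded network connections.
FILE_EVENTS = [  # (timestamp, path, current_content)
    ("2024-03-10T02:14:05Z", "/usr/bin/ssh", b"trojaned-ssh-binary"),
    ("2024-03-10T02:16:40Z", "/tmp/.x", b"dropped-tool"),
]
AUTH_LOG = [
    "2024-03-10T02:13:50Z sshd[812]: Accepted password for svc from 203.0.113.7",
    "2024-03-10T02:15:02Z sudo: svc : COMMAND=/bin/bash",
    "2024-03-10T06:00:00Z sshd[990]: Accepted publickey for admin from 192.0.2.10",
]
NET_CONNS = [("2024-03-10T02:16:45Z", "10.0.0.5:44120", "198.51.100.9:443")]
# Known-good hashes taken from the gold image (constructed for this example).
BASELINE = {"/usr/bin/ssh": hashlib.sha256(b"original-ssh-binary").hexdigest()}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(start, end):
    """Return (time, source, detail) tuples from every source, sorted, inside [start, end]."""
    events = []
    for ts, path, content in FILE_EVENTS:
        digest = hashlib.sha256(content).hexdigest()
        expected = BASELINE.get(path)
        if expected is None:
            status = "NEW FILE (not in baseline)"
        elif expected != digest:
            status = "HASH MISMATCH (modified since baseline)"
        else:
            status = "hash ok"
        events.append((parse_ts(ts), "file", f"{path}: {status}"))
    for line in AUTH_LOG:
        ts, _, rest = line.partition(" ")
        events.append((parse_ts(ts), "auth", rest))
    for ts, src, dst in NET_CONNS:
        events.append((parse_ts(ts), "net", f"{src} -> {dst}"))
    lo, hi = parse_ts(start), parse_ts(end)
    return sorted(e for e in events if lo <= e[0] <= hi)


if __name__ == "__main__":
    for t, src, detail in build_timeline("2024-03-10T02:00:00Z", "2024-03-10T03:00:00Z"):
        print(t.isoformat(), src, detail)
```

Read top to bottom, the merged timeline shows the login, the modified binary, the privilege escalation, the dropped file and the outbound connection in order, which is the reconstruction the question asks for.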
"Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?"
The best procedure is option C, cloning the system and investigating it in a proper lab for these kinds of accidents.
Nope, because the system you are cloning is already compromised. You are not going to run an exploit and investigate the behavior. Cloning a compromised system is good for nothing; you already have this system, so why clone it?
GPT-4 calibrated to CS0-002: Extracting the server's system timeline, verifying hashes and network connections during a certain time frame (B) is the best method to reconstruct the steps taken by an attacker. This process is part of digital forensics, which involves capturing, recording, and analyzing system states, activities, and changes over time to reconstruct events. [Scanning the affected system with an anti-malware tool and checking for vulnerabilities with a vulnerability scanner (A) may help identify malware or vulnerabilities that were exploited, but it does not provide detailed information about the attacker's steps. Cloning the entire system and deploying it in a network segment built for tests and investigations while monitoring the system during a certain time frame (C) is more related to proactive security measures and attack simulation, not post-attack analysis. Cloning the server's hard disk and extracting all the binary files, comparing hash signatures with malware databases (D) is useful, but it does not provide a step-by-step account of the attacker's activities.]
By cloning the entire compromised system and deploying it in a controlled network segment, the analyst creates an isolated environment for investigation. This ensures that the original system remains untouched and unaffected, allowing for a thorough examination of the attacker's actions without risking further compromise or damage. This enables the reconstruction of the steps taken by the attacker and provides valuable insights into their techniques, tools, and methods used to compromise the server.