Exam CV0-003 topic 1 question 254 discussion

The question is not asking for disaster recovery, it is asking to identify the scope of an incident, therefore it cannot be C or A. so D is the answer

Explanation: In an IaaS (Infrastructure as a Service) environment, identifying the scope of an incident typically involves preserving evidence before conducting further analysis. Taking a snapshot of all volumes attached to the affected instance ensures that the current state of the system is captured, allowing for forensic analysis without altering data.

It's B, not all incidents will develop into a routine of traffic emitting from the infected endpoint. Traffic captures tend to happen in real-time and rarely are they used in the Firewall policies or anywhere else considering they bottleneck the dataplane so it's always used in troubleshooting. If there was a logic bomb for instance or something that would be more specific to targeting the machine with a rootkit without external network connections you wouldn't be able to see it through a traffic capture. B., is the answer because most the system has been targeted with a snapshot it can interrogated and sent for forensics.

I would think that you would want to check traffic logs to see what your up against.

B. Snapshot all volumes attached to an instance. In an IaaS (Infrastructure as a Service) platform, the first step a systems administrator would usually take to identify the scope of an incident is to snapshot all volumes attached to the affected instance. This action creates a copy of the instance's storage volumes at a specific point in time, preserving the state of the data, configurations, and potential evidence related to the incident.

You want to