Exam CS0-003 topic 1 question 132 discussion

Answer is D. The analyst has already contained the original infected machine. Next would be to identify the scope of the malware (how many users have been affected). After the spread has been contained, the analyst can go back and acquire the bit level image for further forensics. Incident response steps guys.

This information is directly from CertMaster Topic 8B: Incident responders must make quick decisions regarding the most effective containment technique when a system is compromised. The course of action depends on several factors: Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel. Prevent further damage. This will be the overriding priority after the identification of the compromise. Identify whether the intrusion is a primary or a secondary attack (part of a more complex campaign). Avoid alerting the attacker that they have been discovered. Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system like any crime scene by preventing anyone from further compromising the system or destroying evidence. Therefore, D would be the most logical answer if we are using this information because it prevents further damage.

The analyst should acquire a bit-level image of the affected workstation. This step is critical because creating a forensic image preserves all digital evidence on the compromised device, which is essential for understanding the attack, supporting investigations, and potentially meeting legal or regulatory requirements. Wiping or restoring the system too soon can destroy valuable forensic artifacts, and shutting down other systems or searching for additional victims should come after evidence is preserved

The correct answer is: C. Acquire a bit-level image of the affected workstation Explanation: After isolating the affected workstation, the next step in incident response—especially for ransomware and forensic investigations—is to preserve evidence. Creating a bit-level image of the affected system ensures that all data, including potentially hidden or deleted files and malware artifacts, is preserved for further analysis or legal investigation.

I am gonna say C first because you always always preserve your evidence before doing anything else so it doesn't loose its integrity.

In a real world scenario, you will have teammates. One can do the bit-level, while the others can focus on the real priority which is to contain the spread of ransomware. Based on severity, containing the spread takes precedence over image. So I'm going with D.

D refers to searching for mail users who have received the same file, not necessarily those who are already infected. This distinction is critical because just receiving the file doesn't mean the ransomware has been executed on their systems.

As a Computer forensic analyst at a sheriff's office office, our training has always been "C. Acquire a bit-level image of the affected workstation" first. While this is an important follow-up action to prevent further spread of the ransomware, it is secondary to preserving the forensic evidence from the affected workstation. Identifying other recipients helps in understanding the scope of the attack but should come after securing and analyzing the evidence from the primary affected machine.

answer is C. Creating a bit-level image of the affected workstation captures a complete snapshot of the entire disk. This image can be used for forensic analysis later to understand the attack scope, identify potential entry points, and potentially recover data if decryption isn't feasible.

Certmaster topic 8 is not very clear on ransomware but it gives this link https://www.cisa.gov/stopransomware/ransomware-guide From that guide the steps are somewhat clearer, but sort of confusing. From the link I get that it should be Isolate , but then the next steps are to shutdown and disconnect from network, then also investigate other affected users to include "email". So this questions is very confusing. So is it B, C, or D. It does use the word "NEXT" -- so it would mean shut down - B --- what do you all think? based on that link.

issue is ongoing, making sure it doesnt spread more is the priority over making a copy

creating a bit level image called forensic image captures the entire content of the hard drive at that point in time.

Acquiring a bit-level image (also known as a forensic image) of the affected workstation is crucial for a couple of reasons: Evidence Preservation: It ensures that all the data on the workstation is preserved in its current state, which is essential for any subsequent forensic investigation. This can help in understanding how the ransomware infection occurred, which could be useful in preventing future attacks. Analysis: With a complete image of the workstation, analysts can perform in-depth analysis without the risk of further contaminating the network or losing critical data. The other options, while potentially relevant in certain contexts, are not the immediate next steps:

While searching for other mail users who have received the same file (option D) is important for understanding the attack's propagation and identifying potentially affected systems, it may not be the immediate next step after isolating the affected workstation. Acquiring the forensic image takes precedence to ensure that evidence is properly preserved before further actions are taken.

Both Option C and Option D can be part of a comprehensive incident response plan, but if prioritization is necessary, acquiring a bit-level image is often considered an early and essential step in preserving evidence and understanding the immediate impact on the affected system.

Wow this is a good one. I feel like D is the next move because it's just not clear whether the threat has been contained after workstation was isolated. If it is, then people need to be warned first of an ongoing threat so they don't click on any bait. Secure the scene first before starting investigation.

Think in terms of a hospital, whose patient PII has been ransomed. This is now a criminal matter. This device has been ransomwared, this device is now evidence. Ideally someone else on your team is going to alert others to not click on that link or investigate further, but you, with your one task of investigating that device, need to preserve the volatile/ephemeral evidence.