
Exam CAS-003 topic 1 question 411 discussion

Actual exam question from CompTIA's CAS-003
Question #: 411
Topic #: 1

A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage. Which of the following should the security engineer do FIRST to begin this investigation?

  • A. Create an image of the hard drive
  • B. Capture the incoming and outgoing network traffic
  • C. Dump the contents of the RAM
  • D. Parse the PC logs for information on the attacker
Suggested Answer: A

Comments

vorozco
3 years, 2 months ago
Selected Answer: C
We are collecting evidence to confirm whether there was a breach and RAM is most volatile (hence, the first thing that needs to be collected).
upvoted 1 times
sm24
3 years, 3 months ago
Selected Answer: C
You can find similar "order of volatility" questions in Sec+ and CySA+ too. As the analyst has determined not to remediate the damage as the first step, he would be going for the current memory contents.
upvoted 1 times
SoniSoni
3 years, 9 months ago
B. keyword: outside agent
upvoted 2 times
vorozco
3 years, 2 months ago
The device "MAY HAVE been breached and accessed by an outside agent" and the security engineer is verifying whether or not there is evidence of this being true. So, we are trying to look at evidence and need to implement the order of volatility for collection. I think if it had read as the PC being ACTIVELY breached in the present, then it could possibly be B.
upvoted 1 times
jagoichi
3 years, 10 months ago
Agree, C. The order of volatility is the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile data. Highly volatile data resides in the memory, cache, or CPU registers, and it will be lost as soon as the power to the computer is turned off.
upvoted 4 times
D1960
4 years ago
Maybe: C. Dump the contents of the RAM? The PC is not in the process of being breached. It is suspected of having been breached in the past. As such, checking ingoing and outgoing traffic won't tell you anything. You want to shut the system down ASAP because the system may be infecting other systems. But before you shut the system down, it is probably best to save RAM.
upvoted 2 times
infosec208
4 years, 1 month ago
This is a tricky one. A. Create an image of the hard drive -> Not what we normally do first. B. Capture the incoming and outgoing network traffic -> If the system is on this is first. C. Dump the contents of the RAM -> If the system is on this is second. Unfortunately a very poor question, but I think I'd answer B on the exam.
upvoted 2 times
D1960
3 years, 8 months ago
I think you can check incoming and outgoing network traffic by viewing the logs, after the system has been shut down. No need to keep a possibly infected system running for any longer than you have to. Dump the volatile memory, and shut the system down.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)