CompTIA Exam Questions

A server dedicated to the storage and processing of sensitive information was compromised with a
rootkit and sensitive data was extracted. Which of the following incident response procedures is
best suited to restore the server?

A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.

B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.

C. Format the storage and reinstall both the OS and the data from the most current backup.

D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.

Explanation:
Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager, or connections established or available that do not appear in a netstat display; the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere that there is enough memory to reside: video cards, PCI cards, and the like (in that case wiping the storage alone is not enough and the affected firmware must also be reflashed or the hardware replaced). The best way to handle this situation is to wipe the server, reinstall the operating system from the original installation disks, and then restore the data from your last known good backup. This way you can eradicate the rootkit and restore the data. Reinstalling the OS from the most current backup, or keeping the existing data partition, risks bringing the rootkit back, because that backup or partition may already have been compromised and a rootkit hides itself from an antivirus scan run on the infected system.