A server dedicated to the storage and processing of sensitive information was compromised with a
rootkit and sensitive data was extracted. Which of the following incident response procedures is best
suited to restore the server?

A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.
C. Format the storage and reinstall both the OS and the data from the most current backup.
D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
Explanation:
Rootkits are software programs that have the ability to hide certain things from the operating system.
With a rootkit, there may be a number of processes running on a system that do not show up in Task
Manager or connections established or available that do not appear in a netstat display—the rootkit
masks the presence of these items. The rootkit is able to do this by manipulating function calls to the
operating system and filtering out information that would normally appear. Theoretically, rootkits could
hide anywhere that there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server, reinstall the operating system from the original
installation media and then restore the data from your last known good backup. This way you
eradicate the rootkit and restore the data.
Incorrect Answers:
B: Keeping the data partition will not ensure that the rootkit is eradicated.
C: Formatting the storage is not guaranteed to eradicate the rootkit, since a rootkit is capable of
manipulating function calls to the operating system. Reinstalling the OS and data from the most
recent backup may also reinstall the rootkit.
D: Erasing the storage will not eradicate the rootkit. Furthermore, you need to make use of the last known
good backup and not the most current backup.
Reference:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 301, 429