A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and
sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?
Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.
Format the storage and reinstall both the OS and the data from the most current backup.
Erase the storage, reinstall the OS from most current backup and only restore the data that was not
Rootkits are software programs that can hide things from the operating system and from the tools that run on it. With a
rootkit installed, processes may be running that do not show up in Task Manager, and network connections may be
established or listening that do not appear in a netstat display; the rootkit masks the presence of these items by
intercepting function calls to the operating system and filtering out the information that would normally be returned.
Because the compromised system's own view of itself can no longer be trusted, anything that relies on that view,
including a full antivirus scan run on the infected operating system, cannot prove the rootkit is gone. Theoretically,
rootkits can hide anywhere there is enough memory for them to reside, such as the firmware of video cards, PCI cards,
and the like.

The best way to handle this situation is to wipe the server's storage, reinstall the operating system from the original
installation media (not from a backup, which may already contain the rootkit), and then restore the data from the last
known good backup, meaning a backup taken and verified before the compromise. Restoring either the OS or the data
from the most current backup risks reintroducing the rootkit or the attacker's backdoor. Wiping and reinstalling
eradicates the rootkit and restores the data; if there is evidence the rootkit persisted in device firmware, the affected
firmware must also be re-flashed or the hardware replaced.
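The filtering described above can be observed with a cross-view comparison: ask the operating system for its process list in two different ways and diff the answers. The following is an added example and is not part of the original question or explanation. It is written for Linux, uses only the Python standard library, and the SAMPLE_* sets are constructed data standing in for a hidden process with PID 4242; the function names are the example's own.

```python
"""Cross-view rootkit detection for processes on Linux (added example)."""
import os

# Constructed sample data: the PIDs a filtered listing showed an operator,
# and the PIDs the kernel admitted to when probed directly. 4242 is the
# hidden process in this made-up scenario.
SAMPLE_VISIBLE_PIDS = {1, 2, 650, 1337, 2048}
SAMPLE_PROBED_PIDS = {1, 2, 650, 1337, 2048, 4242}


def list_proc_pids():
    """Untrusted view: the PIDs that a directory listing of /proc returns.

    This is the same path ps and top use, so a rootkit that filters
    readdir()/getdents() results hides processes from it."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid=None):
    """Alternative view: ask the kernel about every PID with kill(pid, 0).

    Signal 0 delivers nothing; ESRCH (ProcessLookupError) means no such
    process, EPERM (PermissionError) means it exists but is not ours.
    A rootkit that only filters directory listings does not touch this path."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def classify_candidate(pid):
    """Explain a PID that kill() acknowledged but /proc did not list.

    kill() also accepts thread IDs, and /proc lists only thread-group
    leaders, so ordinary threads would look 'hidden' without this check.
    /proc/<pid>/status is still readable by exact path even when the
    directory entry is filtered; its Tgid line tells a thread from a process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return "process" if int(line.split()[1]) == pid else "thread"
    except OSError:
        return "unknown"  # exists per kill() but /proc refuses: suspicious
    return "unknown"


def hidden_pids(visible, probed, classify=classify_candidate):
    """Cross-view diff: PIDs the kernel acknowledges but the listing omitted,
    with benign threads removed. `classify` is injectable so the logic can be
    exercised on constructed data without a real hidden process."""
    return {pid for pid in probed - visible if classify(pid) != "thread"}


if __name__ == "__main__":
    # Constructed scenario: every candidate is a real process, so 4242 is flagged.
    print("sample:", hidden_pids(SAMPLE_VISIBLE_PIDS, SAMPLE_PROBED_PIDS,
                                 classify=lambda pid: "process"))
    # Live run on this host; a clean system should report an empty set,
    # apart from transient PIDs that exited between the two views (re-run
    # to confirm anything that is flagged).
    print("live:", hidden_pids(list_proc_pids(), probe_pids()))
```

The same idea applies to the netstat case: compare the sockets a listing tool reports with those found by another path. The limitation is exactly the point the explanation makes: a kernel-level rootkit that hooks the system call table can filter kill() as readily as readdir(), so a clean result from a tool running on the compromised host is not proof of a clean host. That is why the remediation is to wipe and reinstall rather than to clean in place.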