PrepAway - Latest Free Exam Questions & Answers

Which of the following incident response procedures wou…

In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in
question from the incident manager. Which of the following incident response procedures would he need to
perform in order to begin the analysis? (Choose two.)

PrepAway - Latest Free Exam Questions & Answers

A.
Take hashes

B.
Begin the chain of custody paperwork

C.
Take screen shots

D.
Capture the system image

E.
Decompile suspicious files

Explanation:
A: Take Hashes. NIST (the National Institute of Standards and Technology) maintains a National Software
Library (NSRL). One of the purposes of the NSRL is to collect “known, traceable software
applications” through their hash values and store them in a Reference Data Set(RDS). The RDS can then be
used by law enforcement, government agencies, and businesses to determine which files are important as
evidence in criminal investigations.
D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited
state can be helpful in revisiting the issue after the fact to learn more about it.


Leave a Reply