PrepAway - Latest Free Exam Questions & Answers

Before shutting down a system suspected of an attack, the investigator should do what?

A. Remove and back up the hard drive

B. Dump memory contents to disk

C. Remove it from the network

D. Save data in the spooler queue and temporary files

Explanation:
B: If the computer was actually attacked or involved in a computer crime, there is a good possibility that useful information could still reside in memory. Specific tools can be used to actually dump this information and save it for analysis before the power is removed.

2 Comments on “Before shutting down a system suspected of an attack, the investigator should do what?”

  1. joe says:

    If the computer was actually attacked or involved in a computer crime, there is a good possibility that useful information could still reside in memory. Specific tools can be used to actually dump this information and save it for analysis before the power is removed.




  2. joe says:

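    If the computer was actually attacked or involved in a computer crime, there is a good possibility that useful information may still reside in memory. Specific tools can be used to actually dump the information and save it for analysis before the power is removed.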



