During a security incident, the analyst needs to preserve evidence from a compromised server. Which action should be performed FIRST?
- Restore the server from the most recent backup
- Create forensic images of all data
- Disconnect the server from the network while keeping it powered on ✓
- Shut down the server immediately to prevent further changes
Correct answer: Disconnect the server from the network while keeping it powered on
Option C is correct because the first priority in incident response evidence preservation is to isolate the system from the network, which stops ongoing attacker access and prevents data exfiltration, while keeping it powered on preserves volatile memory (RAM), running processes, and active network connections that would be lost on shutdown. Option A is incorrect because restoring from backup destroys forensic evidence; it belongs to the recovery phase, long after evidence has been collected. Option B is incorrect because, although creating forensic images is an important step, it should come after isolation: imaging a live, still-networked system risks the attacker tampering with the evidence being captured. Option D is incorrect because immediately shutting down the server clears volatile memory, destroys running process data, and may overwrite temporary files, causing irreversible loss of forensic artifacts.
Topic: incident response, digital forensics, evidence preservation, network isolation