Conducting Forensic Analysis and Incident Response Using Cisco Technologies (CBRFIR) — Question 14
An engineer is investigating a ticket from the accounting department in which a user discovered an unexpected application on their workstation. Several alerts are seen from the intrusion detection system of unknown outgoing internet traffic from this workstation. The engineer also notices a degraded processing capability, which complicates the analysis process. Which two actions should the engineer take? (Choose two.)
Answer options
- A. Restore to a system recovery point.
- B. Replace the faulty CPU.
- C. Disconnect from the network.
- D. Format the workstation drives.
- E. Take an image of the workstation.
Correct answer: C, E
Explanation
The correct actions are to disconnect from the network to prevent further data exfiltration and to take an image of the workstation for forensic analysis. Restoring to a recovery point (A) or formatting drives (D) may compromise evidence, and replacing the CPU (B) is unnecessary for addressing the immediate security concern.