CompTIA CASP+ (CAS-003) — Question 211
A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage. Which of the following should the security engineer do FIRST to begin this investigation?
Answer options
- A. Create an image of the hard drive
- B. Capture the incoming and outgoing network traffic
- C. Dump the contents of the RAM
- D. Parse the PC logs for information on the attacker
Correct answer: A
Explanation
Creating an image of the hard drive is crucial because it preserves the system's current state for analysis, allowing the engineer to investigate without altering the evidence. Capturing network traffic, dumping RAM, or parsing logs may each yield useful information, but those steps should follow securing a complete, unaltered copy of the hard drive for forensic analysis.