CompTIA CASP+ (CAS-003) — Question 83

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated.
Which of the following were missed? (Choose two.)

Answer options

• A. CPU, process state tables, and main memory dumps
• B. Essential information needed to perform data restoration to a known clean state
• C. Temporary file system and swap space
• D. Indicators of compromise to determine ransomware encryption
• E. Chain of custody information needed for investigation

Correct answer: D, E

Explanation

The correct answers are D and E because shutting down the hosts without investigation means that they lost critical indicators of compromise that could help identify how the ransomware operated (D) and also neglected to preserve the chain of custody information necessary for a proper investigation (E). Options A, B, and C, while important, do not directly pertain to immediate indicators of compromise or legal investigation protocols.