CompTIA CASP+ (CAS-004) — Question 201
During a recent security incident investigation, a security analyst mistakenly turned off the infected machine prior to consulting with a forensic analyst. Upon rebooting the machine, a malicious script that was running as a background process was no longer present. As a result, potentially useful evidence was lost. Which of the following should the security analyst have followed?
Answer options
- A. Order of volatility
- B. Chain of custody
- C. Verification
- D. Secure storage
Correct answer: A
Explanation
The correct answer is A. The order of volatility (documented in RFC 3227) ranks evidence by how quickly it disappears: CPU registers and cache first; then memory contents, the process table, network connections and routing/ARP state; then temporary file systems; then disk; then remote logs; and finally physical configuration and archival media. Evidence is collected in that order, so a running process, which lives only in memory, must be captured (memory image, process and network listings) before the machine is powered off or rebooted. Shutting the host down first destroyed exactly the most volatile tier, which is the failure described in the scenario. The other options matter but do not address this: chain of custody (B) documents who handled evidence and when, not the order in which it is gathered; verification (C) uses hashes to prove that what was collected has not changed; secure storage (D) protects evidence after it has already been acquired. None of them would have saved the process data that was lost at power-off.
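As an added illustration of what "collect in order of volatility" looks like in practice (not part of the exam page), the following POSIX shell script captures live-response artefacts from a Linux or Unix host in RFC 3227 order, most volatile first, and hashes each capture for the chain-of-custody record. The function name, output file layout and tier numbering are this example's own choices; the script is meant to be run as root on the suspect host before any shutdown, ideally with the forensic analyst's agreement. Full memory and disk acquisition need dedicated tools and are only noted in the record here.

```shell
#!/bin/sh
# Live-response collection ordered by volatility (RFC 3227 ordering).
# Added example, not from the exam page; hypothetical helper names.
# Run as root on the suspect host BEFORE any shutdown or reboot.

hash_file() {
    # SHA-256 each capture so its integrity can be verified later (option C).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else echo "no-hash-tool $1"; fi
}

capture_processes() {
    # Process table: the artefact that vanished in the scenario.
    if command -v ps >/dev/null 2>&1; then
        ps -eo pid,ppid,user,lstart,args 2>/dev/null || ps -ef 2>/dev/null || ps aux 2>/dev/null || ps
    else
        # Fallback for minimal containers without procps: walk /proc directly.
        for p in /proc/[0-9]*; do
            printf '%s %s\n' "${p#/proc/}" "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
        done
    fi
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1

    # Tier 1: clock and uptime first, so every later capture can be placed on
    # a timeline and any clock skew is documented.
    { date -u; uptime 2>/dev/null; } > "$outdir/01_time.txt" || true

    # Tier 2: memory-resident state. Process table, sockets, neighbour cache
    # and routes are all gone after a reboot.
    capture_processes > "$outdir/02_processes.txt" 2>/dev/null || true
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || cat /proc/net/tcp /proc/net/udp
      ip neigh 2>/dev/null || arp -an
      ip route 2>/dev/null || netstat -rn; } > "$outdir/03_network.txt" 2>/dev/null || true
    { who; w; } > "$outdir/04_users.txt" 2>/dev/null || true
    { cat /proc/modules 2>/dev/null || kextstat; } > "$outdir/05_modules.txt" 2>/dev/null || true

    # Tier 3: temporary file systems and mounts (less volatile, still lost at power-off).
    { mount; ls -la /tmp /dev/shm; } > "$outdir/06_tmp_and_mounts.txt" 2>/dev/null || true

    # A full RAM image belongs in tier 2 and a disk image comes last; both need
    # dedicated tooling, so this example only records them as the next steps.
    echo "Next: RAM image (tier 2, dedicated tool), then disk image (least volatile)" \
        > "$outdir/07_next_steps.txt"

    # Manifest of hashes for the chain-of-custody record (option B).
    for f in "$outdir"/0*.txt; do hash_file "$f"; done > "$outdir/manifest.sha256"
    echo "Collected $(ls "$outdir"/0*.txt | wc -l) artefacts in $outdir"
}
```

Usage: `collect_volatile /mnt/evidence/host01` from a shell on the suspect host, then copy the directory and its manifest to secure storage (option D). The point of the numbering is that nothing in tier 3 or later is touched until the memory-resident data in tier 2 has been written out.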