CompTIA CASP+ (CAS-004) — Question 417
A security manager discovers that a system's log files contain evidence of potential criminal activity. Which of the following actions should be done next?
Answer options
- A. Power off all systems immediately to block any further actions.
- B. Perform a thorough investigation with law enforcement.
- C. Contact the user who appears in the log files.
- D. Take a system snapshot to preserve any evidence.
- E. Reach out to the human resources department.
Correct answer: D
Explanation
Taking a system snapshot is the correct next step: it captures the state of the system (memory, disk, and the log files themselves) before anything can alter or destroy it, and a hashed copy of that snapshot is what later supports chain of custody. Powering off (A) destroys volatile data such as memory contents, open network connections and running processes. Contacting the user (C) can tip off a suspect, and going to HR (E) does nothing to secure the evidence. Involving law enforcement (B) matters, but it should come after the evidence has been preserved intact, since an investigation built on unpreserved evidence is easy to challenge.
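As an added example (not part of the CASP+ question or its explanation), the following Python script implements the log-file part of "take a snapshot to preserve evidence": it copies each log into an evidence directory, hashes source and copy with SHA-256, marks the copies read-only, and writes a manifest with a UTC timestamp and collector name so that any later change to a preserved copy is detectable. The function names, the collector name and the sample log line are constructed for this demonstration; a full system snapshot (memory image, disk image) needs dedicated imaging tools and is outside this script.

```python
"""Evidence-preserving copy of log files with a SHA-256 integrity manifest.

Added example, not the exam page's own material. All names are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths, evidence_dir, collector="security-manager"):
    """Copy each log into evidence_dir, hash source and copy, write a manifest.

    Returns the manifest dict. Raises RuntimeError if a copy does not hash
    the same as its source, so a bad copy is never silently kept as evidence.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "items": [],
    }
    for i, src in enumerate(log_paths):
        src_hash = sha256_file(src)
        # Index prefix avoids collisions between logs with the same basename.
        dst = os.path.join(evidence_dir, f"{i:02d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 keeps the original mtime for the timeline
        copy_hash = sha256_file(dst)
        if copy_hash != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dst, 0o444)  # read-only: the preserved copy must not be edited
        manifest["items"].append({
            "source": os.path.abspath(src),
            "copy": os.path.abspath(dst),
            "size": os.path.getsize(dst),
            "sha256": copy_hash,
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy against the manifest; return {copy: bool}."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return {item["copy"]: sha256_file(item["copy"]) == item["sha256"]
            for item in manifest["items"]}


if __name__ == "__main__":
    # Constructed sample log line; not a real event from any system.
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")
    with open(log, "w") as f:
        f.write("Jan 10 03:12:44 host sshd[1021]: Accepted password for root "
                "from 203.0.113.7 port 50214 ssh2\n")
    manifest = preserve_logs([log], os.path.join(work, "evidence"))
    print(json.dumps(manifest, indent=2))
    print("verified:", verify_evidence(os.path.join(work, "evidence")))
```

The manifest records what was collected, by whom, when, and with what hash; anyone handling the copy later re-runs verify_evidence before relying on it. Collect volatile data (memory, network state, process list) before the logs if the system is still running, since that is lost first.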