CompTIA CASP+ (CAS-004) — Question 447
An analyst is working to address a potential compromise of a corporate endpoint and discovers the attacker accessed a user’s credentials. However, it is unclear if the system baseline was modified to achieve persistence. Which of the following would most likely support forensic activities in this scenario?
Answer options
- A. Side-channel analysis
- B. Bit-level disk duplication
- C. Software composition analysis
- D. SCAP scanner
Correct answer: B
Explanation
Bit-level disk duplication is the best choice because it produces an exact, forensically sound copy of the entire disk, including deleted files and unallocated space, preserving all data and any evidence of modifications the attacker made to the system baseline while leaving the original untouched for comparison. The other options (side-channel analysis, software composition analysis, and SCAP scanning) are useful in other contexts but do not capture the detailed disk state needed to determine whether the system baseline was altered.