CompTIA SecurityX (CAS-005) — Question 145

During an incident response activity, the response team collected some artifacts from a compromised server, but the following information is missing:

• Source of the malicious files
• Initial attack vector
• Lateral movement activities

The next step in the playbook is to reconstruct a timeline. Which of the following best supports this effort?

Answer options

• A. Executing decompilation of binary files
• B. Analyzing all network routes and connections
• C. Performing primary memory analysis
• D. Collecting operational system logs and storage disk data

Correct answer: D

Explanation

Collecting operational system logs and storage disk data is crucial for reconstructing a timeline as it provides detailed information about system activities and changes. The other options, while useful for different aspects of investigation, do not directly offer the chronological data needed to piece together the sequence of events related to the incident.