CompTIA SecurityX (CAS-005) — Question 92

An analyst is working to address a potential compromise of a corporate endpoint and discovers the attacker accessed a user's credentials. However, it is unclear if the system baseline was modified to achieve persistence. Which of the following would most likely support forensic activities in this scenario?

Answer options

• A. Side-channel analysis
• B. Bit-level disk duplication
• C. Software composition analysis
• D. SCAP scanner

Correct answer: B

Explanation

Bit-level disk duplication is crucial for forensic analysis as it creates an exact image of the disk, preserving all data for investigation. This enables the analyst to check for any changes that may indicate persistence. The other options do not provide the same level of detail needed for thorough forensic examination.