CompTIA CySA+ (CS0-002) — Question 226
An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?
Answer options
- A. Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.
- B. Extract the server’s system timeline, verifying hashes and network connections during a certain time frame.
- C. Clone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.
- D. Clone the server’s hard disk and extract all the binary files, comparing hash signatures with malware databases.
Correct answer: B
Explanation
Option B is correct because extracting the server's system timeline, and verifying hashes and network connections for the period in question, yields a chronological record of the events and connections that occurred during the attack, which is exactly what reconstructing the attacker's steps requires. The other options are useful for general analysis, but none of them reconstructs the specific sequence of events as effectively as analyzing the system timeline does.