CompTIA CySA+ (CS0-002) — Question 372
A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation?
Answer options
- A. Data carving
- B. Timeline construction
- C. File cloning
- D. Reverse engineering
Correct answer: B
Explanation
The correct answer is B: constructing a timeline helps organize events and identify the sequence of actions that occurred, which is crucial for understanding the incident. Options A, C, and D are useful in other contexts, but they do not provide the immediate contextual clarity needed to analyze the incident effectively.