CompTIA CySA+ (CS0-002) — Question 420

A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?

Answer options

• A. System timeline reconstruction
• B. System registry extraction
• C. Data carving
• D. Volatile memory analysis

Correct answer: A

Explanation

The correct answer is A, as system timeline reconstruction helps in analyzing events over time, providing insights into when and how the security breach occurred. Options B, C, and D focus on different aspects of forensic analysis, such as registry data, recovering deleted files, and analyzing memory, but do not specifically track the timeline of events related to the compromise.