CompTIA CySA+ (CS0-003) — Question 10

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Answer options

• A. Clone the virtual server for forensic analysis
• B. Log m to the affected server and begin analysis of the logs
• C. Restore from the last known-good backup to confirm there was no loss of connectivity
• D. Shut down the affected server immediately

Correct answer: A

Explanation

Cloning the virtual server for forensic analysis is crucial because it preserves the state of the server and allows for a thorough investigation without altering original evidence. Logging into the affected server to analyze logs could compromise data integrity, while restoring from backups and shutting down the server might result in loss of critical information needed for understanding the incident.