CompTIA CySA+ (CS0-003) — Question 515

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Answer options

• A. Hard disk
• B. Primary boot partition
• C. Malicious files
• D. Routing table
• E. Static IP address

Correct answer: D

Explanation

The routing table is critical to collect first because it contains information about the network paths and connections that can help in understanding the attack's context. Collecting the hard disk, primary boot partition, or malicious files later may risk altering or losing sensitive data. The static IP address is also less relevant than the routing table in the initial stages of investigation.