CompTIA CySA+ (CS0-003) — Question 522
During an incident, an analyst needs to acquire evidence for later investigation. Based on the order of volatility, which of the following must be collected first from a computer system?
Answer options
- A. Disk contents
- B. Backup data
- C. Temporary files
- D. Running processes
Correct answer: D
Explanation
The correct answer is D: running processes are the most volatile of the listed data sources and can change rapidly. Disk contents, backup data, and temporary files should still be collected afterward, but they are less volatile than the information held in running processes.