CompTIA Security+ (SY0-501) — Question 227

Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally conducts an image of the hard drive.
Which of the following procedures did Joe follow?

Answer options

• A. Order of volatility
• B. Chain of custody
• C. Recovery procedure
• D. Incident isolation

Correct answer: A

Explanation

The correct answer is A, Order of volatility, as it dictates the sequence in which data should be collected, prioritizing volatile data first. The other options, while relevant to forensic processes, do not pertain to the specific order in which Joe collected evidence during the incident.