CompTIA Security+ (SY0-501) — Question 258

An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server.
Which of the following should a security analyst do FIRST?

Answer options

Correct answer: A

Explanation

The correct initial action is to capture a copy of the workstation's memory, preserving volatile data (running processes, network connections, and other in-memory state) that may provide insight into the incident and into what was sent to the unknown server. Turning off the workstation (B) can lead to loss of that valuable data, while consulting the information security policy (C) and running a virus scan (D) are important steps that should follow the preservation of evidence.