CompTIA Security+ (SY0-501) — Question 488
A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the following should the first responder collect FIRST?
Answer options
- A. Virtual memory
- B. BIOS configuration
- C. Snapshot
- D. RAM
Correct answer: C
Explanation
The correct answer is C. Taking a snapshot of the virtual host preserves the current state of the system, including memory and disk contents, which is crucial for forensic analysis. Options A and D are important, but they come after the snapshot because they can be extracted from it. Option B is less relevant to immediate evidence collection than the other options.