CompTIA Security+ (SY0-501) — Question 604
An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running.
Which of the following should be acquired LAST?
Answer options
- A. Application files on hard disk
- B. Processor cache
- C. Processes in running memory
- D. Swap space
Correct answer: A
Explanation
Application files on the hard disk should be acquired last because they are the least volatile of the listed sources: data on disk persists, while the other sources change or disappear as the system continues to run. Processor cache, processes in running memory, and swap space hold immediate, valuable data about the current state of the system and should be captured first to preserve evidence of the compromise.