CompTIA Security+ (SY0-501) — Question 713

While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive.
Which of the following incident response steps is Joe working on now?

Answer options

• A. Recovery
• B. Eradication
• C. Containment
• D. Identification

Correct answer: A

Explanation

Joe is in the Recovery phase because he has restored the operating system and applications and is now focused on retrieving the user's files. The Eradication phase involves removing the cause of the incident, Containment is about limiting the damage, and Identification is the process of determining the nature of the incident, none of which are applicable to Joe's current task.