CompTIA Security+ (SY0-601) — Question 460
An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the perimeter network and moved on to the sensitive information, generating multiple logs as the attacker traversed the network. Which of the following will best assist with this investigation?
Answer options
- A. Perform a vulnerability scan to identify the weak spots.
- B. Use a packet analyzer to investigate the NetFlow traffic.
- C. Check the SIEM to review the correlated logs.
- D. Require access to the routers to view current sessions.
Correct answer: C
Explanation
The correct answer is C because the SIEM (Security Information and Event Management) system aggregates and correlates logs from many sources across the enterprise, which is exactly what is needed when an attacker has generated multiple logs on different assets while moving from the perimeter to the sensitive data; the correlated view reconstructs the breach's timeline and impact. Options A and B, while useful in other contexts, do not address the need to correlate the logs generated during the attack: a vulnerability scan shows current weaknesses rather than what happened, and a packet analyzer examines live or captured traffic rather than the historical logs. Option D, accessing routers to view current sessions, shows only what is happening now and will not provide the historical data needed to understand the breach's progression.