CompTIA Security+ (SY0-601) — Question 731

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

Answer options

Correct answer: A

Explanation

The command 'dd' creates a bit-for-bit disk image, which lets the analyst capture the current state of the laptop's storage without altering the original data. The analyst can then continue the investigation on the image while management restores the laptop and returns it to the user. The other options, such as 'memdump' (which captures only volatile memory) and 'tcpdump' (which captures only network traffic), are focused on narrower data capture that does not preserve the disk and so would not facilitate the quick return of the laptop.