GIAC Certified Enterprise Defender (GCED) — Question 9

Which type of media should the IR team be handling as they seek to understand the root cause of an incident?

Answer options

• A. Restored media from full backup of the infected host
• B. Media from the infected host, copied to the dedicated IR host
• C. Original media from the infected host
• D. Bit-for-bit image from the infected host

Correct answer: A

Explanation

The correct answer is A because restored media from a full backup of the infected host contains pre-incident data that can provide insights into what led to the incident. Options B and C involve media that may have been altered or infected, and D provides a snapshot of the infected system, which may not include the necessary context to understand the root cause.