Certified Information Security Manager (CISM) — Question 1142

To prepare for a third-party forensics investigation following an incident involving malware, the incident response team should:

Answer options

• A. clean the malware.
• B. isolate the infected systems.
• C. image the infected systems.
• D. preserve the evidence.

Correct answer: D

Explanation

Preserving the evidence is critical in a forensics investigation as it ensures that the data remains intact and unaltered for analysis. While cleaning the malware, isolating the infected systems, and imaging them are important steps, they should only be done after ensuring that evidence is properly preserved to maintain the integrity of the investigation.