Certified Information Systems Security Professional (CISSP) — Question 84
Which evidence collecting technique would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed?
Answer options
- A. Forensic disk imaging
- B. Live response
- C. Memory collection
- D. Malware analysis
Correct answer: B
Explanation
The correct answer is B, Live response: it allows immediate, real-time analysis of the running system, which is crucial when dealing with rootkits that may hide their presence. Forensic disk imaging (A) is better suited to later analysis than to an immediate response, while memory collection (C) focuses on RAM contents and does not provide the same breadth of live analysis. Malware analysis (D) typically occurs after evidence has been collected and does not address the need for an immediate assessment.