Systems Security Certified Practitioner (SSCP) — Question 59
When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?
Answer options
- A. Back up the compromised systems.
- B. Identify the attacks used to gain access.
- C. Capture and record system information.
- D. Isolate the compromised systems.
Correct answer: C
Explanation
The correct answer is C: capturing and recording system information is crucial for building a legal case because it provides evidence of the intrusion. Options A, B, and D, while important in the incident response process, do not directly contribute to gathering the evidence needed for prosecution.