Which volatile data sources should be collected during an in-progress incident?

Multiple Choice

Which volatile data sources should be collected during an in-progress incident?

Explanation:
In an in-progress incident, volatile data—data that vanishes if the system is rebooted or shut down—needs to be captured first to see the system’s live state. RAM holds the current execution state, including which processes are running, current network connections, and any injected or decrypted artifacts active in memory. Capturing open network connections and sockets reveals who the host is talking to in real time, which can expose command-and-control activity, lateral movement, or data exfiltration. The set of running services and processes shows what is actively loaded and may highlight malicious processes masquerading as legitimate ones or unusual startup items. Together, these volatile sources give a real-time snapshot of the attack as it unfolds and what evidence could disappear if the system changes state.

Disk-based event logs and archived files are important for post-incident analysis, but they are not volatile data and don’t reflect the live in-progress state. A full memory dump is useful, but limiting collection to only a memory dump misses the broader live context provided by active network connections and running processes. Network data from the perimeter firewall alone misses host-side activity and hidden processes.
