A security team is investigating suspicious behavior on a server that shut down after potential data exfiltration. The investigators suspect short-lived artifacts existed prior to the shutdown. Which approach can recover those artifacts for further analysis?
Inspect archived application logs on the system drive
Examine backups of removable media connected to the host
Review a saved copy of active processes from a prior dump
Check logs maintained by the enterprise security tool
A previously obtained snapshot of running processes captures information that disappears when power is removed. This includes data in memory that cannot be retrieved from stored records on drives or enterprise tools. The other approaches focus on more persistent records, which do not provide the transient details the team needs.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a process dump, and how is it useful?
Open an interactive chat with Bash
Why can’t logs or backups replace process dumps during investigations?
Open an interactive chat with Bash
How can investigators create and use process dumps effectively?