An analyst is responding to a security incident on a live Windows server that is suspected of being compromised by fileless malware. To preserve evidence and investigate the running processes, what is the analyst's BEST first action?
According to the digital forensics principle of 'order of volatility,' an analyst should always collect the most transient data first. System memory (RAM) is highly volatile and contains critical evidence such as running processes, network connections, and in-memory malware artifacts, which would be lost if the machine were powered down or if drive imaging altered the system state. Therefore, capturing the contents of RAM is the most critical first step before proceeding with less volatile evidence collection like drive imaging or log analysis.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to capture system memory before drive imaging?
Open an interactive chat with Bash
What are examples of transient or volatile data in system memory?
Open an interactive chat with Bash
How does drive imaging potentially overwrite volatile memory data?