A security analyst arrives at a Linux web server suspected of hosting fileless malware. Before anyone shuts down or reboots the host, the SOC manager directs the analyst to preserve the system's current volatile state so investigators can perform later forensic analysis. Which action should the analyst perform FIRST to meet this requirement?
Enable full-disk encryption on the server to protect data at rest.
Use a trusted live-response tool to create a full memory image (RAM dump) on an external, write-protected drive.
Physically disconnect the Ethernet cable to cut off outbound traffic.
Capture a bit-level disk image of the system's root partition using dd.
Creating a full memory image with a trusted acquisition tool snapshots everything currently resident in RAM, including malicious code, encryption keys, network connections, and other artifacts that would vanish on power-off. Capturing a disk image, disconnecting the network, or enabling full-disk encryption may all be useful later, but none of those actions preserves volatile memory, and some could even alter it.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is volatile memory and why is it important during incident response?
Open an interactive chat with Bash
How is a memory image created, and what tools are commonly used?
Open an interactive chat with Bash
Why is encrypting the disk or disconnecting the system from the network insufficient for preserving volatile memory?