You are the lead responder for a suspected credential-stealing malware infection on a finance server. The host has already been isolated on a quarantine VLAN so no further malicious traffic can leave the network. Management wants the system rebuilt immediately, but you instruct the team to capture a full memory image, create a bit-level disk copy, and archive the server's logs to write-protected storage before any remediation begins.
Which objective BEST explains why you are performing this forensic acquisition step at this point in the response?
To accelerate service restoration by identifying which system binaries should be reinstalled
To reconstruct the attacker's actions and preserve admissible evidence for future analysis or legal proceedings
To update stakeholders about the outage duration and planned recovery milestones
To deploy compensating security controls such as additional firewall rules to prevent re-infection
Forensic acquisition is performed so analysts can later reconstruct the exact sequence of attacker actions, identify the initial point of compromise, and preserve admissible evidence. Without a forensically sound copy of volatile memory, disk artifacts, and log files, critical details such as command-and-control traffic, credential dumps, and timestamps might be overwritten during rebuilding. Restoring systems, updating security controls, or issuing stakeholder communications are important but can occur only after the evidence necessary for timeline and root-cause analysis has been secured.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the importance of volatile memory in forensic analysis?
Open an interactive chat with Bash
Why is creating a bit-level disk copy essential in digital forensics?
Open an interactive chat with Bash
How does preserving server logs aid forensic investigations?