When investigating a virus, what is the first step?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Prepare for the Digital Forensics, Investigation, and Response Test. Study with multiple choice questions that include hints and explanations. Enhance your understanding of digital forensics principles and get ready for your exam!

Multiple Choice

When investigating a virus, what is the first step?

Explanation:
Documenting the incident and preserving evidence up front creates a record of what was observed, when it was observed, which assets were affected, and what logs or artifacts existed at that moment. This establishes a timeline and maintains a defensible chain of custody, both of which are essential for effective analysis, containment decisions, and potential escalation or legal considerations. By capturing the initial state first, you also protect the integrity of the investigation; actions that alter the system can erase clues and complicate later discovery. Why this approach fits best is that it sets a solid foundation for everything that follows—containment, eradication, and recovery—without risking loss of evidence. The other options risk destroying or obscuring artifacts: removing the virus or isolating without documentation can change the system state and mask how the infection occurred, while a full system restore would wipe logs, malware artifacts, and other indicators needed to understand the incident’s scope and lineage.

Documenting the incident and preserving evidence up front creates a record of what was observed, when it was observed, which assets were affected, and what logs or artifacts existed at that moment. This establishes a timeline and maintains a defensible chain of custody, both of which are essential for effective analysis, containment decisions, and potential escalation or legal considerations. By capturing the initial state first, you also protect the integrity of the investigation; actions that alter the system can erase clues and complicate later discovery.

Why this approach fits best is that it sets a solid foundation for everything that follows—containment, eradication, and recovery—without risking loss of evidence. The other options risk destroying or obscuring artifacts: removing the virus or isolating without documentation can change the system state and mask how the infection occurred, while a full system restore would wipe logs, malware artifacts, and other indicators needed to understand the incident’s scope and lineage.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy