Enhance your Cisco Cyber Security knowledge. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your Cisco Cyber Security Exam with our comprehensive quiz!


When collecting evidence following a system breach, which data should be collected first?

  1. Data on external storage devices

  2. Data in backups

  3. Data on the CPU

  4. Data from network traffic logs

The correct answer is: Data on the CPU

This question tests the order of volatility, the principle (written down in RFC 3227, "Guidelines for Evidence Collection and Archiving") that evidence should be collected from the most volatile source to the least volatile one. CPU registers and cache sit at the top of that order: they are overwritten continuously while the system runs and vanish the moment it is powered off or rebooted. Immediately below them comes memory-resident state such as the process table, loaded kernel modules, the ARP cache, the routing table and open network connections. This is the data that shows what was actually executing during the incident, for example an unauthorized process or a connection to an attacker-controlled host, and it cannot be reconstructed from disk afterwards.

The other three options are non-volatile or are preserved elsewhere. Data on external storage devices and data in backups persist until someone deletes them, and backups (archival media) are the very last item in the RFC 3227 order. Network traffic logs are normally held on a separate logging or monitoring system and survive the compromised host being shut down. All three should still be collected and analyzed, but they can be gathered after the volatile state has been captured without losing evidence.

Two practical caveats follow from this. First, every command run on the live system changes its state, so volatile data should be acquired with the smallest footprint possible, from trusted tools, and with a record of what was run and when. Second, "collect volatile data first" also means "do not power the system off first": pulling the plug destroys exactly the evidence this question asks about.
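As an added example (not part of the quiz or its explanation), the script below is a minimal volatile-first live triage collector for a Linux host, ordered the way RFC 3227 orders it: kernel and process state and memory-resident network tables first, temporary file systems next, persistent disk metadata last. It assumes /proc is mounted and the usual coreutils are present; each step records whether it succeeded, so a missing tool is logged rather than silently skipped, and a SHA-256 manifest is written at the end so the collected files can later be shown to be unaltered. A shell cannot read CPU registers or dump RAM; on a real engagement a dedicated memory-acquisition tool would run before any of these commands.

```shell
#!/bin/sh
# Volatile-first live triage collection following the RFC 3227 order of volatility.
# Added example, not from the original page. Assumes Linux with /proc and coreutils.

# run_step <outdir> <tier> <name> <command...>
# Runs one collection command, saves its output, and appends a timestamped
# manifest line (UTC time, volatility tier, artifact name, ok/failed) so the
# order and time of every acquisition is documented.
run_step() {
  outdir=$1; tier=$2; name=$3; shift 3
  file="$outdir/${tier}_${name}.txt"
  if "$@" > "$file" 2>&1; then status=ok; else status=failed_or_unavailable; fi
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$tier" "$name" "$status" \
    >> "$outdir/manifest.tsv"
}

# collect_volatile <outdir>
# Tier 1: kernel statistics, process table, loaded modules, ARP cache, routing
#         table and socket table (all memory-resident; lost on power-off).
# Tier 2: temporary file systems (survive a crash only if backed by disk).
# Tier 3: persistent storage metadata (the disks themselves are imaged later,
#         read-only, and are not acquired from the live shell).
collect_volatile() {
  outdir=$1
  mkdir -p "$outdir"
  : > "$outdir/manifest.tsv"

  run_step "$outdir" 1 uptime    cat /proc/uptime
  run_step "$outdir" 1 loadavg   cat /proc/loadavg
  run_step "$outdir" 1 processes ps -eo pid,ppid,user,etime,args
  run_step "$outdir" 1 modules   cat /proc/modules
  run_step "$outdir" 1 arp       cat /proc/net/arp
  run_step "$outdir" 1 route     cat /proc/net/route
  run_step "$outdir" 1 tcp       cat /proc/net/tcp

  run_step "$outdir" 2 tmp       ls -la /tmp

  run_step "$outdir" 3 mounts    cat /proc/mounts

  # Hash every collected file so the evidence set can be verified later.
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$outdir" && sha256sum ./*.txt manifest.tsv > SHA256SUMS)
  fi
}

# Usage: collect_volatile /mnt/evidence/host01  (an external, writable target,
# never the suspect disk). Remote logs, backups and disk images are gathered
# afterwards, since they do not disappear when this host is powered down.
```

The manifest doubles as the collection log for the chain of custody: it shows that tier 1 artifacts were acquired before tier 2 and tier 3, and the timestamps show how long the live system was touched. Writing to an external target matters because writing evidence onto the suspect disk overwrites unallocated space that may still hold deleted attacker files.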