Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?

A security analyst identified one server that was compromised and used as a data making machine, and a few of the hard drive that was created.

Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?
A . System timeline reconstruction
B . System registry extraction
C . Data carving
D . Volatile memory analysts

View Answer

Answer: A

Explanation:

System timeline reconstruction is a forensic analysis technique that involves creating a chronological record of events that occurred on a system based on various sources of evidence such as log files, registry entries, file timestamps, network traffic, etc. System timeline reconstruction can provide information about when and how the machine was compromised and where the malware is located by showing when suspicious activities or changes took place on the system, such as unauthorized access attempts, file creation or modification, process execution, network connections, etc.

Reference: Timeline Analysis – ForensicsWiki