To preserve chain of custody following an internal server compromise, which of the following should be the FIRST step?
A. Take a system image including memory dump
B. Safely shut down the server
C. Replicate the attack using the remaining evidence
D. Trace the attacking route