CISA Certified Information Systems Auditor – Question0463

To preserve chain of custody following an internal server compromise, which of the following should be the FIRST step?

A.
Take a system image including memory dump
B. Safely shut down the server
C. Replicate the attack using the remaining evidence
D. Trace the attacking route

Correct Answer: A