Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?
A. To create custom IPS signatures
B. To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
C. To have a copy of the file for policy enforcement
D. To document and preserve any pieces of evidence associated with the incident
During the Recovery phase of an incident response, it is critical for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or the system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used in potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.