CS0-003 topic 1 question 132

issue is ongoing, making sure it doesnt spread more is the priority over making a copy

This information is directly from CertMaster Topic 8B:
Incident responders must make quick decisions regarding the most effective containment technique when a system is compromised. The course of action depends on several factors:

Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel.
Prevent further damage. This will be the overriding priority after the identification of the compromise.
Identify whether the intrusion is a primary or a secondary attack (part of a more complex campaign).
Avoid alerting the attacker that they have been discovered.
Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system like any crime scene by preventing anyone from further compromising the system or destroying evidence.

Therefore, D would be the most logical answer if we are using this information because it prevents further damage.

READ BEFORE YOU TYPE... Searching for other mail users who may have been affected would be preventing further damage! Have you took the test? Or passed it? Please fix you inner self because it's very unprofessional to be calling people names based off a difference in opinion. God bless!

While searching for other mail users who have received the same file (option D) is important for understanding the attack's propagation and identifying potentially affected systems, it may not be the immediate next step after isolating the affected workstation. Acquiring the forensic image takes precedence to ensure that evidence is properly preserved before further actions are taken.

Both Option C and Option D can be part of a comprehensive incident response plan, but if prioritization is necessary, acquiring a bit-level image is often considered an early and essential step in preserving evidence and understanding the immediate impact on the affected system.

Think in terms of a hospital, whose patient PII has been ransomed. This is now a criminal matter. This device has been ransomwared, this device is now evidence. Ideally someone else on your team is going to alert others to not click on that link or investigate further, but you, with your one task of investigating that device, need to preserve the volatile/ephemeral evidence.

This is incorrect. You're willing to let the entire database of medical records get compromised just to save a piece of evidence? You want to isolate and prevent the spread of malware. Question states it's ongoing, so you can't just ignore all other workstations.

Search for other mail users who have received the same file (D): Since the ransomware came through a phishing email, it's crucial to identify other potential victims as quickly as possible to contain the spread of the attack. This would help in taking immediate remedial actions, like isolating affected machines or warning users not to open the malicious file.

Apologies. After careful analysis of the question, option D is the most logical choice for the proposed scenario.

This is the containment stage and not eradication, in containment you would go and prevent further damage to contain the incident, the isolated computer is already hit with ransomware bit level backup won't make a difference at this point, contain first then move to bit level and forensics to eradicate then wipe clean