A security analyst at a financial services firm receives an alert that a senior trader's workstation has been communicating with a known command-and-control domain. Counsel has indicated that the matter is likely to result in civil litigation against a former employee. The workstation is still powered on and the user is at lunch. What should the analyst do FIRST?
- A. Pull the network cable to contain the threat and then image the disk using a write-blocker before counsel arrives on site.
- B. Notify the incident commander and legal counsel, then acquire volatile data and a forensic image under documented chain of custody following the firm's incident response plan. (Correct)
- C. Log on to the workstation with the trader's account to triage running processes and copy suspicious files to a network share for the forensic team.
- D. Reimage the workstation from the gold build to eradicate the malware and restore productivity, then escalate the indicators of compromise to the threat intelligence team.
Why A is wrong: The containment instinct is reasonable, but unilaterally pulling the cable can trigger malware to wipe artefacts, destroys volatile state (memory, network connections, running processes) needed for litigation, and bypasses the documented incident response and legal hold workflow that counsel must drive.
Why B is correct: The correct manager-led first action is to engage the incident commander and counsel so a legal hold can be invoked, then capture volatile evidence before the disk image, with chain of custody documented throughout, preserving admissibility for the anticipated litigation.
Why C is wrong: Logging in as the user contaminates the evidence by writing new timestamps, swapping memory pages and modifying registry hives, and copying files over SMB strips metadata (such as original timestamps and ownership) that a defensible image would have preserved.
Why D is wrong: Reimaging is an eradication step that must come after evidence preservation; doing it first destroys the disk artefacts and volatile memory that counsel and any subsequent civil action depend on.