Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



In which of the following incident response steps did John accumulate logs and event IDs in the above scenario?

  1. Evidence gathering and forensic analysis

  2. Containment and analysis

  3. Initial response assessment

  4. Resolution and recovery

The correct answer is: Evidence gathering and forensic analysis

The correct answer relates to gathering the information and artifacts needed to understand the incident's impact, how it occurred, and what the attacker may do next. In incident response, the evidence gathering and forensic analysis phase involves collecting logs, event IDs, and other relevant data from the affected systems. These records provide insight into the events surrounding the incident, allowing the responder to reconstruct timelines, identify malicious activity, and determine how the attacker exploited vulnerabilities.

By accumulating logs and event IDs, John collects concrete evidence that supports the analysis of the incident and prepares the ground for further investigation. Careful evidence gathering is also foundational for any legal proceedings or compliance checks that may follow the incident.

To contrast this with the other stages: initial response assessment is about evaluating the situation and determining the scope and impact of the incident rather than focusing on logs; containment and analysis covers actions taken to limit the spread of the incident and to analyze its impact, but does not primarily focus on acquiring evidence; resolution and recovery comes afterwards, focusing on restoring systems to normal operations and ensuring defenses are in place, rather than on gathering evidence.