Which evidence collecting technique would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed?
Correct Answer: D
Live response is an evidence collecting technique that involves analyzing a system while it is still running, without shutting it down or altering it. Live response can be useful when it is believed that an attacker is employing a rootkit and a quick analysis is needed. A rootkit is a type of malicious software that hides itself and other malware from detection and removal by modifying the system's core components, such as the kernel, drivers, or libraries. A rootkit may also erase or alter the evidence of its presence or activities on the system, such as log files, registry entries, or processes. Therefore, live response can help capture the volatile data that may be lost or changed if the system is powered off or rebooted, such as memory contents, network connections, or running processes. Live response can also help identify and isolate the rootkit before it causes more damage or spreads to other systems. References: CISSP All-in-One Exam Guide, Chapter 10: Legal, Regulations, Investigations, and Compliance, Section: Forensics, pp. 1328-1329.