U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Eccouncil 112-57 Exam - Topic 4 Question 9 Discussion

Jennifer, a forensics investigation team member, was inspecting a compromised system. After gathering all the evidence related to the compromised system, she disconnected the system from the network to stop the spread of the incident to other systems.Identify the role played by Jennifer in the forensics investigation.
A) Incident responder
B) Incident analyzer
C) Evidence manager
D) Expert witness

Eccouncil 112-57 Exam - Topic 4 Question 9 Discussion

Actual exam question for Eccouncil's 112-57 exam
Question #: 9
Topic #: 4
[All 112-57 Questions]

Jennifer, a forensics investigation team member, was inspecting a compromised system. After gathering all the evidence related to the compromised system, she disconnected the system from the network to stop the spread of the incident to other systems.

Identify the role played by Jennifer in the forensics investigation.

Show Suggested Answer Hide Answer
Suggested Answer: A

Jennifer's actions match the responsibilities of an incident responder, whose job spans immediate containment, preservation, and stabilization activities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps to preserve evidence (e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then execute containment measures to prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

An incident analyzer typically focuses on deeper technical analysis---timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs---rather than performing immediate containment. An evidence manager is primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. An expert witness provides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer both gathered evidence and then isolated the system to stop spread, the role most consistent with documented DFIR responsibilities is Incident responder (A).


Contribute your Thoughts:

0/2000 characters
Ulysses
19 hours ago
I could see her being an evidence manager too, but the immediate action of disconnecting the system feels more like an incident responder role.
upvoted 0 times
...
Shaun
2 months ago
This reminds me of a practice question where the responder was also the one to contain the incident. I feel like that's what Jennifer is doing here.
upvoted 0 times
...
Thurman
2 months ago
I'm not entirely sure, but I remember something about incident analyzers focusing more on the analysis phase rather than immediate response.
upvoted 0 times
...
Rosendo
2 months ago
I think Jennifer is acting as an incident responder since she disconnected the system to prevent further damage. That seems to fit the role.
upvoted 0 times
...

Save Cancel