Eccouncil 112-57 Exam - Topic 4 Question 9 Discussion

Jennifer's actions match the responsibilities of an incident responder, whose job spans immediate containment, preservation, and stabilization activities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps to preserve evidence (e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then execute containment measures to prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

An incident analyzer typically focuses on deeper technical analysis---timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs---rather than performing immediate containment. An evidence manager is primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. An expert witness provides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer both gathered evidence and then isolated the system to stop spread, the role most consistent with documented DFIR responsibilities is Incident responder (A).