アナリストは、攻撃者がどのようにサーバーを侵害したかを理解する必要があります。次の手順のうち、攻撃者が実行した手順を再構築するために必要な情報を最も適切に提供できるのはどれですか?
正解:B
The correct answer is B. Extract the server's system timeline, verifying hashes and network connections during a certain time frame. A system timeline is a chronological record of the events and activities that occurred on a system, such as file creation, modification, or deletion, process execution, registry changes, or network connections. A system timeline can help an analyst to understand how an attacker compromised a server by showing the sequence of actions and artifacts left by the attacker. An analyst can also verify the hashes of the files and processes involved in the compromise and compare them with known malware signatures or databases. Additionally, an analyst can check the network connections made by the server during the compromise and identify the source and destination IP addresses, ports, and protocols used by the attacker1.