Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?

Why is it important for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system during the Recovery phase?
A . To create custom IPS signatures
B . To test the effectiveness of the current assigned policy settings in the Symantec Endpoint Protection Manager (SEPM)
C . To have a copy of the file for policy enforcement
D . To document and preserve any pieces of evidence associated with the incident

View Answer

Answer: D

Explanation:

During the Recovery phase of an incident response, it is critical for an Incident Responder to copy malicious files to the SEDR file store or create an image of the infected system. This action preserves evidence associated with the incident, allowing for thorough investigation and analysis. By securing a copy of the malicious files or system state, responders maintain a record of the incident that can be analyzed for root cause assessment, used for potential legal proceedings, or retained for post-incident review. Documenting and preserving evidence ensures that key information is available for future reference or audits.