A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?
A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup.
B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan.
C. Format the storage and reinstall both the OS and the data from the most current backup.
D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
Explanation: Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager, or connections established or available that do not appear in a netstat display; the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. Because the compromised system can no longer be trusted to report its own state, the best way to handle this situation is to wipe the server, reinstall the operating system from the original installation media, and then restore the data from your last known good backup. This way you eradicate the rootkit and restore the data.
A new application is installed which adds three new services to a customer's PC. The customer asks for help because the new application will not start. A technician investigates and finds that one of the services has failed to start. They attempt to manually start the service, but it fails. Where should the technician look NEXT for more information? (Select TWO).
A. Task Manager
B. System registry
C. Log files for the new application
D. Event Viewer
E. %SystemDir%\System32\Drivers
The user is having trouble using the mouse. The technician believes a program stopped responding that caused the issue and asks the customer to hold down “Ctrl + Shift + Esc” to verify. Which of the following did the technician launch?
A. Task Manager
B. Control Panel
C. Services
D. MSCONFIG