Ann, a user, reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite having plenty of space recently. Ann claims she has not downloaded anything.
The security team obtains the laptop and begins to investigate, noting the following:
– File access auditing is turned off.
– When clearing up disk space to make the laptop functional, files that appear to be cached web pages are immediately created in a temporary directory, filling up the available drive space.
– All processes running appear to be legitimate processes for this user and machine.
– Network traffic spikes when the space is cleared on the laptop.
– No browser is open.
Which of the following initial actions and tools would provide the BEST approach to determining what is happening?
A. Delete the temporary files, run an Nmap scan, and utilize Burp Suite.
B. Disable the network connection, check Sysinternals Process Explorer, and review netstat output.
C. Perform a hard power down of the laptop, take a dd image, and analyze with FT
E. Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.
Answer: B