[&] What is a core advantage of dead box forensics?
- Isolating active network connections without interruption
- Real-time monitoring of an active system
- Enabling slack space analysis without the risk of alteration -- Correct
- Capturing of volatile artifacts like running processes

[&] Which of the following is a trade-off of using the dead box strategy?
- In-memory artifacts are lost -- Correct
- Evidence is susceptible to alteration
- Continuous system operation is required
- It allows for quicker containment actions

[&] What is the primary focus of live response evidence collection?
- Ensuring minimal disruption to business operations
- Acquiring forensic images for static analysis
- Capturing volatile data while the system is still running -- Correct
- Taking the system offline to prevent data loss

[&] When should live response be used over dead box imaging?
- When the system can be safely powered down
- When examining deleted files is necessary
- When there is ongoing attacker communication -- Correct
- When compliance demands pristine data imaging

[&] In what situation is dead box analysis preferred over live response?
- When volatile data needs to be captured
- When the computer system is providing critical services
- When legal or regulatory requirements mandate unchanged snapshots -- Correct
- When immediate containment of threats is necessary