What should be done after isolating a server where a root kit was used to capture data?

Study for the FedVTE ISSMP Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Taking an image copy of the media is a critical step after isolating a server that has been compromised by a rootkit. Imaging produces a bit-for-bit copy of the storage media, so that all data, including hidden files and other evidence of the compromise, is preserved without alteration. This is essential for forensic analysis because it lets investigators examine the data while the original state of the compromised system remains intact.

The integrity of the evidence is maintained by working on the image rather than on the original server, which could otherwise be tampered with or further damaged. Server isolation prevents further access or contamination, but capturing an image gives investigators the best chance of establishing how the rootkit operated, what data it may have accessed, and which vulnerabilities were exploited.

This step is vital not just for understanding the incident but also for any legal proceedings that may arise, as having an accurate and complete copy of the data will support any investigations and potential prosecutions. The other options, while related to incident response, do not take precedence over the immediate need to secure and preserve evidence.
