Question

An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS.
Which of the following technical approaches would be the MOST feasible way to accomplish this capture?
A. Run the memdump utility with the -k flag.
B. Use a loadable kernel module capture utility, such as LiME.
C. Run dd on /dev/mem.
D. Employ a stand-alone utility, such as FTK Imager.

Solutions

Expert Solution

The correct answer is option (D).

D. Employ a stand-alone utility, such as FTK Imager

REASON:

A will dump all of the kernel memory, but no physical memory.

FTK is also used by professionals in court.

C will dump all of the physical memory, but no kernel memory.
