Which of the following is the BEST command for the technician to run?

As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run?
A. tar cvf - / | ssh 192.168.45.82 "cat - > /images/image.tar"
B. dd if=/dev/mem | scp - 192.168.45.82:/images/image.dd
C. memdump /dev/sda1 | nc 192.168.45.82 3000
D. dd if=/dev/sda | nc 192.168.45.82 3000


6 thoughts on “Which of the following is the BEST command for the technician to run?”

    1. Also notice that this method does not transmit data encrypted. No problem, because the question says that “system drive is very large but does not contain the sensitive data”.

      1. Corona: the tech is not making an image of the system drive, the tech is making an image of the memory. I guess the statement about the system drive is a red herring.

    1. How much benefit would we get with compressing? Who knows, maybe a bunch. Archiving it would reduce the size, but the question also states it does not contain sensitive data. I think that hints at not using a secure protocol such as SSH or SCP to avoid overhead and increase throughput. C would not be a good answer bc a memdump does not copy the system image. I think D, using the dd command with nc makes the most sense.
