Which of the following technical approaches would be the MOST feasible way to accomplish this capture?

An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS.
Which of the following technical approaches would be the MOST feasible way to accomplish this capture?
A. Run the memdump utility with the -k flag.
B. Use a loadable kernel module capture utility, such as LiME.
C. Run dd on /dev/mem.
D. Employ a stand-alone utility, such as FTK Imager.


9 thoughts on “Which of the following technical approaches would be the MOST feasible way to accomplish this capture?”

    1. A: wrong, as -k option would dump kernel memory (/dev/kmem) rather than physical memory
      C: wrong, you used to be able to simply dd /dev/mem back in the day, but no longer for security reasons – since kernel 2.6.

  1. I’ll stick with D…

    Question says comprehensive
    memdump -k flag is kernel memory.
    LiME – most everything I see points toward Android.
    dd might do it, I’m not the Linux guy. I’m just not seeing enough evidence to contradict the given answer. From what I’ve read, FTK Imager is very comprehensive in its capabilities.
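The two replies above disagree on whether dd against /dev/mem is still viable. An incident responder can settle that on the box itself before touching anything: the kernel build option CONFIG_STRICT_DEVMEM (present since the 2.6 series the first reply mentions) is what stops /dev/mem from exposing ordinary RAM pages, and a loadable-module acquisition tool such as LiME is the usual fallback. The script below is an added example, not code from the original thread or from the LiME project; the `devmem_policy` function works on config text passed in as a string so it can be exercised against constructed samples, and the config file paths, the sample config lines and the evidence path `/mnt/evidence/mem.lime` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-acquisition check for
# the "dd /dev/mem" versus "LKM capture (LiME)" decision on a Linux host.

# devmem_policy CONFIG_TEXT
# Reports how the kernel in CONFIG_TEXT treats /dev/mem:
#   restricted   - CONFIG_STRICT_DEVMEM=y, RAM pages are not readable (dd fails)
#   unrestricted - option explicitly off, a raw dd of /dev/mem can work
#   unknown      - option not present in the supplied text
devmem_policy() {
    config_text="$1"
    if printf '%s\n' "$config_text" | grep -q '^CONFIG_STRICT_DEVMEM=y$'; then
        echo restricted
    elif printf '%s\n' "$config_text" \
            | grep -Eq '^(# CONFIG_STRICT_DEVMEM is not set|CONFIG_STRICT_DEVMEM=n)$'; then
        echo unrestricted
    else
        echo unknown
    fi
}

# recommend_method POLICY
# Maps the /dev/mem policy to the acquisition route the responder should plan for.
recommend_method() {
    case "$1" in
        unrestricted) echo "dd if=/dev/mem (option C) is feasible" ;;
        restricted)   echo "use a loadable kernel module capture such as LiME (option B)" ;;
        *)            echo "policy unknown; plan for LiME (option B), verify on the host" ;;
    esac
}

# running_kernel_config
# Prints the live kernel's build config when one of the usual locations is
# readable (assumed paths); prints nothing otherwise.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Constructed sample config fragments (not taken from any real kernel build).
SAMPLE_MODERN_CONFIG='CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y'

SAMPLE_OLD_CONFIG='CONFIG_DEVMEM=y
# CONFIG_STRICT_DEVMEM is not set'

main() {
    for sample in "$SAMPLE_MODERN_CONFIG" "$SAMPLE_OLD_CONFIG"; do
        policy=$(devmem_policy "$sample")
        echo "sample kernel: /dev/mem is $policy -> $(recommend_method "$policy")"
    done

    live=$(running_kernel_config)
    if [ -n "$live" ]; then
        live_policy=$(devmem_policy "$live")
        echo "this host ($(uname -r)): /dev/mem is $live_policy -> $(recommend_method "$live_policy")"
    fi

    # LiME's documented load syntax (path and format are module parameters);
    # printed as a reminder, not executed, since it needs root and a built lime.ko.
    echo 'LiME: insmod lime.ko "path=/mnt/evidence/mem.lime format=lime"'
}

main "$@"
```

Run it unprivileged first; the sample section shows both outcomes, and the live section only appears when a kernel config is readable. Writing the LiME output to separately mounted evidence storage (the assumed `/mnt/evidence`) keeps the capture from overwriting pages on the system disk you may later need to image.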
