312-49 Question #288: Real Exam Question with Answer & Explanation
The correct answer is A: Use Vmware to be able to capture the data in memory and examine it.
Question
Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off, they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?
Options
- A. Use Vmware to be able to capture the data in memory and examine it
- B. Give the Operating System a minimal amount of memory, forcing it to use a swap file
- C. Create a separate partition of several hundred megabytes and place the swap file there
- D. Use intrusion forensic techniques to study memory resident infections
Explanation
Both approaches address the problem of preserving memory-resident data in a controlled lab setting. Option A (VMware/virtualization): running the suspect system as a virtual machine allows an analyst to take a full memory snapshot or suspend the VM, capturing the entire RAM state to disk without powering off. This directly preserves volatile memory, including any memory-resident malware. Options B and C (minimal RAM with a separate swap partition): by giving the OS minimal RAM, the system is forced to use virtual memory (a swap/page file). Memory-resident code and data are then paged out to disk in the dedicated swap partition, leaving a recoverable artifact even if the system is later shut down. Together, these two methods provide the most practical lab-based approaches to capturing volatile content that would otherwise disappear on power loss. Because a suspended or snapshotted VM preserves the whole of RAM, whereas a swap file only holds the pages the OS happened to page out, option A is the most appropriate choice.