
GCIH Question #334: Real Exam Question with Answer & Explanation

The correct answer is D: Packet captures from a sensor at the network border.

Question

A host has been compromised with a rootkit through Internet activity. The analyst wishes to reconstruct the binary file used to infect the host. Which of the following sources of evidence is MOST likely to produce the binary?

Options

  • A. Filesystem journal entries from the compromised host
  • B. Alert logs from an intrusion detection device
  • C. A memory image from a proxy server on the network
  • D. Packet captures from a sensor at the network border

Explanation

Since the host was infected over the network, packet captures are the most likely location to find the original binary. Alert logs and filesystem journals will retain metadata and not the actual

