GCIH Question #385: Real Exam Question with Answer & Explanation
The correct answer is A: Analyzing volatile evidence. The shown command starts the Rekall interpreter and invokes a memory image for analysis.
Incident Response & Cyber Kill Chain
Question
Observe the following command; what is the analyst doing?
$ rekal -f /cases/20160726_39/RAM/memimage.dd
Options
- A. Analyzing volatile evidence
- B. Capturing a memory image
- C. Verifying the integrity of an image
- D. Creating a hash of original evidence
Explanation
The shown command starts the Rekall interpreter and loads a memory image (the -f option names the image file) for analysis, which is analysis of volatile evidence rather than acquisition or hashing.
Topics
memory forensics, Rekall, volatile evidence, memory analysis