GCIH · Question #702
Which of the following Volatility commands will display the date and time an image was collected?
The correct answer is B. python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo. The Volatility 'imageinfo' plugin reads memory image metadata and reports the date and time the image was acquired along with suggested OS profiles.
Question
Which of the following Volatility commands will display the date and time an image was collected?
Options
- Apython vol.py -f Win2k12x64.vmsn --profile=Win2012R2x64 --kdbg=0xf800f17dd9b0 timeliner --
- Bpython vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
- Cpython vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K
- Dpython vol.py -f win7.vmem --profile=Win7SP0x86 userassist
How the community answered
(36 responses)- A8% (3)
- B89% (32)
- C3% (1)
Why each option
The Volatility 'imageinfo' plugin reads memory image metadata and reports the date and time the image was acquired along with suggested OS profiles.
The 'timeliner' plugin builds a chronological timeline of artifacts found within a memory image, not a report of when the image itself was captured.
Running 'python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo' invokes the imageinfo plugin, which scans the memory image header and kernel structures to report the image acquisition timestamp, recommended profiles, KDBG address, and DTB values - making it the correct command for determining when the image was collected.
The 'printkey' plugin with the '-K' flag extracts Windows registry key contents from memory, which is unrelated to image acquisition timestamps.
The 'userassist' plugin parses the Windows UserAssist registry entries to show application execution history, not memory image collection metadata.
Concept tested: Volatility imageinfo plugin for memory acquisition metadata
Source: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo
Topics
Community Discussion
No community discussion yet for this question.