
GCIH · Question #702

GCIH Question #702: Real Exam Question with Answer & Explanation

The correct answer is B: python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo. The 'imageinfo' plugin is the profile-identification step in Volatility 2, and its summary includes the "Image date and time" and "Image local date and time" fields, which record the system clock as it stood when the image was collected.

Incident Response & Cyber Kill Chain

Question

Which of the following Volatility commands will display the date and time an image was collected?

Options

  • A. python vol.py -f Win2k12x64.vmsn --profile=Win2012R2x64 --kdbg=0xf800f17dd9b0 timeliner --
  • B. python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
  • C. python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K
  • D. python vol.py -f win7.vmem --profile=Win7SP0x86 userassist

Explanation

The Volatility 2 'imageinfo' plugin scans the image for the kernel debugger block (KDBG) and directory table base (DTB) and prints a summary of what it found: suggested OS profiles, the address-space layers, the KDBG, DTB and KUSER_SHARED_DATA addresses, the number of processors, and the "Image date and time" and "Image local date and time" values. Those two timestamps are read from the SystemTime field of KUSER_SHARED_DATA, so they reflect the target's own clock at the moment of acquisition (verify them against the acquisition log, since a skewed guest clock is recorded as-is). Because imageinfo is what determines the profile, it is run without --profile; the profile it suggests is then passed as --profile= to every later plugin, as options C and D illustrate. Volatility 3 has no imageinfo plugin; its windows.info plugin reports the equivalent SystemTime.

Common mistakes.

  • A. The 'timeliner' plugin builds a chronological timeline of artifacts found within a memory image, not a report of when the image itself was captured.
  • C. The 'printkey' plugin with the '-K' flag extracts Windows registry key contents from memory, which is unrelated to image acquisition timestamps.
  • D. The 'userassist' plugin parses the Windows UserAssist registry entries to show application execution history, not memory image collection metadata.
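The triage workflow the explanation describes (run imageinfo first, take the suggested profile and acquisition time from its report, then run profile-dependent plugins) is easy to script. The shell below is an added example and not code from the page or from the Volatility project. The imageinfo report it parses is a constructed sample laid out in the shape the plugin prints; the addresses and times in it are made up, and the vol.py invocation it builds is only printed, not executed.

```shell
#!/bin/sh
# Added example: parse a Volatility 2 imageinfo report and chain the result
# into a follow-on command. Not part of Volatility; the sample text is constructed.

# Constructed sample of imageinfo output (values are invented for illustration).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/analyst/win7_trial_64bit.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002803070L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002804d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-02-22 11:26:12 UTC+0000
     Image local date and time : 2012-02-22 03:26:12 -0800'

# imageinfo_field LABEL: read an imageinfo report on stdin and print the value
# that follows "LABEL :". The label is anchored at line start (after padding),
# so "Image date and time" does not match "Image local date and time".
imageinfo_field() {
    sed -n "s/^ *$1 *: *//p" | head -n 1
}

# first_profile REPORT: the first entry of "Suggested Profile(s)", which is the
# value you would pass as --profile= to later plugins.
first_profile() {
    printf '%s\n' "$1" | imageinfo_field 'Suggested Profile(s)' | cut -d, -f1 | tr -d ' '
}

# image_utc_time REPORT: the UTC acquisition timestamp (from KUSER_SHARED_DATA
# SystemTime, i.e. the target's clock when the image was taken).
image_utc_time() {
    printf '%s\n' "$1" | imageinfo_field 'Image date and time'
}

# follow_on_cmd IMAGE PROFILE PLUGIN: build (but do not run) the next vol.py
# command line, with the profile imageinfo suggested.
follow_on_cmd() {
    printf 'python vol.py -f %s --profile=%s %s\n' "$1" "$2" "$3"
}

PROFILE=$(first_profile "$SAMPLE_IMAGEINFO")
ACQUIRED=$(image_utc_time "$SAMPLE_IMAGEINFO")
echo "profile=$PROFILE acquired_utc=$ACQUIRED"
# Next step an analyst would run by hand, now with the profile filled in:
follow_on_cmd ~/Desktop/win7_trial_64bit.raw "$PROFILE" pslist
```

In practice replace SAMPLE_IMAGEINFO with the captured output of `python vol.py -f <image> imageinfo`; the parsing is the same. Note the timestamp is taken from the guest's clock, so compare it with the time your acquisition tool logged before using it to bound a timeline.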

Concept tested. Volatility imageinfo plugin for memory acquisition metadata

Reference. https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo

Topics

#Volatility #memory forensics #imageinfo #digital forensics
