nerdexam
GIAC

GCIH · Question #702

Which of the following Volatility commands will display the date and time an image was collected?

The correct answer is B. python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo. The Volatility 'imageinfo' plugin reads memory image metadata and reports the date and time the image was acquired along with suggested OS profiles.

Incident Response & Cyber Kill Chain

Question

Which of the following Volatility commands will display the date and time an image was collected?

Options

  • Apython vol.py -f Win2k12x64.vmsn --profile=Win2012R2x64 --kdbg=0xf800f17dd9b0 timeliner --
  • Bpython vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
  • Cpython vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K
  • Dpython vol.py -f win7.vmem --profile=Win7SP0x86 userassist

How the community answered

(36 responses)
  • A
    8% (3)
  • B
    89% (32)
  • C
    3% (1)

Why each option

The Volatility 'imageinfo' plugin reads memory image metadata and reports the date and time the image was acquired along with suggested OS profiles.

Apython vol.py -f Win2k12x64.vmsn --profile=Win2012R2x64 --kdbg=0xf800f17dd9b0 timeliner --

The 'timeliner' plugin builds a chronological timeline of artifacts found within a memory image, not a report of when the image itself was captured.

Bpython vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfoCorrect

Running 'python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo' invokes the imageinfo plugin, which scans the memory image header and kernel structures to report the image acquisition timestamp, recommended profiles, KDBG address, and DTB values - making it the correct command for determining when the image was collected.

Cpython vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K

The 'printkey' plugin with the '-K' flag extracts Windows registry key contents from memory, which is unrelated to image acquisition timestamps.

Dpython vol.py -f win7.vmem --profile=Win7SP0x86 userassist

The 'userassist' plugin parses the Windows UserAssist registry entries to show application execution history, not memory image collection metadata.

Concept tested: Volatility imageinfo plugin for memory acquisition metadata

Source: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo

Topics

#Volatility#memory forensics#imageinfo#digital forensics

Community Discussion

No community discussion yet for this question.

Full GCIH Practice