
GCIH · Question #776

GCIH Question #776: Real Exam Question with Answer & Explanation

The correct answer is A: netscan. The Volatility netscan plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.

Question

Which Volatility plugin shows information about listening and closed sockets?

Options

  • A. netscan
  • B. dlllist
  • C. pslist
  • D. psscan

Explanation

The Volatility netscan plugin scans memory for network socket and connection artifacts, including sockets in listening and closed states.

Common mistakes.

  • B. dlllist enumerates the loaded DLL modules for each process and has no network or socket analysis capability.
  • C. pslist walks the doubly-linked EPROCESS list to enumerate active processes and does not expose network socket data.
  • D. psscan scans memory for EPROCESS pool tags to detect hidden or terminated processes, not network connections or sockets.

Concept tested. Volatility memory forensics network socket analysis

Reference. https://volatility3.readthedocs.io/en/stable/volatility3.plugins.windows.netscan.html
