A digital forensics team at a large company is investigating a case in which malicious code was downloaded over an HTTPS connection and was running in memory, but was never committed to disk. Which of the following techniques should the team use to obtain a sample of the malware binary?
Correct Answer: C. Image volatile memory
Since the malicious code is running in memory and was never committed to disk, imaging volatile memory (RAM) is the best technique to capture the malware binary. Memory forensics allows the team to extract active processes, including code executed directly in memory, for analysis. This method ensures that the malware sample can be obtained even if it has no disk presence.
Explanation for Incorrect Options:
pcap reassembly
Packet capture (pcap) reassembly involves analyzing network traffic to reconstruct files or data transmitted over the network. While it might reveal how the malware was downloaded, it won't provide the in-memory binary directly.
SSD snapshot
An SSD snapshot captures the contents of a storage drive, which is not useful in this case since the malware was never written to disk.
Extract from checksums
Checksums are used to verify data integrity and do not provide a means to capture or analyze a malware binary, especially one running in memory.
No Payment Cards Needed
Normally $69
$45/month
Discover a range of courses designed to provide you with the knowledge and skills needed to excel in your chosen field.
You don’t need one month to study and pass your test.
With Prepsaret, it takes you a few days to grasp all the concepts needed to pass your exams