CompTIA CASP+ (CAS-003) — Question 117
An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS.
Which of the following technical approaches would be the MOST feasible way to accomplish this capture?
Answer options
- A. Run the memdump utility with the -k flag.
- B. Use a loadable kernel module capture utility, such as LiME.
- C. Run dd on /dev/mem.
- D. Employ a stand-alone utility, such as FTK Imager.
Correct answer: D
Explanation
The correct answer is D because FTK Imager is designed to capture memory from various operating systems, including the latest Linux versions, while maintaining data integrity. The other options either do not support recent Linux kernels effectively or may not capture memory comprehensively, making them less reliable for forensic purposes.