CompTIA CASP+ (CAS-003) — Question 198

As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run?

Answer options

• A. tar cvf - / | ssh 192.168.45.82 ג€cat - > /images/image.tarג€
• B. dd if=/dev/mem | scp - 192.168.45.82:/images/image.dd
• C. memdump /dev/sda1 | nc 192.168.45.82 3000
• D. dd if=/dev/sda | nc 192.168.45.82 3000

Correct answer: D

Explanation

The correct answer is D because using 'dd if=/dev/sda | nc 192.168.45.82 3000' effectively creates an image of the entire drive without the need for additional processing or filtering, which is ideal given the time constraints. Options A and B are not suitable because they either involve unnecessary complexity or target the wrong data source. Option C is incorrect as it targets a specific partition, which may not include all relevant data from the compromised system.