CompTIA Security+ (SY0-601) — Question 344
A digital forensics team at a large company is investigating a case in which malicious code was downloaded over an HTTPS connection and was running in memory, but was never committed to disk. Which of the following techniques should the team use to obtain a sample of the malware binary?
Answer options
- A. pcap reassembly
- B. SSD snapshot
- C. Image volatile memory
- D. Extract from checksums
Correct answer: C
Explanation
The correct answer is C: imaging volatile memory captures the malware while it is still running in RAM, which is the only place it exists since it was never written to disk. Options A and B are not suitable because they pertain to network traffic analysis and disk imaging, respectively, and neither covers code that exists only in memory. Option D involves checksums, which identify a file but do not provide the actual malware binary.