Computer Hacking Forensic Investigator (CHFI v10) — Question 291
A Computer Hacking Forensic Investigator is acquiring volatile data from a Linux-based suspect machine that they cannot physically access. They need to obtain a dump of the system's RAM remotely. Which of the following sequences of commands and tools should be utilized for a forensically sound extraction?
Answer options
- A. On the forensic workstation: insmod lime-.ko "path= format=lime"; on the suspect machine: nc : > filename.mem
- B. On the suspect machine: insmod lime-.ko "path=tcp: format=lime"; on the forensic workstation: nc : > filename.mem
- C. On the forensic workstation: nc -l > filename.dd; on the suspect machine: dd if=/dev/fmem bs=1024 | nc
- D. On the suspect machine: dd if=/dev/fmem of= bs=1MB; on the forensic workstation: nc -l > filename.dd
Correct answer: B
Explanation
The correct answer is B. LiME (Linux Memory Extractor) is a loadable kernel module, so it must be inserted with insmod on the suspect machine, the system whose RAM is being captured. With path=tcp:<port> the module opens a listening TCP socket on the suspect and streams the capture over it, and format=lime writes each physical memory range with a small LiME header so the image can be loaded directly by tools such as Volatility. The investigator then connects from the forensic workstation with nc <suspect-ip> <port> and redirects the stream to a file, which keeps the dump off the suspect's disk and minimises changes to the evidence. Option A loads the module on the wrong host: the workstation's RAM is not the evidence. Options C and D read /dev/fmem, which does not exist on a stock Linux kernel (it requires a separate, older fmem module) and, on modern kernels, direct access to physical memory through /dev/mem is restricted anyway; D additionally writes the image to a local file with of= instead of sending it over the network, so the nc listener on the workstation would receive nothing. Whichever path is used, the received file should be hashed immediately on the workstation and the hash recorded in the chain-of-custody notes.
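Once the stream from option B has been redirected into filename.mem, the receiving side should confirm it is a complete, well-formed LiME image before anything is analysed. The following Python is an added example, not part of the original question or the LiME project; it builds a small constructed two-segment image in the same layout LiME uses for format=lime (a 32-byte little-endian header per physical memory range: magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes), walks the headers, checks that no segment runs past the end of the file (the usual symptom of an interrupted transfer), and returns the SHA-256 to record in the chain-of-custody log. The sample addresses and payload contents are constructed for illustration.

```python
import hashlib
import struct

# LiME per-segment header, little-endian, 32 bytes:
#   uint32 magic   = 0x4C694D45 ("EMiL" as stored on disk)
#   uint32 version = 1
#   uint64 s_addr  = first physical address of the range
#   uint64 e_addr  = last physical address of the range (inclusive)
#   uint8  reserved[8]
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")


def build_lime_image(ranges):
    """Constructed sample: serialise (start_addr, payload) pairs the way
    LiME's format=lime does, one header followed by each range's bytes."""
    out = bytearray()
    for start, payload in ranges:
        end = start + len(payload) - 1          # e_addr is inclusive
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\x00" * 8)
        out += payload
    return bytes(out)


def parse_lime_image(data):
    """Walk the image and return [(s_addr, e_addr, payload_offset), ...].
    Raises ValueError if a header is bad or a segment is cut short."""
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}: not a LiME image")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"segment at offset {off} has e_addr < s_addr")
        size = e_addr - s_addr + 1
        off += HEADER.size
        if off + size > len(data):
            # The most common failure: the nc transfer was interrupted,
            # so the last segment is shorter than its header promises.
            raise ValueError(
                f"segment {s_addr:#x}-{e_addr:#x} runs past end of file "
                f"(expected {size} bytes, have {len(data) - off}); transfer incomplete?"
            )
        segments.append((s_addr, e_addr, off))
        off += size
    return segments


def verify_dump(data):
    """Validate the image and return the facts worth writing into the
    acquisition log: segment count, bytes of RAM captured, SHA-256."""
    segments = parse_lime_image(data)
    total = sum(e - s + 1 for s, e, _ in segments)
    return {
        "segments": len(segments),
        "bytes_of_ram": total,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_well_formed(data):
    """True if verify_dump accepts the image, False otherwise."""
    try:
        verify_dump(data)
        return True
    except ValueError:
        return False


# Constructed sample image: two physical ranges, mirroring the gap that
# real machines have between low memory and the range above 1 MiB.
SAMPLE_RANGES = [
    (0x1000, bytes(range(256)) * 16),          # 4096 bytes at 0x1000
    (0x100000, b"\xAB" * 8192),                # 8192 bytes at 0x100000
]
SAMPLE_IMAGE = build_lime_image(SAMPLE_RANGES)

if __name__ == "__main__":
    print(verify_dump(SAMPLE_IMAGE))
    print("truncated copy accepted:", is_well_formed(SAMPLE_IMAGE[:-1]))
```

In practice you would run verify_dump over the received filename.mem and store the returned hash alongside the acquisition time, the suspect host's identity and the exact commands used; a truncated or non-LiME file is rejected here rather than silently loaded into an analysis tool.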