Computer Hacking Forensic Investigator (CHFI v10) — Question 404
An investigator needs to acquire volatile data from a live Linux system, but physical access to the suspect machine is restricted or unavailable. Which of the following steps is the most suitable approach to perform this task?
Answer options
- A. The investigator should use the Belkasoft Live RAM Capturer on the forensic workstation, then remotely execute the tool on the suspect machine to acquire the RAM image
- B. The investigator should initiate a listening session on the forensic workstation using 'netcat', then execute a 'dd' command on the suspect machine and pipe the output using 'netcat'
- C. The investigator should leverage OSXPMem to remotely parse the physical memory in the Linux machine and create AFF4 format images for analysis
- D. The investigator should employ the LiME tool and 'netcat', starting a listening session using tcp:port on the suspect machine and then establishing a connection from the forensic workstation using 'netcat'
Correct answer: D
Explanation
The correct answer is D because LiME is specifically designed for acquiring memory from Linux systems and can work in conjunction with 'netcat' to transfer the data over the network. Option A is incorrect as Belkasoft Live RAM Capturer requires local execution. Option B is not suitable because while 'netcat' can be used, 'dd' does not capture volatile memory directly. Option C is incorrect since OSXPMem is not designed for Linux systems.