Computer Hacking Forensic Investigator (CHFI v10) — Question 432
During a computer hacking forensic investigation, an investigator is tasked with acquiring volatile data from a live Linux system with limited physical access. Which methodology would be the most suitable for this scenario?
Answer options
- A. Using Belkasoft Live RAM Capturer to extract the entire contents of the computer’s volatile memory
- B. Performing remote acquisition of volatile data from a Linux machine using dd and netcat
- C. Using the fmem module and dd command locally to access the RAM and acquire its content directly
- D. Performing local acquisition of RAM using the LiME tool
Correct answer: B
Explanation
Option B is correct because it enables remote acquisition of volatile data, which is essential given the limited physical access to the machine. Option A is incorrect because Belkasoft Live RAM Capturer is not designed for remote acquisition. Option C is not suitable because it requires local access, which the limited physical access rules out. Option D likewise requires local access and is therefore not applicable in this scenario.