GIAC Certified Incident Handler (GCIH) — Question 11

Which of the following Volatility commands will display the date and time an image was collected?

Answer options

• A. python vol.py -f Win2k12x64.vmsn --profile=Win2012R2x64 --kdbg=0xf800f17dd9b0 timeliner --type=_CMHIVE
• B. python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
• C. python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K "Microsoft\Security Center\Svc"
• D. python vol.py -f win7.vmem --profile=Win7SP0x86 userassist

Correct answer: A

Explanation

The correct answer, A, uses the 'timeliner' command to retrieve the date and time an image was collected based on the specified profile and KDBG. The other options focus on different functionalities like retrieving image information, printing registry keys, or user assist data, which do not provide the collection timestamp.