GIAC Certified Incident Handler (GCIH) — Question 31
An investigator performing an initial analysis of a memory image identified a suspicious URL while using the strings utility. A second investigator attempting to recreate the results cannot find the same URL when executing the command below. What could be the cause?
$ strings CASE-43110.mem > case-43110.strings.txt
Answer options
- A. The memory image is password protected
- B. The memory image is compressed
- C. The URL is in ASCII format
- D. The URL is in little endian format
Correct answer: C
Explanation
The correct answer is C because the strings utility is designed to extract readable strings from binary files, and if the URL is encoded in ASCII, it will be found. The other options do not apply: a password-protected or compressed image may not entirely prevent extraction of the URL, and little endian format refers to byte order rather than string encoding.