Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam CISSP topic 1 question 231 discussion

Actual exam question from ISC's CISSP
Question #: 231
Topic #: 1
[All CISSP Questions]

Which evidence collecting technique would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed?

  • A. Forensic disk imaging
  • B. Live response
  • C. Memory collection
  • D. Malware analysis
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
50e940e
6 days, 21 hours ago
Selected Answer: C
One very critical point, live response can't ensure data integrity. No matter how fast it is, it may not good for analysis
upvoted 1 times
...
MP26
2 months, 2 weeks ago
When speed is the most important than C. B is more comprehensive so takes more time.
upvoted 1 times
...
Vasyamba1
3 months, 2 weeks ago
Selected Answer: C
Sure, Live response is good, but it is not an evidence collecting technique, such as media analysis, in-memory analysis, network analysis, software analysis, hardware/embedded device analysis.
upvoted 1 times
...
homeysl
3 months, 3 weeks ago
Selected Answer: B
Live response is faster and used that plenty of times in EDR. Also used that to dump memory, etc.
upvoted 1 times
...
gjimenezf
5 months, 2 weeks ago
Selected Answer: B
It is asking for a quick analysis, Memory dump is for later analysis, Live response will be for quick analysis
upvoted 3 times
...
YesPlease
6 months, 3 weeks ago
Selected Answer: C
Answer C) Memory Collection This is the fastest to implement compared Live Response.
upvoted 1 times
...
CoolCat22
6 months, 3 weeks ago
Selected Answer: B
bbbbbbb
upvoted 1 times
...
[Removed]
7 months, 1 week ago
Selected Answer: B
It's a challenging problem. When I asked ChatGPT, I received the following response: "Live Response: Live response involves collecting data from the running system. This includes information from memory and running processes. It is useful in situations where a quick response is needed or when stopping the system is not allowed. Memory Collection: Memory collection retrieves information from the system's memory. It is effective in detecting the behavior and presence of rootkits, as they often affect memory. However, it may take more time than live response when an immediate response is required." With this information, I've decided to go with option B.
upvoted 2 times
...
HappyDay030303
8 months ago
Selected Answer: B
"..quick analysis is needed" Live Response offers the best options for quick analysis. Memory Collection offers the best options for longer, in-depth analysis https://ceur-ws.org/Vol-3094/paper_12.pdf
upvoted 1 times
...
74gjd_37
9 months, 2 weeks ago
Selected Answer: B
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide "Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats." Live response is a critical technique in incident response, as it helps identify and contain the threat before it causes further damage. It involves collecting volatile data from a live system in real-time, which can include running processes, network connections, and open files. Live response is often used when time is of the essence and a quick analysis is needed to determine if a system has been compromised.
upvoted 2 times
...
Demo25
11 months, 2 weeks ago
Selected Answer: B
The answer is B. Live response. Live response is a technique used to collect evidence from a live system. This is useful when it is believed that an attacker is employing a rootkit, as rootkits can often hide from forensic disk imaging and memory collection. Live response tools can be used to collect volatile data from memory, as well as to run commands on the system to gather additional information
upvoted 3 times
Mike4649
11 months ago
Agree with B
upvoted 1 times
...
...
DJOEK
1 year, 5 months ago
Selected Answer: C
C. Memory collection is the technique that would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed. A rootkit is a type of malware that hides the presence of malicious files and processes on a computer by modifying the operating system's kernel, system call table, or other critical areas. Memory collection, also known as volatile data collection, involves capturing and preserving the data stored in a computer's memory (RAM) in its current state. This can provide valuable information about the system's state and any malicious processes that are running in memory. This technique is often used in conjunction with live response, which allows an investigator to collect data from a system without shutting it down.
upvoted 4 times
jackdryan
1 year, 1 month ago
C is correct
upvoted 2 times
...
...
rajkamal0
1 year, 6 months ago
Selected Answer: C
C is the correct answer. Reference: https://www.veracode.com/security/rootkit
upvoted 2 times
...
rdy4u
1 year, 8 months ago
Selected Answer: C
Memory dumps contain static snapshots of the computer’s volatile memory (RAM). It is possible to create a memory dump for a single process, system kernel or the entire system. By analyzing memory dumps, examiners can ensure clean working environment and no active resistance from the rootkit. Techniques used in memory dump analysis can be also deployed on a live system, with restrictions. https://www.forensicfocus.com/articles/understanding-rootkits/
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
ex Want to SAVE BIG on Certification Exam Prep?
close
ex Unlock All Exams with ExamTopics Pro 75% Off
  • arrow Choose From 1000+ Exams
  • arrow Access to 10 Exams per Month
  • arrow PDF Format Available
  • arrow Inline Discussions
  • arrow No Captcha/Robot Checks
Limited Time Offer
Ends in