Sure, live response is good, but it is not an evidence-collecting technique like media analysis, in-memory analysis, network analysis, software analysis, or hardware/embedded device analysis.
It's a challenging problem. When I asked ChatGPT, I received the following response:
"Live Response: Live response involves collecting data from the running system. This includes information from memory and running processes. It is useful in situations where a quick response is needed or when stopping the system is not allowed.
Memory Collection: Memory collection retrieves information from the system's memory. It is effective in detecting the behavior and presence of rootkits, as they often affect memory. However, it may take more time than live response when an immediate response is required."
With this information, I've decided to go with option B.
"..quick analysis is needed"
Live Response offers the best options for quick analysis.
Memory Collection offers the best options for longer, in-depth analysis
https://ceur-ws.org/Vol-3094/paper_12.pdf
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
"Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.
Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats."
Live response is a critical technique in incident response, as it helps identify and contain the threat before it causes further damage. It involves collecting volatile data from a live system in real-time, which can include running processes, network connections, and open files. Live response is often used when time is of the essence and a quick analysis is needed to determine if a system has been compromised.
The answer is B. Live response.
Live response is a technique used to collect evidence from a live system. This is useful when it is believed that an attacker is employing a rootkit, as rootkits can often hide from forensic disk imaging and memory collection. Live response tools can be used to collect volatile data from memory, as well as to run commands on the system to gather additional information.
C. Memory collection is the technique that would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed. A rootkit is a type of malware that hides the presence of malicious files and processes on a computer by modifying the operating system's kernel, system call table, or other critical areas. Memory collection, also known as volatile data collection, involves capturing and preserving the data stored in a computer's memory (RAM) in its current state. This can provide valuable information about the system's state and any malicious processes that are running in memory. This technique is often used in conjunction with live response, which allows an investigator to collect data from a system without shutting it down.
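As an added example, not taken from any of the comments above, here is a small Linux live-response snapshot in Python: it grabs the volatile data the thread describes (running processes, TCP connections) and compares the PIDs visible in /proc against the output of ps, the discrepancy a process-hiding rootkit typically leaves. The /proc/net/tcp excerpt embedded for the parser is constructed.

```python
"""Linux live-response snapshot (added example). Collects volatile data and
flags PIDs present in /proc but absent from ps, a process-hiding rootkit hint."""
import os
import subprocess
from socket import inet_ntoa
from struct import pack

TCP_STATES = {"0A": "LISTEN", "01": "ESTABLISHED", "06": "TIME_WAIT"}

# Constructed /proc/net/tcp excerpt: a listener on 127.0.0.1:22 and an
# outbound HTTPS session 10.0.2.15:46530 -> 34.216.184.93:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0
   1: 0F02000A:B5C2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 1000
"""

def _hex_addr(field):
    """'0100007F:0016' -> '127.0.0.1:22'. The kernel prints the IPv4 address
    as a 32-bit integer in host byte order, so on x86 the octets read reversed."""
    ip_hex, port_hex = field.split(":")
    return f"{inet_ntoa(pack('=I', int(ip_hex, 16)))}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local, remote, state) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 4:
            rows.append((_hex_addr(fields[1]), _hex_addr(fields[2]),
                         TCP_STATES.get(fields[3], fields[3])))
    return rows

def hidden_pids(proc_pids, ps_pids):
    """PIDs enumerated directly from /proc that ps did not report."""
    return sorted(set(proc_pids) - set(ps_pids))

def snapshot():
    """Collect live volatile data from this host (Linux only)."""
    proc_pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
    # A process that exited between the two listings is not hidden: re-check.
    hidden = [p for p in hidden_pids(proc_pids, map(int, ps.stdout.split()))
              if os.path.exists(f"/proc/{p}")]
    with open("/proc/net/tcp") as f:
        conns = parse_proc_net_tcp(f.read())
    return {"process_count": len(proc_pids), "hidden_pids": hidden,
            "listening": [c for c in conns if c[2] == "LISTEN"]}
```

Run `snapshot()` on a live Linux host; a non-empty `hidden_pids` list after the re-check is worth a memory capture for deeper analysis, which is the hand-off the comments above describe.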
Memory dumps contain static snapshots of the computer's volatile memory (RAM). It is possible to create a memory dump for a single process, the system kernel, or the entire system. By analyzing memory dumps, examiners can ensure a clean working environment and no active resistance from the rootkit. Techniques used in memory dump analysis can also be deployed on a live system, with restrictions.
https://www.forensicfocus.com/articles/understanding-rootkits/