- (Exam Topic 1)
Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

1. A. Use VMware to be able to capture the data in memory and examine it
2. B. Give the Operating System a minimal amount of memory, forcing it to use a swap file
3. C. Create a Separate partition of several hundred megabytes and place the swap file there
4. D. Use intrusion forensic techniques to study memory resident infections

Correct Answer: C

- (Exam Topic 2)
When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?

1. A. All virtual memory will be deleted
2. B. The wrong partition may be set to active
3. C. This action can corrupt the disk
4. D. The computer will be set in a constant reboot state

Correct Answer: C

- (Exam Topic 2)
What type of flash memory card comes in either Type I or Type II and consumes only five percent of the power required by small hard drives?

1. A. SD memory
2. B. CF memory
3. C. MMC memory
4. D. SM memory

Correct Answer: B

- (Exam Topic 4)
An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected Instance to perform further analysis and collected other data of evidentiary value. What should be their next step?

1. A. They should pause the running instance
2. B. They should keep the instance running as it stores critical data
3. C. They should terminate all instances connected via the same VPC
4. D. They should terminate the instance after taking necessary backup

Correct Answer: D

- (Exam Topic 3)
Which of these rootkit detection techniques function by comparing a snapshot of the file system, boot records, or memory with a known and trusted baseline?

1. A. Signature-Based Detection
2. B. Integrity-Based Detection
3. C. Cross View-Based Detection
4. D. Heuristic/Behavior-Based Detection

Correct Answer: B