Exam CAS-003 topic 1 question 289 discussion

its lime no question about it

Linux Memory Dump Method 1: Lime kernel module git clone https://github.com/504ensicsLabs/LiME.git cd Lime/src make cd ~ sudo insmod ./LiME/src/lime.ko “path=<output of dump> format=lime [dio=0|1]” path the output file for the memory dump format is the type of dump raw – concatenates all System RAM ranges padded – pads all non-System RAM ranges with 0s lime – each range prepended with fixed-size header containing address space info dio 0 – default, do not attempt Direct IO 1 – attempt to enable Direct IO

Tough question. It cannot be A or C A will dump all of the Kernel memory, but no physical memory C will dump all the physical memory, but no kernel memory It would appear there is no single kernel-native command for a 100% memory dump (why would there be?) B actually looks VERY promising https://tunnelix.com/linux-memory-analysis-with-lime-and-volatility/ D is a maybe, FTK looks HEAVILY oriented toward Windows and everything I can google about it says to create a boot disk with Kali and then boot from that--this would not be effective to capture sketchy volatile memory. Honestly, I think it could be B or D, so flip a coin. Personally, I'd choose B.

I don't think that FTK captures volatile memory. Maybe: C. Run dd on/dev/mem? This will work. For example: dd if=/dev/mem of=/home/mem.dump bs=1024 count=1k skip=3584k Or Maybe: A. Run the memdump utility with the -k flag I think memdump will work, I don't know if you want to use the -k flag. Or Maybe: B. Use a loadable kernel module capture utility, such as LiME But if LiME is not already installed, could installing LiME corrupt what is in memory?