Exam CS0-002 topic 1 question 80 discussion

My Answer is A They are asking "provide information about when and how", How does Volatile Memory Analysis Will help here, Cause it only gives us information about how malware works it can't say when or how. On the other hand, TIMELINE RECONSTRUCTION gives us How was access to the system obtained? What tools have been installed? What changes to system files or applications have been made? What data has been retrieved? Is there evidence data was exfiltrated over the network or via attached storage?

A. A timeline will show the sequence of file system events within a source image and give you the ability to create a graphical representation of the events.

Timeline Generation and Analysis When you have secured a copy of a forensic image, validated from the source by a cryptographic hash, you can start to analyze the information you have captured. The visual representation of events happening in chronological order is called a timeline, and it can be a powerful tool in your forensics toolkit. Being able to analyze a timeline will give you a holistic perspective of the incident that wouldn't otherwise be possible. For example, you can list files you find in a computer's web browser cache by their file name, date/time created, date/time last accessed, and date/time last modified. Comptia Cysa+ Course Material

herefore, option A is the correct answer. System timeline reconstruction is the process of analyzing system logs, file system metadata, and other sources of information to create a timeline of events that occurred on the compromised machine. By reconstructing the timeline of events, the security analyst can identify the point of compromise, the actions taken by the attacker, and the extent of the compromise. This process can also help identify the location of any malware that may be present on the machine.

I am consufing with A and D. Volatile memory analysis is not about with hard drive.... I am going with A.

By the time a clone of the hard drive would be completed, volatile memory would have already been lost. To provide information about when and how the machine was compromised and where the malware is located using the CLONED HARD DRIVE, you would have to perform a system timeline reconstruction. You cannot do that with volatile memory that was never captured. Answer is A.

Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data So D Correct

I don’t even find what system timeline reconstruction is…so I go with D.

⦿ Timeline Generation- Timeline- a tool that shows the sequence of file system events within a source image in a graphical format. Timelines can help the analyst understanding how access to the system was obtained, what tools were installed, what changes to files were made, what data was exfiltrated (if it was exfiltrated) and more. Many forecsic tools generate a timeline.

C: As far as I remember, securing evidence it done from most fleeting media (memory) to the more stable ones. As a disk clone was created, a memory dump was saved before that. So the next step is to use data carving (memory dump & clone data).

After some search on timeline reconstruction, the answer seems A. Also, I agree with Ryukendo's claim.

From my understanding, volatile memory analysis is to gain knowledge about any malicious processes currently running and what it’s doing. From the question it seems the company already understands that the server was used for data mining. and I don’t believe volatile memory analysis is done on clones of the drive but the drive itself once confiscated. Could be wrong, but I think A is the right answer here

Because the question says "a clone of the hard drive was created" is excludes B and D. I would go with A because it gives date and time details

Definitely data carving

pulled from chegg Option D is correct Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.

I would have to say D. I looked through 3 different CySa books and only memory analysis makes sense. https://www.varonis.com/blog/memory-forensics

Not sure, but I think B is correct