Answer B) Logfile Analysis
APTs use different methods like malware, social engineering to gain legitimate credentials, penetration testing, etc., to compromise a system, but they don't have to use all of them. Memory forensics is useless if there is no malicious code to discover. However, logging can uncover all of these types of compromise, as a "paper" trail should be left behind with each movement.
https://blog.scanner.dev/security-logs-and-apts/
Memory forensics is considered one of the most useful techniques when dealing with advanced persistent threat (APT) intrusions on live virtualized environments. It allows for the analysis of a system's memory in order to identify malicious activity that may not be detected by other methods, such as antivirus operations. Logfile analysis and reverse engineering can also be useful in identifying and understanding the nature of an APT intrusion.
Memory forensics is the practice of analyzing a computer system's volatile memory (RAM) to extract evidence of past activity, such as running processes, network connections, and open files. This is especially useful when dealing with Advanced Persistent Threats (APT) intrusions on live virtualized environments because the APT often attempts to hide its presence by manipulating system logs or using rootkits and other malware to cover its tracks. By analyzing the system's volatile memory, a forensic investigator can identify signs of intrusion and other malicious activity that may not be visible in other areas of the system, such as in the file system or on disk.
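The rootkit point in this comment comes down to a cross-view check: compare what the live OS reports with what is actually sitting in memory. As an added example (not from the thread), the Python below does that over constructed process and socket records; the sample pids, names and addresses are made up.

```python
# Added example: cross-view detection of a process hidden from the OS listing.
# The API view is what a rootkit can tamper with; the carved view is what a
# memory-forensics tool recovers by scanning the image. Both samples are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: int


# Constructed sample: what the live system's process API reports.
API_VIEW = [
    Proc(4, "System", 0),
    Proc(612, "services.exe", 500),
    Proc(1204, "svchost.exe", 612),
    Proc(2380, "explorer.exe", 2300),
]

# Constructed sample: process structures carved from the memory image,
# including one that has been unlinked from the OS process list.
CARVED_VIEW = API_VIEW + [Proc(3116, "svchost.exe", 2380)]

# Constructed sample: socket records carved from memory, keyed by owner pid.
CARVED_SOCKETS = {1204: [("10.0.0.5", 443)], 3116: [("203.0.113.7", 8443)]}


def hidden_processes(api_view, carved_view):
    """Processes present in memory but absent from the API listing."""
    visible = {p.pid for p in api_view}
    return [p for p in carved_view if p.pid not in visible]


def suspicious_findings(api_view, carved_view, sockets):
    """Return (pid, reason) pairs an analyst should look at."""
    findings = []
    visible = {p.pid for p in api_view}
    by_pid = {p.pid: p for p in carved_view}
    for p in hidden_processes(api_view, carved_view):
        findings.append((p.pid, "hidden from process list"))
    for p in carved_view:
        # svchost.exe normally runs under services.exe; any other parent is odd.
        parent = by_pid.get(p.ppid)
        if p.name == "svchost.exe" and (parent is None or parent.name != "services.exe"):
            findings.append((p.pid, "svchost.exe with unexpected parent"))
    for pid, conns in sockets.items():
        if pid not in visible:
            findings.append((pid, f"network connection from hidden process: {conns}"))
    return findings
```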
I vote for C!
From official Guide:
However, specialists in the field of reverse engineering may be able to reverse the compilation process with the assistance of tools known as decompilers and disassemblers. Decompilers attempt to take binary executables and convert them back into source code form, whereas disassemblers convert back into machine-readable assembly language (an intermediate step during the compilation process). These tools are particularly useful when you’re performing malware analysis or competitive intelligence and you’re attempting to determine how an executable file works without access to the underlying source code.
Answer A
"This paper proposes a novel APT Trojan detection method by utilizing memory forensics techniques."
https://www.scientific.net/AMM.701-702.927
Community vote distribution: A (35%), C (25%), B (20%), Other