For a quick analysis when a rootkit is suspected, the technique that enables immediate insight into the system’s current state, including active processes and memory content, is crucial. Live response techniques allow investigators to capture volatile data that would be lost if the system were shut down.
Live response involves capturing live system data such as memory, running processes, and network connections, which can be crucial in detecting rootkits, as they often hide their presence from static analysis tools by running in memory. This approach helps in quickly understanding the current state of the system and the rootkit’s activities.
Therefore, the correct technique would be:
B. Live response.
This aligns with the principles of incident response and evidence collection for rootkits, as detailed in CISSP domains related to security operations and incident management.
Sure, live response is good, but it is not an evidence-collecting technique such as media analysis, in-memory analysis, network analysis, software analysis, or hardware/embedded device analysis.
It's a challenging problem. When I asked ChatGPT, I received the following response:
"Live Response: Live response involves collecting data from the running system. This includes information from memory and running processes. It is useful in situations where a quick response is needed or when stopping the system is not allowed.
Memory Collection: Memory collection retrieves information from the system's memory. It is effective in detecting the behavior and presence of rootkits, as they often affect memory. However, it may take more time than live response when an immediate response is required."
With this information, I've decided to go with option B.
"...quick analysis is needed"
Live Response offers the best options for quick analysis.
Memory Collection offers the best options for longer, in-depth analysis.
https://ceur-ws.org/Vol-3094/paper_12.pdf
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
"Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.
Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats."
Live response is a critical technique in incident response, as it helps identify and contain the threat before it causes further damage. It involves collecting volatile data from a live system in real-time, which can include running processes, network connections, and open files. Live response is often used when time is of the essence and a quick analysis is needed to determine if a system has been compromised.
The answer is B. Live response.
Live response is a technique used to collect evidence from a live system. This is useful when it is believed that an attacker is employing a rootkit, as rootkits can often hide from forensic disk imaging and memory collection. Live response tools can be used to collect volatile data from memory, as well as to run commands on the system to gather additional information.
C. Memory collection is the technique that would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed. A rootkit is a type of malware that hides the presence of malicious files and processes on a computer by modifying the operating system's kernel, system call table, or other critical areas. Memory collection, also known as volatile data collection, involves capturing and preserving the data stored in a computer's memory (RAM) in its current state. This can provide valuable information about the system's state and any malicious processes that are running in memory. This technique is often used in conjunction with live response, which allows an investigator to collect data from a system without shutting it down.
Memory dumps contain static snapshots of the computer's volatile memory (RAM). It is possible to create a memory dump for a single process, the system kernel, or the entire system. By analyzing memory dumps, examiners can ensure a clean working environment and no active resistance from the rootkit. Techniques used in memory dump analysis can also be deployed on a live system, with restrictions.
https://www.forensicfocus.com/articles/understanding-rootkits/
upvoted 4 times
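As an added illustration of why live response on the running system can surface what a rootkit hides (this is example code, not from any poster above or from the vendors they cite): the script compares the process list reported by `ps` against the PIDs visible in /proc and flags the gap. The sample data is constructed; only `live_check()` assumes a Linux host.

```python
"""Live-response cross-view check for hidden processes (constructed example).

A rootkit that hooks process enumeration can make a PID vanish from `ps`
output while the kernel still schedules it. On a live system an investigator
can compare two independent views of the same state and flag the difference.
"""
import os
import re
import subprocess
from typing import Iterable


def pids_from_ps_output(ps_text: str) -> set[int]:
    """Parse PIDs from `ps -eo pid=` style output (one PID per line)."""
    return {int(tok) for tok in ps_text.split() if tok.isdigit()}


def pids_from_proc_listing(entries: Iterable[str]) -> set[int]:
    """Parse PIDs from a /proc directory listing (numeric entries only)."""
    return {int(name) for name in entries if re.fullmatch(r"\d+", name)}


def hidden_pids(ps_pids: set[int], proc_pids: set[int], self_pid: int = -1) -> set[int]:
    """PIDs present in /proc but absent from the ps view, excluding our own PID.

    Processes started between the two snapshots also land here, so a hit is a
    lead to verify (re-run, inspect /proc/<pid>/status), not proof of a rootkit.
    """
    return (proc_pids - ps_pids) - {self_pid}


def live_check() -> set[int]:
    """Take both snapshots on the running host (Linux only) and diff them."""
    ps_text = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                             text=True, check=True).stdout
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    return hidden_pids(pids_from_ps_output(ps_text), proc_pids, os.getpid())


# Constructed sample data: the ps view omits PID 4242, which still exists in /proc.
SAMPLE_PS = "1\n2\n815\n1337\n"
SAMPLE_PROC = ["1", "2", "815", "1337", "4242", "cpuinfo", "self", "meminfo"]

if __name__ == "__main__":
    print(sorted(hidden_pids(pids_from_ps_output(SAMPLE_PS),
                             pids_from_proc_listing(SAMPLE_PROC))))
```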