MalDoc and Python
_________________ specifies the number of pages committed in the region described by the VAD node. Question options: MemCommit CommitCharge VadFlag NoChange
CommitCharge
Which of the following is a characteristic of the CR2 register? Question options: Contains the linear address that causes a page fault Contains flags that control the operating mode of the processor Is used to enable architectural extensions Contains the physical address of the initial structure used for address translation.
Contains flags that control the operating mode of the processor
It is important to run live response tools to gather evidence before acquiring physical memory, so that your memory capture contains the extra data generated by the live IR tools.
False
Memory acquisition is an atomic operation
False
Volatility can run on Windows but not on Linux or Mac
False
Volatility is a graphical user interface tool and a Python library that you can import from your own applications, but it does not include a front-end.
False
Which of the following memory acquisition tools claims to leave the smallest footprint possible? Question options: GMG Systems, Inc., KnTTools F-Response Mandiant Memoryze HBGary FastDump
HBGary FastDump
Which of the following VAD protections permits the memory to be read or written, but not executed? Question options: PAGE_READONLY PAGE_READWRITE PAGE_NOACCESS PAGE_WRITECOPY
PAGE_READWRITE
Which of the following statements correctly state the difference between the pool track tables and the big page track tables? (Choose all that apply) Question options: The big page track tables are used to store statistics on the number of allocations and they include the addresses of the allocations. The big page track tables do not store statistics, but they include the addresses of the allocations. The pool track tables serve as a map for locating any large allocations in kernel memory. The pool track tables for small memory blocks store statistics regarding the number of allocations and byte usage and they include the addresses of the allocations.
The big page track tables are used to store statistics on the number of allocations and they include the addresses of the allocations. The big page track tables do not store statistics, but they include the addresses of the allocations.
Which of the following can be found in the output of the Volatility imageinfo plugin? (Choose all that apply) Question options: The date and time when the memory sample was collected The directory table base (DTB) value used for address translation Characteristics of the Address Space, such as whether PAE is enabled The number of CPUs The redirecting output of plugin
The date and time when the memory sample was collected The directory table base (DTB) value used for address translation Characteristics of the Address Space, such as whether PAE is enabled The number of CPUs
The processor is commonly referred to as ____________ Question options: memory unit control unit central processing unit software unit
central processing unit
The communication channel by which components of a PC system communicate is known as ___________. Question options: computer buses software system central processing unit operating system
computer buses
On x86/x64-based computers, the region marked by the OS as reserved for use by the firmware is referred to as _______________. Question options: atomicity region Windows crash dump region device-memory region memory dumps region
device-memory region
Each processor core contains ______________ general purpose registers for performing logical and arithmetic operations. Question options: four 32-bit eight 32-bit sixty-four 32-bit thirty-two 32-bit
eight 32-bit
Which of the following system processes is responsible for handling a variety of user interactions such as GUI-based folder navigation and presenting the start menu? Question options: winlogon.exe svchost. services explorer.exe
explorer.exe
The process of copying the contents of volatile memory to non-volatile storage is referred to as _________________. Question options: data analysis volatility process acquisition memory acquisition
memory acquisition
The part of the CPU that manages communication with the main memory is known as ____________. Question options: memory controller cache controller DMA controller Ethernet controller
memory controller
The part of the CPU which helps locate where data is stored in the cache is ____________. Question options: central processing unit (CPU) translation lookaside buffer (TLB) memory management unit (MMU) physical address extension (PAE)
memory management unit (MMU)
A Volatility _________ is an instance of a structure that exists at a specific address within an address space (AS). Question options: pointer object class overlay
object
If a suspect computer is not powered on, you can attempt to recover memory in which of the following ways? (Choose all that apply) Question options: page files on disk old crash dumps hibernation files introspection
page files on disk old crash dumps
A ______________ is the permission to perform a specific task, such as debugging a process, shutting down the computer, changing the time zone, or loading a kernel driver. Question options: data structure process session process token privilege
privilege
A ____________ is an instance of a program executing in memory. Question options: thread register system call process
process
The _____________ contains detailed information about a process' allocated memory segments, including the original access permissions (read, write, execute) and whether a file is mapped into the region. Question options: VadRoot privilegeCount Process Environment Block (PEB) pstree
Process Environment Block (PEB)
A ______________ is a reference to an open instance of a kernel object, such as a file, registry key, mutex, process, or thread. Question options: process privilege process kernel process token process handle
process handle
A ___________ is a collection of the VTypes, overlays, and object classes for a specific operating system version and hardware architecture (x86, x64, ARM). Question options: void pointer profile dependency volatility object
profile
Which of the following provides the opportunity to acquire the current state of volatile memory but requires administrator-level privileges? Question options: Sleep mode system inactive system running system hibernating system
running system
The illustration shown above is an example of a _____________________. Question options: triple-level handle table multi-level handle table None of the above single-level handle table
single-level handle table
Which of the following critical system processes is the first real user-mode process that starts during the boot sequence? Question options: lsass.exe services. svchost. smss.exe
smss.exe
The _________ value tells you the number of levels in the handle table and points to the address of the top-level table. Question options: tablecode handletablelist quotaprocess handlecount
tablecode
Which of the following Volatility VAD plugins extracts the range of process memory each VAD node describes to a separate file on disk? Question options: vadflag vadinfo vadtree vaddump
vaddump
A ______________ is a pointer to data whose type is unknown or arbitrary at the time of the allocation. Question options: overlay pointer void pointer dependency Vtype pointer
void pointer
Using Volatility Foundation Volatility Framework 2.4, which of the following is the correct syntax for setting the timezone for displaying timestamps? Question options: --tz=TZ -d, --debug --dtb=DTB --tz=TS
--tz=TZ
A high-level diagram of the typical contents of process memory. Refer to the diagram shown above: On a 64-bit system, the value of the highest address (the highlighted portion) is _____________________. Question options: 0x7FFFFFEFFFF 0xBFFFFFEFFFF 0xBFFEFFFF 0x7FFEFFFF
0x7FFFFFEFFFF
Which of the following represents the upper bound of the range (MmHighestUserAddress) on 32-bit systems with the /3GB boot switch in the typical contents of process memory? Question options: 0x7FFFFFEFFFF 0xBFFFFFEFFFF 0x7FFEFFFF 0xBFFEFFFF
0xBFFEFFFF
Intel 64 architecture can support a linear address space up to _________. Question options: 2^16 bytes 2^4 bytes 2^32 bytes 2^64 bytes
2^64 bytes
A 32-bit system allows for up to ______________ handles on a typical single-level handle table. Question options: 512 256 64 32
512
Which of the following statement(s) are false? Question options: IA-32 architecture is also known as x86 Physical Address Extension (PAE) allows up to 64GB of physical memory 64-bit CPUs only actually use 52 bits of the available address space All of the above
64-bit CPUs only actually use 52 bits of the available address space
Which of the following is a feature supported by the 2.0 version of the MoonSols Windows Memory Toolkit? (Choose all that apply) Question options: It can convert full memory dumps to Microsoft crash dumps, which you can then analyze using one of the Microsoft debuggers. DumpIt.exe combines win32dd.exe and win64dd.exe to provide memory dumps in a single click. Acquisition to removable media; includes pre-configured but customizable autorun.inf scripts for automation Conversion of the binary memory image to Microsoft crash dump format
It can convert full memory dumps to Microsoft crash dumps, which you can then analyze using one of the Microsoft debuggers. DumpIt.exe combines win32dd.exe and win64dd.exe to provide memory dumps in a single click.
The _EPROCESS structure contains a _LIST_ENTRY structure called __________________. Question options: ActiveProcessLinks PsActiveProcessHead EPROCESSLinks UniqueProcessId
ActiveProcessLinks
A range of valid addresses used to identify the data stored within a finite location of memory is known as _______________. Question options: random access memory HUB controller Address space memory bus
Address space
Which of the following statement(s) are true? Question options: Paging allows processes to "see" more RAM than is physically present All of the above Paging complicates memory forensics because not all data is memory resident at the time of acquisition The page fault handler code must never be paged
All of the above
Which of the following CANNOT be found on the virtual address descriptors of a process memory? Question options: Process initial protection (read, write, execute) Total number of pages in the region Names of memory-mapped files Array of _MMPFN structures (_KDEBUGGER_DATA64.MmPfnDatabase)
Array of _MMPFN structures (_KDEBUGGER_DATA64.MmPfnDatabase)
A(n) ______________ is one that appears (to the rest of the system) to complete instantaneously, without interruption from concurrent processes. Question options: Atomic operation Memory dumps Window crash dumps Acquisition operation
Atomic operation
The operating system's capability to distribute CPU execution time among multiple threads is referred to as _______________. Question options: Threads system calls multiprogramming CPU scheduling
CPU scheduling
Which of the following IA-32 architecture registers is reserved and should not be accessed? Question options: CR2 CR1 CR0 CR3
CR1
Which of the following features is supported by the basic Edition of KnTTools? Question options: Evidence acquisition over an SSL/TLS tunnel Cryptographic integrity checks (MD5, SHA1, SHA256, SHA512) and robust audit logging Evidence acquisition to an anonymous FTP server Evidence acquisition to a WebDAV-enabled web server
Cryptographic integrity checks (MD5, SHA1, SHA256, SHA512) and robust audit logging
The capability of I/O devices to directly transfer data in system memory without the intervention of the processor is called ______________. Question options: TLB DMA MMU RAM
DMA
An executive object that represents the displayable screen surface and contains user objects such as windows, menus, and buttons is known as _________________. Question options: Desktop Thread Token Process
Desktop
Which of the following is a question to consider when dealing with software-based acquisition? (Choose all that apply) Question options: Do you prefer command-line or graphical user interface (GUI) tools? Do you have budgetary restrictions on the acquisition software you can buy? Do you require the system to be in running or sleep mode? Do you have physical access to the target system(s)?
Do you prefer command-line or graphical user interface (GUI) tools? Do you have budgetary restrictions on the acquisition software you can buy? Do you have physical access to the target system(s)?
Which of the following executive objects represents the image of a loaded kernel-mode driver and contains addresses of the driver's input/output control handler functions? Question options: Type Mutant Driver Key
Driver
Which of the following registers contains the linear address of the next instruction to be executed? Question options: PAE CR3 EIP CR2
EIP
Which of the following ranges of memory stores the process' executable paths, temporary directories and home folders? Question options: Process Environment Block Environmental Variables Dynamic Linked Libraries Process heaps
Environmental Variables
The pooltracker plugin works with all versions of Windows operating systems.
False
Which of the following memory acquisition tools has the ability to interrogate live systems from a remote location over a read-only iSCSI connection? Question options: AccessData FTK Imager MoonSols Windows Memory Toolkit GMG Systems, Inc., KnTTools F-Response
F-Response
When a process opens a handle to an object by calling an API such as ReadFile and WriteFile, which of the following shows the correct sequence of the order of operations followed by the API? Question options: Retrieve the _FILE_OBJECT pointer → Find the base address of the calling process' handle table → Seek to index 0x40 → Carry out the requested operation. Seek to index 0x40 → Retrieve the _FILE_OBJECT pointer → Find the base address of the calling process' handle table → Carry out the requested operation. Seek to index 0x40 → Find the base address of the calling process' handle table → Retrieve the _FILE_OBJECT pointer → Carry out the requested operation. Find the base address of the calling process' handle table → Seek to index 0x40 → Retrieve the _FILE_OBJECT pointer → Carry out the requested operation.
Find the base address of the calling process' handle table → Seek to index 0x40 → Retrieve the _FILE_OBJECT pointer → Carry out the requested operation.
When acquiring memory, which of the following is NOT recommended? Question options: If possible, avoid collecting memory evidence during periods of dramatic change such as during system startup, shutdown, or while system maintenance tasks are running You should limit your interaction with the machine until the acquisition has completed. If you are gathering evidence from a victim's computer, you should dump memory to the target system's local drives, such as the C: partition If you are gathering evidence from a victim's computer, you might want to time your acquisition when the suspect is not active to avoid tipping off the suspect.
If you are gathering evidence from a victim's computer, you should dump memory to the target system's local drives, such as the C: partition
Which of the following statements about the handle table is INCORRECT? Question options: The handle table is a single page 4096 bytes long. All processes start out with a single-level table. Indexes in the handle table contain _HANDLE_TABLE_ENTRY structures when they are not in use. The handle table entries contain an Object member that points to the _OBJECT_HEADER of the corresponding object.
Indexes in the handle table contain _HANDLE_TABLE_ENTRY structures when they are not in use.
Which of the following values tells you which of the optional headers are present (if any)? Question options: InfoMask TotalHandleCount TypeIndex SecurityDescriptor
InfoMask
_______________ is an integer that specifies the PID of the parent process. Question options: SessionProcessLinks InheritedFromUniqueProcessId ThreadListHead UniqueProcessId
InheritedFromUniqueProcessId
Which of the following is NOT a valid advantage for using Volatility? Question options: It is open source GPLv2 It runs on multiple platforms (OS) It is bug free It uses fast and efficient algorithms
It is bug free
A four-byte tag that is used to uniquely mark memory allocations that contain objects of a particular type is referred to as the _________________. Question options: Key InfoMask Name TypeIndex
Key
Which of the following is not a weakness of the pool tag scanning approach? (Choose all that apply) Question options: Large allocations (> 4096 bytes) cannot be found with pool tag scanning Not all kernel allocations are tagged in the first place (i.e. ExAllocatePool) Pool tags can be manipulated because they're not essential to the OS It's possible to find false positives (decoys, fake objects, etc.)
Large allocations (> 4096 bytes) cannot be found with pool tag scanning Not all kernel allocations are tagged in the first place (i.e. ExAllocatePool) Pool tags can be manipulated because they're not essential to the OS It's possible to find false positives (decoys, fake objects, etc.)
Which of the following is NOT a function performed by the csrss.exe system process? Question options: Serves as the broker of commands executed via cmd.exe to extract command history from its memory space. Creates and deletes processes and threads. Maintains a private list of the objects that can be used to cross-reference with other data sources. Manages Windows services and maintains a list of such services in its private memory space.
Manages Windows services and maintains a list of such services in its private memory space.
Which of the following tools used for converting memory dumps can convert select Microsoft Hyper-V memory files into crash dumps (depending on the size of the memory and version of Hyper-V server)? Question options: VMware vmss2core Microsoft vm2dmp MoonSols Windows Memory Toolkit (MWMT) Volatility raw2dmp
Microsoft vm2dmp
Which API is not commonly used by acquisition tools? Question options: MmCreateMemoryDump MmProbeAndLockPages ZwMapViewOfMemory MmMapMemoryDumpMdl
MmCreateMemoryDump
Which of the following is NOT a valid function of the page tables? Question options: Page tables can be leveraged to map virtual addresses in process memory to physical offsets in RAM Page tables can be used to analyze the hardware-based permissions applied to the pages. Page table can be used to determine what pages are swapped to disk. Page tables can be used by Windows to track reserved or committed, virtually contiguous collections of pages.
Page tables can be used by Windows to track reserved or committed, virtually contiguous collections of pages.
_________________ is a memory pool monitor distributed with Microsoft's Driver Development Kit (DDK). Question options: PoolTag PoolMon PoolSize PoolType
PoolMon
A four-byte value, typically composed of ASCII characters, that should uniquely identify the code path taken to produce the kernel pool allocation is known as _________________. Question options: PoolMon PoolSize PoolType PoolTag
PoolTag
________________ refers to committed regions that cannot typically be shared with or inherited by other processes. Question options: Memory protection Private memory Virtual address descriptor Process' page tables
Private memory
Which of the following memory ranges can be marked as private? (Choose all that apply) Question options: Process' mapped files Process' stacks Process' heaps Process' copy-on-write DLLs
Process' stacks Process' heaps
Which of the following describes the collection of recently accessed pages in virtual memory that are present in physical memory (not swapped to disk)? Question options: Process page tables Process' VAD Process' PFN database Process' working set list
Process' working set list
Which of the following process activity commands finds and walks the doubly linked list of processes and prints a summary of the data? Question options: Pslist Psscan Psxview Pstree
Pslist
Which of the following Volatility dependencies contains the Python cryptography toolkit? Question options: Distorm3 OpenPyxl PILCrypto PyCrypto
PyCrypto
Which of the following must be installed along with the Windows Python Module Installer version of Volatility? Question options: Python 2.7 interpreter WINXPSP2x86 Volatility Framework 2.4 PythonXX
Python 2.7 interpreter
Which of the following memory dumps does not contain any headers, metadata, or magic values for file type identification? Question options: Windows hibernation dump Window crash dump Raw memory dump Fast memory dump
Raw memory dump
Which of the following process privileges grants read access to any file on the file system, regardless of its specified access control list (ACL)? Question options: SeShutdownPrivilege SeBackupPrivilege SeChangeNotifyPrivilege SeLoadNotifyPrivilege
SeBackupPrivilege
Which of the following process privileges grants the ability to read from or write to another process' private memory space? Question options: SeChangeNotifyPrivilege SeShutdownPrivilege SeDebugPrivilege SeLoadNotifyPrivilege
SeDebugPrivilege
________________ stores information on the security restrictions for the object, such as which users can access it for reading, writing, and deleting. Question options: TypeIndex TotalHandleCount SecurityDescriptor InfoMask
SecurityDescriptor
Which of the following installation formats is the quickest and easiest way to use Volatility on a Windows analysis machine? Question options: Source code packages using setup.py Source code packages not using setup.py Windows Python module installer Stand-alone Windows executable
Stand-alone Windows executable
Which of the following versions of Volatility does not require a separate installation of Volatility dependencies? Question options: Source code packages using setup.py Windows Python module installer Source code packages not using setup.py Standalone Windows executable
Standalone Windows executable
Which of the following is NOT included in a volatility profile? Question options: Metadata System map Constant values System yara
System yara
All executive objects are structures, but not all structures are executive objects.
True
Which of the following statements about pooltracker tables are CORRECT? (Choose all that apply) Question options: The pooltracker tables record usage statistics and the addresses of all allocations of a particular tag. You can integrate data from the pooltag.txt file (using the --tagfile option) so the output is labeled with the description and owning kernel driver (if available). Running the pooltracker plugin without --tags will display statistics for all pool tags. The pooltracker plugin works only with Vista and later operating systems.
The pooltracker tables record usage statistics and the addresses of all allocations of a particular tag. You can integrate data from the pooltag.txt file (using the --tagfile option) so the output is labeled with the description and owning kernel driver (if available). Running the pooltracker plugin without --tags will display statistics for all pool tags. The pooltracker plugin works only with Vista and later operating systems.
The figure shown above is an example of a User SID. What does the highlighted portion of the User SID indicate? Question options: That the string is a SID A relative identifier that represents any user or group that doesn't exist by default The revision level (version of the SID specification) The identifier authority value
The revision level (version of the SID specification)
On which of the following ranges of memory can you find function arguments, return addresses, and local variables? Question options: Thread stacks Process Environment Block Dynamic Linked Libraries Process heaps
Thread stacks
Which of the following executive objects stores security context information (such as security identifiers [SIDs] and privileges) for processes and threads? Question options: Thread Desktop Token Process
Token
Which of the following information can be found in PoolMon? (Choose all that apply) Question options: Total number of bytes occupied by allocations Number of allocations Average bytes per allocation The memory type (Paged or Nonpaged)
Total number of bytes occupied by allocations Number of allocations Average bytes per allocation The memory type (Paged or Nonpaged)
You can use F-Response to mount RAM over the network and then examine it from your analysis machine.
True
____________ is an _OBJECT_TYPE_INITIALIZER structure that tells you the type of memory used to allocate instances of these objects (for example, paged or nonpaged memory). Question options: InfoMask TotalHandleCount TypeInfo TypeIndex
TypeInfo
Which of the following is the Volatility framework's structure definition and parsing language? Question options: Yara Overlays VTypes Distorm3
VTypes
Which of the following Windows API functions allows one process to allocate memory for another process? Question options: HeapAlloc GlobalAllocEx VirtualAllocEx LocalAlloc
VirtualAllocEx
Which statement about Volatility is INCORRECT? Question options: Volatility is written in Python Volatility can analyze raw dumps, crash dumps, hibernation files and various other formats Volatility can be used to acquire memory from the target system Volatility runs on Windows, Linux and Mac
Volatility can be used to acquire memory from the target system
Which of the following is an open-source memory acquisition tool for Windows? Question options: EnCase/WinEn Belkasoft Live RAM Capturer AccessData FTK Imager Winpmem
Winpmem
The VadRoot on a 64-bit Windows 7 machine is _____________________. Question options: _MMADDRESS_LONG _MM_AVL_TABLE _RTL_BALANCED_NODE _MMVAD_SHORT
_MM_AVL_TABLE
The figure shown above is an illustration of _____________________. Question options: shared memory mappings between two processes address translation to a 4KB page using 32-bit paging multiple virtual address spaces sharing memory and secondary storage format for paging structure addresses used in 32-bit paging
format for paging structure addresses used in 32-bit paging
Which of the following acquisition options does not require credentials for the target system(s)—physical access suffices? Question options: Software-based acquisition VM acquisition hardware-assisted acquisition Memory dumps acquisition
hardware-assisted acquisition
Which of the following is a function performed by the winlogon.exe process? (Choose all that apply) Question options: initiates the screen saver when necessary enforces the security policy by verifying passwords responds to Secure Attention Sequence (SAS) keyboard operations such as CTRL+ALT+DEL creates access tokens presents the interactive logon prompt
initiates the screen saver when necessary responds to Secure Attention Sequence (SAS) keyboard operations such as CTRL+ALT+DEL presents the interactive logon prompt
A _____________ is a range of memory that can be divided up into smaller blocks for storing any type of data that a kernel-mode component requests. Question options: kernel pool TypeInfo token _pool_header
kernel pool
The single continuous address space that is exposed to a running program is referred to as a __________________. Question options: linear address space non-linear address space physical address space non-volatile address space
linear address space
Using Volatility Foundation Volatility Framework 2.4, the option -h, --help displays _______________________. Question options: list of all available options and their default values directories where cache files are stored user-based configuration file name of profile to load
list of all available options and their default values