⚠️ Retired / Legacy Exam: This exam has been retired or replaced. These practice questions are kept for reference only. Please check the official vendor website for current exam versions before studying.
An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS.
Which of the following technical approaches would be the MOST feasible way to accomplish this capture?
A. Run the memdump utility with the -k flag.
B. Use a loadable kernel module capture utility, such as LiME.
C. Run dd on/dev/mem.
D. Employ a stand-alone utility, such as FTK Imager.
Correct Answer: D