
312-49v10 Exam - Question 472


A Computer Hacking Forensic Investigator is acquiring volatile data from a Linux-based suspect machine that they cannot physically access. They need to obtain a dump of the system's RAM remotely. Which of the following sequences of commands and tools should be utilized for a forensically sound extraction?

Correct Answer: B

To acquire volatile data from a Linux machine remotely, the process should involve loading the LiME kernel module on the suspect machine to create a RAM dump and using Netcat to transfer the data over the network. The correct sequence is to use LiME on the suspect machine (`insmod lime-.ko
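The `format=lime` stream that LiME pushes over the tcp: path and netcat receives is a sequence of 32-byte range headers, each followed by the bytes of one physical memory range. The following is an added example, not code from the exam page or the LiME project, that walks a received dump on the forensic workstation and verifies every header before the image is handed to analysis tools; the two-range dump it parses is constructed inline, and the header layout (magic 0x4C694D45, version 1, inclusive start/end addresses, 8 reserved bytes) is LiME's documented format.

```python
import struct

LIME_MAGIC = 0x4C694D45            # appears on disk as the bytes b"EMiL"
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = HEADER.size          # 32 bytes


def parse_lime(data: bytes):
    """Walk a LiME dump and return [(s_addr, e_addr, length), ...].

    Raises ValueError on a bad header or a truncated range, so a corrupted or
    incomplete network transfer is caught before any analysis starts.
    """
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        length = e_addr - s_addr + 1   # LiME range ends are inclusive
        off += HEADER_SIZE
        if len(data) - off < length:
            raise ValueError(f"range 0x{s_addr:x} truncated: need {length} bytes, "
                             f"have {len(data) - off}")
        ranges.append((s_addr, e_addr, length))
        off += length
    return ranges


def is_well_formed(data: bytes) -> bool:
    """True when every header and range in the dump parses cleanly."""
    try:
        parse_lime(data)
        return True
    except ValueError:
        return False


def make_range(s_addr: int, payload: bytes) -> bytes:
    """Constructed sample helper: one range header followed by its payload."""
    e_addr = s_addr + len(payload) - 1
    return HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\0" * 8) + payload


# Constructed sample dump: two ranges, as a real dump carries one entry per
# "System RAM" region listed in /proc/iomem on the suspect machine.
SAMPLE_DUMP = make_range(0x1000, b"A" * 4096) + make_range(0x100000, b"B" * 8192)

if __name__ == "__main__":
    for s, e, n in parse_lime(SAMPLE_DUMP):
        print(f"range 0x{s:016x}-0x{e:016x} ({n} bytes)")
```

Run it against the file netcat wrote (`nc -l <port> > filename.mem`); a dump that was cut off mid-transfer fails the truncation check rather than silently analysing as a complete image.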

Discussion

5 comments
Elb (Option: D)
Apr 24, 2024

D: https://github.com/504ensicsLabs/LiME , https://ioflood.com/blog/nc-linux-command/

Elb (Option: B)
Apr 30, 2024

I meant to answer B

Elb (Option: B)
May 28, 2024

To acquire RAM remotely over a network, the investigator must start a listening session on a suspect machine using tcp:port.
Command: insmod lime-<kernel_module>.ko "path=tcp:<port> format=lime"
On the forensics workstation, the investigator should establish a connection with the suspect machine using netcat and dump RAM data over the network.
Command: nc <IP Address of the Suspect Machine>:<port> > filename.mem

db902ec (Option: C)
Jun 7, 2024

"To acquire RAM remotely over a network, the investigator must start a listening session on a forensic workstation using netcat.
Command: nc -l <port> > filename.dd
On the suspect machine, the investigator should use the dd command and pipe the output using Netcat.
Command: dd if=/dev/fmem bs=1024 | nc <IP Address of the Suspect Machine> <port>" (Page 338)

Elb (Option: B)
Jun 12, 2024

B and C: both options are for remote acquisition.
Step 4.2.1: Acquire Volatile Data from a Linux Machine Using dd and Netcat (Remote Acquisition)
Step 4.2.2: Acquire Volatile Data from a Linux Machine Using LiME and Netcat (Remote Acquisition)