GIAC Exam GCED Topic 7 Question 39 Discussion

Actual exam question for GIAC's GCED exam
Question #: 39
Topic #: 7

Why would an incident handler acquire memory on a system being investigated?

Suggested Answer: C

In a case study of a redirect tunnel set up on a router, some anomalies were noticed while watching network traffic with the TCPdump packet sniffer.

Packets going to port 25 (Simple Mail Transfer Protocol [SMTP], used by mail servers and other Mail Transfer Agents [MTAs] to send and receive e-mail) were apparently taking a different network path: their TTLs were consistently three less than those of packets to other destination ports, indicating that three additional network hops were taken.

Other IP header values are also listed, such as the fragment offset. The acknowledgement number is a TCP, not an IP, header field.
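The TTL observation above can be turned into a simple check: group observed TTLs per source host and destination port, take the host's most common TTL as the baseline, and flag any port whose packets all arrive with a lower TTL. The code below is an added example, not part of the original page; the packet records are constructed inline and stand in for fields parsed from a TCPdump capture.

```python
# Added example (not from the original page): flag destination ports whose
# packets consistently arrive with a lower TTL than the rest of a host's
# traffic, the redirect-tunnel signature described in the case study.
from collections import Counter, defaultdict

# Constructed sample of (src_ip, dst_port, ttl), standing in for fields
# parsed from a TCPdump/pcap capture. For 10.0.0.5, ports 80/443/22 arrive
# with TTL 61 while port 25 arrives with TTL 58: three extra hops.
PACKETS = [
    ("10.0.0.5", 80, 61), ("10.0.0.5", 443, 61), ("10.0.0.5", 22, 61),
    ("10.0.0.5", 25, 58), ("10.0.0.5", 80, 61), ("10.0.0.5", 25, 58),
    ("10.0.0.5", 443, 61), ("10.0.0.5", 25, 58),
    ("10.0.0.9", 80, 120), ("10.0.0.9", 25, 120),  # no anomaly for this host
]


def ttl_by_port(packets):
    """Group observed TTLs per (src_ip, dst_port)."""
    seen = defaultdict(list)
    for src, dport, ttl in packets:
        seen[(src, dport)].append(ttl)
    return seen


def baseline_ttl(seen, src):
    """Most common TTL over all ports for a source host. A redirect that
    affects only one service alters a minority of packets, so the mode
    reflects the normal path length."""
    counts = Counter(t for (s, _), ttls in seen.items() if s == src for t in ttls)
    return counts.most_common(1)[0][0]


def find_ttl_anomalies(packets, min_extra_hops=1):
    """Return {(src_ip, dst_port): extra_hops} for ports whose every packet
    arrived with a TTL at least min_extra_hops below the host baseline."""
    seen = ttl_by_port(packets)
    anomalies = {}
    for (src, dport), ttls in seen.items():
        extra = baseline_ttl(seen, src) - max(ttls)  # max: all packets lower
        if extra >= min_extra_hops:
            anomalies[(src, dport)] = extra
    return anomalies


if __name__ == "__main__":
    for (src, port), hops in find_ttl_anomalies(PACKETS).items():
        print(f"{src} -> port {port}: {hops} extra hop(s) versus baseline")
```

On the constructed sample the check reports only port 25 for 10.0.0.5, with three extra hops, matching the case study's observation.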


Contribute your Thoughts:

Francine
1 month ago
I bet the answer is A. Who cares about user accounts when you've got a potential malware infection to deal with? Memory is where the real action is!
upvoted 0 times
Aileen
1 month ago
Option D is interesting, but I doubt that's the main reason an incident handler would acquire memory. Privilege escalation is important, but memory analysis is typically more focused on malware detection.
upvoted 0 times
Cyril
9 days ago
C) To list which services are installed on the system
upvoted 0 times
Karl
11 days ago
B) To identify whether a program is set to auto-run through a registry hook
upvoted 0 times
Chaya
15 days ago
A) To determine whether a malicious DLL has been injected into an application
upvoted 0 times
Argelia
1 month ago
Ha! Option C? Really? That's just basic system information, not what an incident handler would need in this case.
upvoted 0 times
Julio
9 days ago
Mica: Definitely, we need to focus on potential threats first.
upvoted 0 times
Mica
11 days ago
User 2: I agree, that could indicate a security breach.
upvoted 0 times
Cristy
13 days ago
User 1: I think option A is more relevant, checking for injected malicious DLLs is crucial.
upvoted 0 times
Jerrod
2 months ago
I'm not sure about that. Wouldn't option B be a better choice? Checking the registry for autorun entries could also be useful in an incident investigation.
upvoted 0 times
Tyra
1 month ago
D) To verify which user accounts have root or admin privileges on the system
upvoted 0 times
Adria
1 month ago
B) Checking the registry for autorun entries could be useful in an incident investigation.
upvoted 0 times
Catrice
1 month ago
B) To identify whether a program is set to auto-run through a registry hook
upvoted 0 times
Chery
2 months ago
A) To determine whether a malicious DLL has been injected into an application
upvoted 0 times
Lindsey
2 months ago
Option A seems like the most relevant choice here. Acquiring memory can help identify any malicious DLLs that may have been injected into running processes.
upvoted 0 times
Blythe
2 months ago
I believe acquiring memory can also help verify user privileges on the system.
upvoted 0 times
Youlanda
2 months ago
I agree with Gwenn, it's important to identify any injected applications.
upvoted 0 times
Gwenn
3 months ago
I think an incident handler would acquire memory to check for malicious DLLs.
upvoted 0 times