GIAC GCED Exam - Topic 7 Question 39 Discussion

Actual exam question for GIAC's GCED exam
Question #: 39
Topic #: 7

Why would an incident handler acquire memory on a system being investigated?

Suggested Answer: C

In a case study of a redirect tunnel set up on a router, some anomalies were noticed while watching network traffic with the TCPdump packet sniffer.

Packets going to port 25 (Simple Mail Transfer Protocol [SMTP], used by mail servers and other Mail Transfer Agents [MTAs] to send and receive e-mail) were apparently taking a different network path: their TTLs were consistently three less than those of packets to other destination ports, indicating that three additional network hops were taken.

The other options listed are IP header values, such as the fragment offset; the acknowledgement number is a TCP header field, not an IP one.
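As an added example (not from the page or from any GIAC material), the TTL comparison described above written as a small detection script: it groups tcpdump-style lines by TCP destination port and flags any port whose packets consistently arrive with a lower TTL than the bulk of the traffic, reporting the implied number of extra hops. The sample lines, regex and function names are constructed here, and the check assumes a single source host so that every packet starts from the same initial TTL.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "tcpdump -v" style; not a real capture.
# Packets to port 25 show a TTL three lower than the rest of the traffic.
SAMPLE_LINES = """\
10:01:02.100 IP (tos 0x0, ttl 61, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51000 > 203.0.113.10.80: Flags [S]
10:01:02.200 IP (tos 0x0, ttl 58, id 2, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51001 > 203.0.113.20.25: Flags [S]
10:01:02.300 IP (tos 0x0, ttl 61, id 3, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51002 > 203.0.113.30.443: Flags [S]
10:01:02.400 IP (tos 0x0, ttl 58, id 4, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51003 > 203.0.113.40.25: Flags [S]
10:01:02.500 IP (tos 0x0, ttl 61, id 5, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51004 > 203.0.113.50.22: Flags [S]
""".splitlines()

# Pulls the IP TTL and the TCP destination port out of one tcpdump -v line.
LINE_RE = re.compile(r"ttl (?P<ttl>\d+).*?> (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+):")


def ttls_by_dest_port(lines):
    """Group the observed IP TTL of each packet by its TCP destination port."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[int(m.group("port"))].append(int(m.group("ttl")))
    return dict(seen)


def extra_hop_ports(lines, min_packets=2):
    """Return {port: extra_hops} for ports whose packets all arrive with the
    same TTL deficit relative to the most common TTL seen (the normal path).
    Assumes one source host, so all packets share the same initial TTL."""
    by_port = ttls_by_dest_port(lines)
    all_ttls = [t for ttls in by_port.values() for t in ttls]
    if not all_ttls:
        return {}
    baseline = Counter(all_ttls).most_common(1)[0][0]  # TTL of the normal path
    flagged = {}
    for port, ttls in by_port.items():
        if len(ttls) < min_packets:
            continue  # too few samples to call the deviation consistent
        deltas = {baseline - t for t in ttls}
        if len(deltas) == 1:  # every packet to this port took the same detour
            delta = deltas.pop()
            if delta > 0:
                flagged[port] = delta
    return flagged


if __name__ == "__main__":
    print(extra_hop_ports(SAMPLE_LINES))  # {25: 3}
```

A deficit that is constant per port is the signal; TTLs that vary packet to packet for one port point at ordinary load balancing rather than a fixed redirect.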


Contribute your Thoughts:

Mabel
3 months ago
Wait, can you really find injected DLLs just by looking at memory? Sounds tricky!
upvoted 0 times
Vanna
3 months ago
D seems off, memory isn't the best way to check user privileges.
upvoted 0 times
Mariann
3 months ago
C is useful, but not the main reason for memory acquisition.
upvoted 0 times
Yolande
4 months ago
I think B is more relevant for auto-run checks.
upvoted 0 times
Lashandra
4 months ago
Definitely A! Malicious DLLs can hide in memory.
upvoted 0 times
Arminda
4 months ago
I thought we covered that memory acquisition is crucial for understanding running processes, so option C might be a possibility, but I’m leaning towards A.
upvoted 0 times
Marget
4 months ago
I feel like option A makes sense since memory analysis can reveal injected code, but I also wonder if there are other reasons for acquiring memory that we discussed.
upvoted 0 times
Ira
4 months ago
I remember a practice question about memory acquisition and registry hooks. It seems like option B could be relevant too, but I don't recall the specifics.
upvoted 0 times
Karol
5 months ago
I think acquiring memory can help identify if a malicious DLL has been injected, but I'm not entirely sure if that's the main reason.
upvoted 0 times
Pete
5 months ago
I'm a bit confused by this question. Is it asking about the general reasons for memory acquisition, or is there a specific scenario or context we're supposed to be considering? I want to make sure I understand the question properly before answering.
upvoted 0 times
Virgina
5 months ago
Okay, I think I've got this. Acquiring memory would allow the incident handler to analyze the running processes and look for any signs of malware or unauthorized activity that might not be visible from just looking at the file system or registry. That could be really helpful in understanding what's going on with the system.
upvoted 0 times
Alica
5 months ago
This seems like a straightforward question about incident response. I'm pretty confident that acquiring memory would be useful to look for signs of malware or other suspicious activity.
upvoted 0 times
Maia
5 months ago
Hmm, I'm not entirely sure about this one. I know memory acquisition is important for incident response, but I'm not sure of the specific reasons why an incident handler would do that. I'll have to think this through carefully.
upvoted 0 times
Dick
5 months ago
Last week we practiced a similar question about consolidated income statements. I feel like the answer could be 6,000 based on the dividend and profit adjustment.
upvoted 0 times
Kiley
5 months ago
Hmm, I'm a bit confused by the different ways the attribute can be declared. I'll need to double-check the DTD rules to make sure I understand the proper format.
upvoted 0 times
Callie
5 months ago
This seems like a straightforward question about the factors that influence data management. I'm pretty confident I can answer this based on what we've covered in class.
upvoted 0 times
Goldie
5 months ago
I'm leaning towards the high latency being the culprit here. 250ms is quite high for an HA connection, and that could definitely lead to the observed failover instability.
upvoted 0 times
Francine
9 months ago
I bet the answer is A. Who cares about user accounts when you've got a potential malware infection to deal with? Memory is where the real action is!
upvoted 0 times
Aileen
9 months ago
Option D is interesting, but I doubt that's the main reason an incident handler would acquire memory. Privilege escalation is important, but memory analysis is typically more focused on malware detection.
upvoted 0 times
Cyril
8 months ago
C) To list which services are installed on the system
upvoted 0 times
Karl
9 months ago
B) To identify whether a program is set to auto-run through a registry hook
upvoted 0 times
Chaya
9 months ago
A) To determine whether a malicious DLL has been injected into an application
upvoted 0 times
Argelia
10 months ago
Ha! Option C? Really? That's just basic system information, not what an incident handler would need in this case.
upvoted 0 times
Julio
8 months ago
Mica: Definitely, we need to focus on potential threats first.
upvoted 0 times
Mica
9 months ago
User 2: I agree, that could indicate a security breach.
upvoted 0 times
Cristy
9 months ago
User 1: I think option A is more relevant, checking for injected malicious DLLs is crucial.
upvoted 0 times
Jerrod
10 months ago
I'm not sure about that. Wouldn't option B be a better choice? Checking the registry for autorun entries could also be useful in an incident investigation.
upvoted 0 times
Tyra
9 months ago
D) To verify which user accounts have root or admin privileges on the system
upvoted 0 times
Adria
9 months ago
B) Checking the registry for autorun entries could be useful in an incident investigation.
upvoted 0 times
Catrice
10 months ago
B) To identify whether a program is set to auto-run through a registry hook
upvoted 0 times
Chery
10 months ago
A) To determine whether a malicious DLL has been injected into an application
upvoted 0 times
Lindsey
10 months ago
Option A seems like the most relevant choice here. Acquiring memory can help identify any malicious DLLs that may have been injected into running processes.
upvoted 0 times
Blythe
10 months ago
I believe acquiring memory can also help verify user privileges on the system.
upvoted 0 times
Youlanda
11 months ago
I agree with Gwenn, it's important to identify any injected applications.
upvoted 0 times
Gwenn
11 months ago
I think an incident handler would acquire memory to check for malicious DLLs.
upvoted 0 times