Free GCIH Memory & Malware Investigation Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Memory & Malware Investigation practice test covers memory and malware investigation — Volatility, memory acquisition, process tree analysis, malware triage, YARA rules, and static vs dynamic analysis. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.


6 Free GCIH Memory & Malware Investigation Practice Questions with Answers

Sample Question 1 — Memory and Malware Investigation

Which Volatility plugin would you use to identify running processes in a Windows memory dump?

  A. psxview
  B. pslist (Correct answer)
  C. psscan
  D. psverify

Correct answer: B

Explanation: The pslist plugin displays a list of running processes by following the doubly-linked list pointed to by PsActiveProcessHead. While psscan and psxview provide additional verification capabilities, pslist is the primary plugin for viewing running processes.

Sample Question 2 — Memory and Malware Investigation

During a memory forensics investigation, you are tasked with identifying a suspicious process that may be part of malware activity. Using Volatility, you execute the command `volatility -f memory.dmp pslist`. The output shows a process with PID 1337 named 'svchost.exe', running from an unusual directory, 'C:\Temp\'. What should be your next step to confirm the process is malicious?

  A. Use Volatility to dump the process using `volatility -f memory.dmp procdump --pid=1337 -D output/` and analyze the binary. (Correct answer)
  B. Terminate the process immediately to prevent any further potential harm.
  C. Check the process's network connections using `volatility -f memory.dmp netscan` to see if it communicates with known malicious IP addresses.
  D. Use Volatility to list all DLLs loaded by the process using `volatility -f memory.dmp dlllist --pid=1337`.

Correct answer: A

Explanation: Dumping the process allows for further analysis of the binary, which can reveal if it contains malicious code or behaves suspiciously. Terminating the process (option B) should not be done without confirming it is malicious, as it could result in loss of evidence. Checking network connections (option C) is useful, but it doesn’t confirm the process is malicious. Listing DLLs (option D) can provide additional context but is not definitive on its own.

Sample Question 3 — Memory and Malware Investigation

You are investigating a potential malware infection on a workstation. The user reported suspicious activity, and you suspect a malicious executable might be running. Using memory forensics, you want to identify any injected code within running processes. Which Volatility command should you use to detect code injection?

  A. `volatility -f memory.dmp malfind` (Correct answer)
  B. `volatility -f memory.dmp psxview`
  C. `volatility -f memory.dmp hivelist`
  D. `volatility -f memory.dmp connscan`

Correct answer: A

Explanation: The 'malfind' plugin in Volatility is specifically designed to identify injected code in process memory; code injection is a common technique used by malware. The 'psxview' plugin (option B) is used for detecting hidden processes, 'hivelist' (option C) enumerates registry hives, and 'connscan' (option D) scans for network connections. None of these directly detects code injection.

Sample Question 4 — Memory and Malware Investigation

During an incident response, you suspect that a system is infected with malware. What is the first step you should take to confirm the presence of malware in the system's memory?

  A. Run a full system antivirus scan.
  B. Capture a memory dump for analysis. (Correct answer)
  C. Check system logs for unusual activity.
  D. Disconnect the system from the network.

Correct answer: B

Explanation: Capturing a memory dump is crucial for analyzing the state of the system at the time of the incident. It allows you to examine running processes, network connections, and other artifacts that may indicate the presence of malware. While running an antivirus scan (option A) and checking system logs (option C) are valid actions, they are not the first step in a memory-specific investigation. Disconnecting the system from the network (option D) might be necessary in some cases to prevent further spread of malware, but it does not directly confirm the presence of malware in memory.

Sample Question 5 — Memory and Malware Investigation

During an incident response, a security analyst suspects a malware infection on a Windows server. What is the best first step to confirm the presence of malicious processes running in memory?

  A. Run a full antivirus scan on the server.
  B. Examine network traffic using Wireshark for anomalies.
  C. Capture a memory dump and analyze it with a tool like Volatility. (Correct answer)
  D. Check the server's event logs for suspicious entries.

Correct answer: C

Explanation: Capturing a memory dump and analyzing it with a tool like Volatility is the best first step to confirm the presence of malicious processes running in memory. This method allows the analyst to directly examine what is currently in memory, including hidden or suspicious processes that may not be visible in standard system monitoring tools. While running an antivirus scan or examining network traffic can provide additional context, they may not immediately confirm the presence of malware in memory. Checking event logs is useful but may not reveal processes actively running in memory.

Sample Question 6 — Memory and Malware Investigation

An incident handler needs to quickly determine if a suspicious process on a Linux server is part of a malware infection. Which tool should be used first to gather the most immediate and useful information about the process?

  A. Nmap to scan for open ports associated with the process.
  B. Wireshark to capture network traffic generated by the process.
  C. ps and lsof to list process details and open files. (Correct answer)
  D. Exiftool to examine metadata of files related to the process.

Correct answer: C

Explanation: Using 'ps' and 'lsof' provides immediate and useful information about the process, such as its command-line arguments, associated files, and network connections. This information can quickly help determine if the process is legitimate or suspicious. Nmap and Wireshark could be used later for deeper analysis of network activity, while Exiftool is more suited for analyzing file metadata rather than active processes.
