1 vote
During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

1) dd
2) memdump
3) tcpdump
4) head

by User Koo (8.0k points)

1 Answer

6 votes

Final answer:

The cybersecurity analyst can use the memdump tool to create a memory dump of the laptop before restoring it and returning it to the user.

Step-by-step explanation:

The cybersecurity analyst can use the memdump tool to create a memory dump of the laptop before restoring it and returning it to the user. A memory dump captures the state of the computer's memory at a specific point in time and can be analyzed offline. This allows the analyst to continue investigating the intrusion without interfering with the user's access to their laptop.

by User Greg McNulty (8.0k points)
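
An added example, not part of the original question or answer: capturing evidence for offline analysis, as described above, is normally paired with a hash recorded at acquisition time so the copy can be re-verified later. This sketch uses dd (one of the listed options) on a constructed stand-in file; the function names and paths are assumptions.

```shell
#!/bin/sh
# Added example: image a source with dd, record a SHA-256, re-verify later.
# acquire_image, verify_image and all paths are illustrative names.
# Assumption: the source is not changing while it is read (powered-off disk
# behind a write blocker, or a file as in the constructed demo below).

sha256_of() {
    # Print only the hex digest (sha256sum on Linux, shasum on macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

acquire_image() {
    # $1 = source (device or file), $2 = image path; writes $2 and $2.sha256.
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 3; fi
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 4
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch" >&2; return 5; }
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
}

verify_image() {
    # Returns 0 only if the image still matches the hash recorded at acquisition.
    img=$1
    [ -r "$img.sha256" ] || return 2
    recorded=$(awk '{print $1; exit}' "$img.sha256")
    [ "$(sha256_of "$img")" = "$recorded" ]
}

demo() {
    # Constructed stand-in for a disk; no real device is touched.
    d=$(mktemp -d) || return 1
    printf 'constructed sample disk contents\n' > "$d/disk.raw"
    acquire_image "$d/disk.raw" "$d/evidence.dd" && verify_image "$d/evidence.dd" \
        && echo "image verified: $(cat "$d/evidence.dd.sha256")"
    rm -rf "$d"
}
demo
```

Running `verify_image` again before each analysis session shows whether the working copy has changed since it was acquired.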