Virtual Labs

Retrieving Password Hashes and Dumping Cached Files from Memory Dumps

What are Symbol tables?

a: A table with mapping of addresses and human readable names Explanation

Explanation

b: A table with mapping of a JPG image file location address in the disk to memory address Explanation

Explanation

c: A table with mapping of MAC and its corresponding IP address Explanation

Explanation

Is it possible to extract every file present on a file system from a memory dump?

a: yes Explanation

Explanation

b: no Explanation

Explanation

What type of files are typically recovered during memory forensics?

a: All deleted files from the hard disk Explanation

Explanation

b: Files that were actively loaded into memory Explanation

Explanation

c: Only system files Explanation

Explanation

d: Only executable files Explanation

Explanation

Which tool is commonly used to analyze memory dumps?

a: Wireshark Explanation

Explanation

b: Volatility Explanation

Explanation

c: Nmap Explanation

Explanation

d: Netcat Explanation

Explanation

Why might cached files appear in memory dumps?

a: Because they are permanently stored in RAM Explanation

Explanation

b: Because they were recently accessed and kept in memory for performance Explanation

Explanation

c: Because the operating system saves them in memory forever Explanation

Explanation

d: Because the user copied them manually into RAM Explanation

Explanation

Which memory region typically stores process-related data like stack, heap, and code segments?

a: Kernel memory Explanation

Explanation

b: User space memory Explanation

Explanation

c: Virtual address space Explanation

Explanation

d: Disk cache Explanation

Explanation

In memory forensics, what is the purpose of extracting process lists?

a: To analyze active and terminated processes during the memory snapshot Explanation

Explanation

b: To recover deleted files from disk Explanation

Explanation

c: To scan for network packets Explanation

Explanation

d: To analyze GPU performance Explanation

Explanation

Which command in Volatility is commonly used to list running processes?

a: pslist Explanation

Explanation

b: dlllist Explanation

Explanation

c: memdump Explanation

Explanation

d: netscan Explanation

Explanation