Q1

An investigator is analyzing a memory dump from a compromised Linux server that hosted multiple Docker containers. The attacker allegedly used a fileless malware variant that executed entirely in memory. The investigator suspects the malware manipulated system calls using a kernel module. Which Volatility 3 plugin would be most effective for initially identifying anomalous kernel modules and their hooks?

Q2

A financial institution's internal audit team is investigating a case of suspected insider trading facilitated through corporate email. The investigation is subject to strict eDiscovery protocols under the EDRM framework. The legal team has issued a hold on all relevant mailboxes. At which stage of the EDRM cycle would the forensic team use keyword searching, date filtering, and de-duplication on the collected mailbox data?

Q3

During a forensic investigation of a compromised web server, an analyst discovers that the attacker manipulated the timestamps of several critical log files using the `touch` command to cover their tracks. This action is a form of trail obfuscation. Which of the following artifacts is most likely to reveal the discrepancy between the modified timestamps and the actual time of file system changes?

Q4

A forensic investigator in the European Union is conducting an investigation into corporate fraud that involves employee data from Germany and France. The investigator must ensure compliance with the General Data Protection Regulation (GDPR). Which GDPR principle is most critical when deciding how much data to collect and ensuring that only data strictly relevant to the fraud case is acquired?

Q5 (Multiple answers)

A forensic analyst is examining an Android device and needs to recover deleted SQLite database entries from a third-party messaging application. The database file itself is intact, but records have been removed. Which artifact within the SQLite file structure should the analyst focus on to potentially recover the deleted content? (Select TWO).

Q6

A CHFI is tasked with creating a forensic image of a 2TB NVMe SSD from a suspect's laptop. To ensure the integrity of the evidence, the investigator must use a hardware write blocker. The primary reason for using a hardware write blocker over a software-based one in this scenario is that hardware blockers:

Q7

True or False: In a RAID 5 configuration consisting of four 1TB drives, a forensic investigator can reconstruct the full data set even if two of the drives have failed simultaneously.

Q8

An investigator is analyzing network traffic from a suspected ransomware attack. They observe a large volume of DNS queries for domains ending in `.onion`. This activity is a strong indicator that the malware is attempting to communicate with a Command and Control (C2) server hosted on:

Q9

A forensic investigator is using Python to automate the extraction of EXIF data from a large set of image files. The investigator writes a script to parse GPS coordinates, camera model, and timestamps. Which Python library is most commonly used and specifically suited for this task?

Q10

A hospital's IT security team is responding to a breach where a medical IoT device (an infusion pump) was compromised. The forensic investigator needs to acquire data from the device, which has limited storage and a proprietary embedded operating system. The device is still running. According to the order of volatility, which of the following pieces of evidence should be collected FIRST?