Chapter 22 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. Commit to an answer before you look — a guess you can defend teaches more than a peek.
Multiple choice
Q1. Investigators find a suspect's laptop powered on, logged in, with a BitLocker-encrypted system drive and no escrowed recovery key. What is the single most consequential first action? - A) Photograph the screen, then pull the plug to preserve the disk - B) Acquire physical memory to external media before any power-off - C) Run a full antivirus scan to triage for malware - D) Image the disk with a hardware write-blocker while the machine runs
Q2. Which of these typically exists in usable form only in RAM at the moment of seizure?
- A) Prefetch files showing past program execution
- B) The Master File Table ($MFT)
- C) The Full Volume Encryption Key for a mounted encrypted disk
- D) The $Recycle.Bin` `$I records
Q3. A DKOM rootkit has unlinked its process from the active-process list. Which approach still finds it?
- A) pslist — it walks the official doubly-linked list
- B) psscan — it sweeps memory for the Proc pool tag
- C) dlllist — it enumerates loaded modules
- D) cmdline — it reads process arguments
Q4. The pool tag that marks a Windows process object (_EPROCESS) is Proc. What are its four bytes in hexadecimal?
- A) 70 72 6F 63
- B) 50 72 6F 63
- C) 50 52 4F 43
- D) 63 6F 72 50
Q5. malfind flags a memory region as suspicious primarily because it is private, committed, and carries which protection?
- A) PAGE_READONLY
- B) PAGE_EXECUTE_READ
- C) PAGE_EXECUTE_READWRITE (RWX)
- D) PAGE_NOACCESS
Q6. ldrmodules shows a mapped, executable region with InLoad=False, InInit=False, InMem=False, and no MappedPath. What does this most likely indicate?
- A) A normally-loaded system DLL
- B) A reflectively-injected DLL the loader never recorded
- C) A paged-out region that must be read from the pagefile
- D) A legitimate JIT-compiled code cache
Q7. Volatility 3 differs from Volatility 2 chiefly in how it understands a kernel's structures. What does Volatility 3 use instead of pre-built profiles? - A) Hard-coded offsets compiled into the tool - B) The KDBG block exclusively - C) Symbol tables (ISF) generated from the OS's debug symbols - D) A live connection to the running kernel
Q8. You must acquire memory from a live Linux host but cannot compile a kernel module against its kernel headers in the field. Which tool is designed for exactly this situation? - A) LiME (a loadable kernel module) - B) AVML (a userland static binary) - C) FTK Imager - D) DumpIt
Q9. Which plugin reconstructs the console screen buffer — the commands typed and the output the system printed back?
- A) cmdscan
- B) cmdline
- C) consoles
- D) clipboard
Q10. A svchost.exe is parented to explorer.exe, runs from C:\Users\Public\svchost.exe, was launched with no -k argument, and malfind finds an RWX-private region beginning with MZ inside it. This pattern is the signature of:
- A) A normal service host
- B) Process hollowing / masquerading
- C) A paged-out process
- D) A kernel-mode rootkit
True / False
Q11. A memory image's SHA-256 hash proves that the image is a perfect, atomic snapshot of RAM at the instant of capture. (True / False)
Q12. For a virtual machine, pausing the guest and copying its .vmem file yields a near-atomic memory image that Volatility can read natively, often with no in-guest acquisition tool. (True / False)
Short answer
Q13. Why must you supply the pagefile/swap to Volatility for complete analysis? Answer in one or two sentences referencing address translation.
Q14. Explain the Fifth-Amendment distinction between an encryption key recovered from RAM and a passphrase compelled from a suspect, and why it makes live capture of an unlocked machine so valuable.
---
Answer key
Q1 — B. RAM is the most perishable evidence and is destroyed at power-off; the BitLocker Full Volume Encryption Key lives in memory only while the volume is mounted. Pulling the plug (A) forecloses the only chance to capture it and turns the disk into an unreadable wall of ciphertext. Live disk imaging (D) is not the priority and does not preserve volatile state.
Q2 — C. The FVEK is derived from the passphrase at unlock time and held in RAM; the disk stores only an encrypted key blob, useless without the key. Prefetch, the $MFT, and `$I` records all persist on disk.
Q3 — B. psscan ignores the linked list and sweeps memory for the Proc pool tag, so it finds processes that DKOM unlinked (and terminated ones whose structures linger). pslist walks the very list the rootkit edited, so it misses the hidden process. Diffing the two is the detection.
Q4 — B. P=0x50, r=0x72, o=0x6F, c=0x63 → 50 72 6F 63. (A) wrongly uses 0x70 for an uppercase P; (C) is all-uppercase ASCII; (D) is reversed.
Q5 — C. Injected code must be written and then executed, so the injector marks the region writable and executable — PAGE_EXECUTE_READWRITE. Legitimate code is normally file-backed and executable-but-not-writable (PAGE_EXECUTE_READ).
Q6 — B. Appearing in none of the three PEB module lists with no backing file path is the canonical signature of reflective DLL injection — the module was mapped and run, but the loader's bookkeeping never recorded it. The gap in the bookkeeping is the evidence.
Q7 — C. Volatility 3 uses symbol tables in the Intermediate Symbol Format (ISF), fetched from Microsoft's symbol server for Windows and built with dwarf2json for Linux/macOS. Volatility 2 used profiles.
Q8 — B. AVML is a single static userland binary that needs no kernel module compiled against matching headers — the decisive advantage in the field. LiME is a kernel module; FTK Imager and DumpIt are Windows tools.
Q9 — C. consoles reconstructs the screen buffer, capturing both input and the printed output. cmdscan recovers the input command history only; cmdline shows launch arguments; clipboard shows copied text.
Q10 — B. Wrong parent (explorer.exe, not services.exe), wrong path, missing service argument, and an injected PE (RWX-private region starting with MZ) inside a process masquerading as svchost.exe are the multi-signal signature of process hollowing.
Q11 — False. The hash proves the image has not changed since capture — integrity from that instant forward. It cannot prove the capture was atomic; a running system mutates memory during acquisition (page smear), and there is no stable original to hash against. Overstating this is how acquisitions get impeached.
Q12 — True. A paused/snapshotted guest's .vmem (with its .vmss/.vmsn state) is far closer to atomic than any agent running inside the guest, leaves no footprint in the evidence, and Volatility reads it directly. For a VM, the hypervisor is effectively the write-blocker.
Q13. A virtual page may be marked "not present" in RAM because the memory manager evicted it to the pagefile/swap; without that file, Volatility cannot follow the address translation for those pages and silently misses the data they hold. Supplying the pagefile lets the tool resolve paged-out regions and reconstruct process memory completely.
Q14. A key lifted from RAM is physical evidence the investigators seized, not testimony the suspect was compelled to give, so it sidesteps the Fifth-Amendment self-incrimination problems that arise when the state forces a person to disclose a passphrase. That is precisely why capturing memory from a live, unlocked machine can be decisive — it converts an otherwise-impenetrable encrypted disk into readable evidence without compelling the suspect — but it stands entirely on lawful access to the running system, a matter owned by Chapter 25 — The Legal Framework.
Scoring: 13–14 — courtroom-ready; you can drive Volatility and defend each finding and its limits. 10–12 — solid; revisit the
pslist/psscandiff and themalfind/ldrmodulessignatures. 7–9 — re-read "How memory is organized" and "Detecting code that lives only in memory," then redo Groups C and E in the exercises. Below 7 — re-read the chapter index and rebuild the triage-pass sequence before moving on to Chapter 23.