ACE ACE Network & Memory Forensics

Question 1

What critical data does RAM (volatile memory) analysis reveal that traditional disk forensics cannot?

Accepted Answer

Running processes, active network connections, encryption keys, and decrypted data in memory

Answer

RAM analysis captures the live system state, including running processes, decrypted content, active connections, and data never written to disk.

Question 2

According to the order of volatility, which data source must be collected FIRST at a live scene?

Accepted Answer

RAM/memory contents

Answer

RAM is the most volatile data source and must be captured before any other action, as it is destroyed immediately when the system loses power.

Question 3

Which FTK Imager feature is used to acquire a live memory dump from a running Windows system?

Accepted Answer

Capture Memory

Answer

FTK Imager's 'Capture Memory' option acquires the contents of RAM from a running system and writes it to a .mem or .dmp file for offline analysis.

Question 4

What is a forensic memory dump file used for?

Accepted Answer

Capturing the contents of RAM at a specific point in time for offline forensic analysis

Answer

A memory dump is a snapshot of RAM contents at the moment of acquisition, enabling offline analysis of volatile artifacts that would otherwise be lost.

Question 5

Which Windows registry location stores previously connected wireless (Wi-Fi) network profiles?

Accepted Answer

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and WLAN event logs

Answer

Windows stores Wi-Fi network history in the NetworkList registry key and WLAN AutoConfig event logs, which can reveal location history based on network associations.

(ACE) AccessData Certified Examiner Practice Test

(ACE) AccessData Certified Examiner Practice Test

ACE ACE Network & Memory Forensics