- When looking at the order of Volatility, which of the following evidence categories should be acquired first?
A) RAM
B) Pagefile or swap file
C) Central processing unit registers
D) Storage drive
- It is good practice to acquire the Pagefile with RAM if you're using FTK Imager.
A) True
B) False
- Remote acquisition of digital evidence cannot be achieved using what?
A) Remote desktop services
B) PsExec
C) USB
D) NetCat
- When recreating the memory from a virtual system, responders should acquire both the VMSS and VMEM files.
A) True
B) False