Which memory artifact is most likely to indicate covert processes running in the system when investigating potential botnet activity?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which memory artifact is most likely to indicate covert processes running in the system when investigating potential botnet activity?

Explanation:

Covert botnet components often run only in memory, so the strongest indicator is a process that exists in RAM but does not appear in the normal process listing: a hidden running process. A rootkit can hide a process by unlinking its kernel process object from the active-process list (direct kernel object manipulation, DKOM) or by hooking the APIs that enumerate processes; the process keeps executing, owns threads and handles, and consumes CPU and memory, but standard tools no longer show it. Memory analysis therefore cross-views the evidence: compare what the OS reports (a walk of the kernel's process list) with what a scan of physical memory finds (process structures, thread objects, handle tables), then look for process memory regions containing executable code that do not map back to an on-disk executable or a legitimately loaded module, the classic signs of code injection. A process that turns up in the scan but not in the list, and that has not exited, is running covertly right now. One caveat: a memory scan also recovers terminated processes whose structures have not yet been overwritten, so check for an exit time before calling a scan-only hit "hidden". Because this is a direct memory artifact, it reflects live activity that is being actively concealed from ordinary monitoring, which is exactly what a botnet client needs.

Startup entries (Run keys, services, scheduled tasks) show persistence across reboots and can point to a foothold, but they prove only that something is configured to start, not that a concealed process is executing now; the entry may be disabled, its target may be gone from disk, or it may point at a benign program. Pagefile contents can hold pages swapped out of process memory, including strings and data from running programs, but they are fragments without process context, require extensive interpretation, and are not a definitive indicator of hidden processes. The recent documents list reflects user file activity, not in-memory execution or concealment.
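The cross-view comparison described above, modelled in Python as an added example (not code from the original page or from any forensic tool). It simulates the two views a memory-forensics tool compares: walking the kernel's active-process linked list (what the OS reports) and scanning memory for every process structure still present (what RAM actually contains). The process records, the DKOM unlinking, and the sample process names are all constructed for illustration; the point is that a process unlinked by a rootkit vanishes from the first view but not the second, while a terminated process also shows up in the scan and must be filtered out.

```python
"""Cross-view detection of hidden processes (constructed illustration).

View 1 walks a circular doubly linked list of process objects from a
trusted head, the way the kernel (and Task Manager) enumerates processes.
View 2 is a brute-force scan that returns every process object still in
memory, linked or not. Anything in view 2 but not view 1 is either hidden
(unlinked while still running) or merely terminated and not yet overwritten.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    """Minimal stand-in for a kernel process object (e.g. a Windows _EPROCESS)."""
    pid: int
    name: str
    exited: bool = False            # set when the process terminated (an exit time exists)
    prev: Optional["Proc"] = None
    next: Optional["Proc"] = None


def build_process_list(entries: List[Tuple[int, str]]) -> List[Proc]:
    """Link process objects into a circular doubly linked list, as the kernel does."""
    procs = [Proc(pid, name) for pid, name in entries]
    for a, b in zip(procs, procs[1:] + procs[:1]):
        a.next, b.prev = b, a
    return procs


def unlink(p: Proc) -> None:
    """Splice a process out of the list. The kernel does this on exit;
    a DKOM rootkit does it to a live process to hide it."""
    p.prev.next = p.next
    p.next.prev = p.prev


def dkom_hide(p: Proc) -> None:
    """Rootkit-style hiding: unlink without terminating; threads keep running."""
    unlink(p)


def terminate(p: Proc) -> None:
    """Normal termination: mark exited and unlink; the object lingers in memory for a while."""
    p.exited = True
    unlink(p)


def list_walk(head: Proc) -> List[Proc]:
    """View 1: walk the linked list from a trusted head (what 'pslist' sees)."""
    seen, cur = [], head
    while True:
        seen.append(cur)
        cur = cur.next
        if cur is head:
            return seen


def pool_scan(all_objects: List[Proc]) -> List[Proc]:
    """View 2: scan memory for process structures regardless of linkage (what 'psscan' sees)."""
    return list(all_objects)


def unlisted(all_objects: List[Proc], head: Proc) -> List[Proc]:
    """Raw cross-view difference: in the scan but not in the list walk."""
    listed = {p.pid for p in list_walk(head)}
    return [p for p in pool_scan(all_objects) if p.pid not in listed]


def hidden_processes(all_objects: List[Proc], head: Proc) -> List[Proc]:
    """Hidden = unlisted AND still running. Exited processes are the expected false positives."""
    return [p for p in unlisted(all_objects, head) if not p.exited]


def demo() -> Tuple[List[int], List[int], List[int]]:
    """Constructed scenario: one bot client hidden by DKOM, one benign process that exited."""
    procs = build_process_list([
        (4, "System"), (600, "csrss.exe"), (1200, "explorer.exe"),
        (3300, "svchost.exe"),   # constructed: bot client masquerading under a common name
        (4100, "notepad.exe"),   # constructed: benign, terminated shortly before the capture
    ])
    system = procs[0]            # the list head is never unlinked
    dkom_hide(procs[3])
    terminate(procs[4])
    listed = [p.pid for p in list_walk(system)]
    raw_diff = [p.pid for p in unlisted(procs, system)]
    hidden = [p.pid for p in hidden_processes(procs, system)]
    return listed, raw_diff, hidden


if __name__ == "__main__":
    listed, raw_diff, hidden = demo()
    print("OS-reported process list:", listed)
    print("In scan but not in list:  ", raw_diff)
    print("Hidden and still running: ", hidden)
```

Running it shows the OS-reported list without PID 3300, the raw scan difference containing both 3300 and the exited 4100, and the filtered result containing only 3300. The last step is the one that matters in a real case: a scan-only hit with no exit time is a process that is executing while being concealed, which is the artifact the question is asking about.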
