During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving?
A) The system memory
B) The hard drive
C) Network packets
D) The Windows Registry

Question

Quizplus · Accepted Answer

The system memory is the best place to acquire evidence for data carving because it contains the most recent and active data, including malware that may not be written to the hard drive yet. Memory forensics can reveal hidden or running processes and other artifacts that are not detectable by traditional antivirus solutions.

During an Investigation, a Security Analyst Identified Machines That Are