PrepAway - Latest Free Exam Questions & Answers

In which of the following locations would a forensic analyst look to find a hooked process?


A. BIOS

B. Slack space

C. RAM

D. Rootkit

3 Comments on “In which of the following locations would a forensic analyst look to find a hooked process?”

  1. Tracy says:

    I have found 2 possible answers for this. Which one is correct and why? Is this the same as “hooking” with a DLL injection?
    Answer:
    The correct answer is in RAM. When your computer is up and running, processes are executable code running in RAM. Bad stuff will hook into, say, explorer.exe to maybe hide things from you that are on your desktop.
    OR
    Answers: A
    _ BIOS from http://class10e.com/CompTIA/in-which-of-the-following-locations-would-a-forensic-analyst-look-to-find-a-hooked-process/




  2. Bob Downs says:

    I am pretty sure it is BIOS actually. If you were to set up techniques to augment OS behavior it wouldn’t make much sense to have it in RAM because it would only be done one time seeing as how the memory is wiped at shutdown. And not to mention this is the only place that says RAM is the answer.

    Great site! I appreciate whoever set this up!




