HKEY_CLASSES_ROOT (HKCR) is the Windows Registry location that stores file-association and COM registration data , including mappings for file extensions (e.g., .docx ) to ProgIDs , and COM object identifiers such as CLSID and interface-related identifiers like IID . In forensic examinations, HKCR is frequently consulted to determine which application is registered to open a specific file type, to identify COM objects that may enable persistence or abuse (e.g., through COM hijacking), and to correlate suspicious registry-based execution mechanisms with installed software.

HKCR is often described as volatile in nature because it is not a single standalone hive file stored independently in the same way as SAM or SYSTEM; instead, it is a merged, runtime view created by the OS primarily from HKLM\Software\Classes (machine-wide registrations) and HKCU\Software\Classes (per-user overrides). This means what you see under HKCR can vary depending on the current user context and system state, and the effective associations/registrations may change when software is installed, updated, or when per-user settings override machine defaults.

The other options represent different scopes: HKLM is system configuration, HKCU is user profile configuration, and HKCC reflects the current hardware profile—not the primary COM/file association repository.

Jennifer’s actions match the responsibilities of an incident responder , whose job spans immediate containment, preservation, and stabilization activities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps to preserve evidence (e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then execute containment measures to prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

An incident analyzer typically focuses on deeper technical analysis—timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs—rather than performing immediate containment. An evidence manager is primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. An expert witness provides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer both gathered evidence and then isolated the system to stop spread , the role most consistent with documented DFIR responsibilities is Incident responder (A) .

In static malware analysis , one of the quickest ways to infer capability is to extract and review strings embedded in a binary. Strings frequently reveal command-and-control domains/IPs, mutex names, file paths, registry keys, user-agent values, suspicious commands (PowerShell/cmd), API names, error messages, encryption markers, and configuration fragments. Investigators often use automated utilities to extract these readable artifacts and export them to a text file for later triage, keyword searching, and correlation with other evidence (network logs, endpoint telemetry, and threat intel).

Among the provided options, ResourcesExtract best matches this workflow. It is designed to extract embedded content from executable files—particularly Windows PE resources—and can export extracted textual items (including resource strings/strings tables and related embedded text) into external files for analysis. This aligns with “performed a string search and saved all the identified strings in a text file.”

The other choices do not fit: R-Drive Image is a disk imaging/backup tool; Ezvid is for screen recording; and Snagit is for screenshots/screen capture. They do not perform automated extraction of strings from malware binaries as a static-analysis step. Therefore, the correct answer is ResourcesExtract (B) .

The requirement is to list devices connected to a local Windows machine , specifically to identify external storage devices that may be attached and potentially used for data theft or malware introduction. In Windows forensic practice, investigators often start by enumerating currently mounted volumes and recently connected removable media so they can correlate device presence with suspicious activity timelines and user actions. DriveLetterView is a utility designed to display the complete mapping of drive letters to storage devices/volumes , including removable drives (USB flash drives, external HDDs), optical media, network-mapped drives, and local partitions. It helps quickly identify what storage devices are present and accessible on the system at the time of inspection, which fits the scenario where James captures a list of connected devices and removes suspicious ones.

The other tools do not match this purpose. ESEDatabaseView is used to inspect Extensible Storage Engine databases, not enumerate attached storage. ProcDump is used for creating process memory dumps for debugging/forensic analysis of processes, not for listing connected drives. PromiscDetect relates to detecting network interfaces in promiscuous mode (packet sniffing), not external storage enumeration. Therefore, the correct tool for identifying connected storage devices is DriveLetterView (C) .

The question specifies an automated tool to analyze the system’s memory and detect malicious activity associated with a malware backdoor . In malware forensics and incident response practice, memory analysis is used to identify artifacts that may not be reliably visible on disk, such as injected code, hidden processes, suspicious DLLs/modules, live network connections, persistence objects loaded in memory, and indicators of compromise tied to backdoors. Redline (commonly referenced in DFIR training) is purpose-built for host investigation and memory analysis . It can collect and analyze volatile data, including running processes, loaded modules, handles, drivers, network sessions, and other runtime indicators that help investigators spot malicious behavior and attribute it to specific executables or injected components.

The other options do not align with memory forensics. Medusa is primarily a credential brute-force/login auditing tool, not a memory analysis utility. Shodan is an Internet-wide device search engine used for external reconnaissance, not for local host RAM inspection. Wireshark is a packet capture and protocol analysis tool focused on network traffic, not automated memory artifact collection and analysis. Therefore, the tool Clark used to analyze memory and detect malicious activity is Redline (B) .

A common requirement in macOS-focused forensic labs is the ability to run multiple operating systems on a single Mac for controlled testing, malware detonation in a sandbox, reproduction of user activity, and validation of artifacts across platforms. This is typically achieved through desktop virtualization , where a hypervisor hosts guest operating systems (such as Windows and various Linux distributions) inside virtual machines. Parallels Desktop 16 is a Mac virtualization solution built specifically to run Windows on macOS with strong integration features (such as shared clipboard, folder sharing, and “coherence” modes that allow Windows applications to appear alongside Mac applications). This capability aligns with the question’s description: developing and testing across multiple OSs in VMs on a Mac and enabling use of Microsoft Office for Windows within that Windows guest environment.

The other tools do not fit. Riverbed Modeler and NetSim are primarily network modeling/simulation tools used for network design and training, not desktop virtualization. Camtasia is used for screen recording and video editing , which can support documentation but does not provide a VM environment. Therefore, the only option that directly provides cross-OS virtual machines on macOS and supports running Windows applications like Microsoft Office is Parallels Desktop 16 (B) .

RFC 3227’s “order of volatility” principle guides responders to collect the most perishable evidence first because some data can disappear immediately when power is lost, processes terminate, or the system state changes during response actions. The most volatile items are CPU registers and processor cache (4) because they change continuously at instruction speed and are lost instantly on shutdown or context switching. Next are routing table, process table, kernel statistics, and memory (3) because live RAM contents and active system tables can change within seconds and are lost if the machine is powered off or rebooted.

After volatile memory, temporary system files (7) are collected because they are frequently overwritten or cleaned by the OS, users, or malware. Then comes disk or other storage media (6) which is more persistent but still subject to modification, log rotation, and overwriting through normal activity; hence imaging should occur before extensive interaction.

Less volatile still are remote logging and monitoring data (2) since they may persist off-host, but can be rotated or altered by retention policies. Physical configuration and network topology (5) generally changes less frequently and can often be re-documented later. Finally, archival media (1) is the least volatile because it is typically write-once or preserved storage. Thus the correct sequence is 4→3→7→6→2→5→1 (Option B) .

In an email crime investigation, the workflow should begin with seizing the computer and email accounts (5) to preserve evidence and prevent alteration, deletion, or continued misuse. This includes securing endpoints and ensuring account access is maintained under proper authority. Next, investigators proceed with acquiring the email data (1) using forensic methods (logical export, mailbox acquisition, or forensic imaging of local mail stores) to maintain integrity and chain of custody.

Once the data is preserved, investigators examine email messages (3) to identify relevant communications, context, attachments, and indicators of fraud, harassment, data leakage, or impersonation. After identifying emails of interest, investigators retrieve email headers (6) (full headers, not just what the mail client displays) because headers contain routing metadata required for attribution and timeline reconstruction. They then analyze email headers (2) to interpret fields such as Received lines, Message-ID, originating IP clues (where applicable), sending infrastructure, and authentication results, which helps determine spoofing, relay paths, and sender legitimacy. Finally, they recover deleted email messages (4) from mail stores, server-side retention, or unallocated space to restore missing evidence. This sequence matches option A .

In Windows forensics and incident response, investigators often need to link network activity (remote IPs, ports, connection states) to the responsible process to determine whether traffic is legitimate or associated with malware, unauthorized tools, or data exfiltration. The Windows netstat utility can enumerate current TCP connections and listening ports, but the key flag that enables attribution to a running program is -o . The -o parameter instructs netstat to include the Owning Process ID (PID) with each connection or listening socket. Once the PID is known, examiners can correlate it with process listings (e.g., Task Manager, tasklist , memory forensics output) to identify the executable name, path, user context, and parent process—critical steps in reconstructing attacker behavior and persistence.

The other options do not provide PID mapping: -n shows addresses and ports in numeric form (useful for speed and to avoid DNS lookups), -a displays all connections and listening ports but without PID attribution by itself, and -s shows protocol statistics rather than per-connection ownership. Therefore, the parameter that shows active connections and includes the PID for each is [-o] (Option C) .

The statement in the question matches SWGDE Principle 1, Standards and Criteria 1.7 , which explicitly requires that any action that could alter, damage, or destroy original digital evidence must be performed by qualified personnel in a forensically sound manner . In digital forensics doctrine, this requirement exists because digital evidence is highly fragile: routine interactions (booting a system, opening a file, connecting storage, running commands) can change timestamps, overwrite unallocated space, modify logs, or trigger encryption/key rotation. SWGDE’s emphasis on “qualified persons” and “forensically sound manner” aligns with core evidentiary expectations: minimizing changes to original media, using controlled and repeatable methods (e.g., write-blocking, validated imaging, documented procedures), and ensuring actions are defensible under scrutiny.

Options 1.1, 1.3, and 1.5 relate to broader quality and procedural requirements (quality systems, SOP review, appropriate tools), but they do not contain the specific mandate about potentially altering original evidence. The exact phrasing about alteration/damage/destruction and qualified handling is associated with Standards and Criteria 1.7 , making B the correct choice.