CompTIA CASP+ (CAS-003) — Question 22
A forensics analyst suspects that a breach has occurred. Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server. Which of the following should the analyst use to confirm this suspicion?
Answer options
- A. File size
- B. Digital signature
- C. Checksums
- D. Anti-malware software
- E. Sandboxing
Correct answer: B
Explanation
The correct answer is B. A digital signature binds the executable to the vendor's private signing key, so verifying it against the vendor's public key (obtained out of band, from the vendor's published certificate or the OS certificate store, never from the suspect patch server) shows whether the file is the vendor's unmodified build or has been altered. File size (A) and checksums (C) only measure integrity against a reference value, and an attacker who controls the patch server can publish a size and checksum that match the backdoored file, so a match proves nothing about origin. Anti-malware software (D) and sandboxing (E) can help analyze the file's behaviour, but a zero-day payload may evade detection, and neither technique establishes who produced the file the way a digital signature does.
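The following is an added example, not part of the original question or its explanation, showing why a checksum served alongside the file fails to detect the compromise while a signature check against an out-of-band vendor key does. It assumes Ed25519 signatures and constructed sample bytes in place of the Authenticode or package-manager signatures a real patch would carry; the key pairs, payloads and function names are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict records what each check says about a carved executable.
type Verdict struct {
	ChecksumMatches bool // file hash equals the hash the patch server published
	SignatureValid  bool // signature verifies under the vendor's public key
}

// Results covers the three files an analyst might pull from the capture.
type Results struct {
	Genuine        Verdict // vendor's real build, vendor's signature
	Tampered       Verdict // backdoored build, old vendor signature reused
	AttackerSigned Verdict // backdoored build, signed with the attacker's own key
}

// Checksum is the hex SHA-256 of data, the value a patch server publishes
// next to a download.
func Checksum(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Check runs both tests against the carved file. vendorPub must come from an
// out-of-band source; a key fetched from the suspect server proves nothing.
func Check(vendorPub ed25519.PublicKey, file, sig []byte, publishedSum string) Verdict {
	return Verdict{
		ChecksumMatches: Checksum(file) == publishedSum,
		SignatureValid:  ed25519.Verify(vendorPub, file, sig),
	}
}

// Scenario simulates a compromised patch server and returns the verdicts.
func Scenario() (Results, error) {
	var r Results

	// Vendor key pair; the private half never leaves the vendor's build system.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// Attacker key pair, used when the attacker signs the backdoored file itself.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	// Constructed sample payloads standing in for real executables (assumption).
	good := []byte("MZ genuine vendor patch 1.2.3")
	bad := append(append([]byte(nil), good...), []byte(" + backdoor")...)

	goodSig := ed25519.Sign(vendorPriv, good)
	attackerSig := ed25519.Sign(attackerPriv, bad)

	// Unmodified build: published checksum and vendor signature both match.
	r.Genuine = Check(vendorPub, good, goodSig, Checksum(good))

	// Compromised server: the attacker swaps the file and republishes a checksum
	// computed over the swapped file, so the checksum still "matches", but the
	// vendor signature no longer covers these bytes.
	r.Tampered = Check(vendorPub, bad, goodSig, Checksum(bad))

	// Even a well-formed signature made with the attacker's key fails against
	// the vendor's public key.
	r.AttackerSigned = Check(vendorPub, bad, attackerSig, Checksum(bad))

	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:         %+v\n", r.Genuine)
	fmt.Printf("tampered:        %+v\n", r.Tampered)
	fmt.Printf("attacker-signed: %+v\n", r.AttackerSigned)
}
```

The checksum column is true in all three cases because the attacker controls both the file and the published hash; only the signature column separates the vendor's build from the backdoored ones, which is the point the question is testing.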