CompTIA CASP+ (CAS-004) — Question 634
A forensics investigator is analyzing an executable file extracted from storage media that was submitted as evidence. The investigator must use a tool that can identify whether the executable contains indicators that may point to the creator of the file. Which of the following should the investigator use while preserving evidence integrity?
Answer options
- A. ldd
- B. bcrypt
- C. SHA-3
- D. ssdeep
- E. dcfldd
Correct answer: D
Explanation
The correct answer is D, ssdeep. ssdeep computes context-triggered piecewise (fuzzy) hashes, so a file can be compared against known samples and matched even when it is only partially identical; shared code or build artifacts found this way can serve as indicators of the file's origin or author. It only reads the file, so it can be run against a verified working copy without altering the evidence. Options A, B, and C do not identify file similarities or creator indicators: ldd lists a binary's shared-library dependencies, bcrypt is a password-hashing function, and SHA-3 is a cryptographic hash that only confirms an exact match and cannot relate a file to similar ones. Option E, dcfldd, is an imaging tool (a forensic variant of dd) used to create and verify disk images, and does not address the specific need for identifying file creators.