Computer Hacking Forensic Investigator (CHFI v10) — Question 389
In an ongoing investigation, a computer forensics investigator encounters a suspicious file believed to be packed using a password-protected program packer. The investigator possesses both the knowledge of the packing tool used and the necessary unpacking tool. What critical step should the investigator consider before analyzing the packed file?
Answer options
- A. Conduct static analysis on the packed file immediately
- B. Reverse engineer the packed file to understand the hidden attack tools
- C. Attempt to decrypt the password prior to unpacking the file
- D. Run the packed file in a controlled environment for dynamic analysis
Correct answer: C
Explanation
The investigator should first recover (decrypt) the packer's password, because a password-protected packer keeps the original program compressed and encrypted under that password. Without it, the unpacking tool cannot restore the real executable, so the file's actual contents cannot be examined. Static analysis of the packed file shows only the packer's stub and high-entropy payload, and running it in a sandbox either fails or exposes only the stub's behaviour, so both can give incomplete or misleading results. Reverse engineering the packed blob before recovering the password is likewise wasted effort on data that is still encrypted. Knowing the packer and having its unpacker is necessary but not sufficient: the password is the missing input. As with any evidence, hash and preserve the original file before attempting password recovery or unpacking, and work on a copy.
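Before investing time in password recovery, a practitioner usually confirms that the file really is packed or encrypted. The script below is an added example for this page, not part of the CHFI material or any specific tool: it hashes the suspect file first (evidence integrity), then measures Shannon entropy overall and per window, since compressed or encrypted payloads approach 8 bits per byte while plain code and text sit far lower. The samples are constructed inline (they are not real malware) and the 7.0 bits/byte threshold is an assumed heuristic, not a standard.

```python
"""Pre-unpacking triage of a suspect file: record its hash, then measure
entropy to test the 'packed/encrypted' assumption before spending effort on
password recovery. Added example for this page, not CHFI or tool code."""
import hashlib
import math
from collections import Counter

# Assumed heuristic: compressed/encrypted data usually scores >= 7 bits/byte.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def window_entropies(data: bytes, window: int = 1024) -> list:
    """Entropy of each fixed-size window, to locate the high-entropy blob
    (typically the packed payload) behind a low-entropy loader stub."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def triage(data: bytes) -> dict:
    """Hash first (so the evidence copy can be verified later), then classify."""
    sha256 = hashlib.sha256(data).hexdigest()
    overall = shannon_entropy(data)
    windows = window_entropies(data)
    high = sum(1 for e in windows if e >= PACKED_ENTROPY_THRESHOLD)
    return {
        "sha256": sha256,
        "entropy": round(overall, 3),
        "high_entropy_windows": high,
        "total_windows": len(windows),
        "likely_packed_or_encrypted": overall >= PACKED_ENTROPY_THRESHOLD,
    }


def _pseudo_random(n: int, seed: bytes = b"chfi-389") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload
    (SHA-256 of a counter; constructed, so results are reproducible)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples, not real files: one that looks like plain text/code,
# one with a small zero-filled stub followed by an encrypted-looking body.
PLAIN_SAMPLE = b"MZ" + (b"This program cannot be run in DOS mode.\r\n" * 200)
PACKED_SAMPLE = b"MZ" + b"\x00" * 510 + _pseudo_random(8192)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

A high overall score with a low-entropy first window is the usual shape of a packed executable: the stub that asks for or applies the password is readable, everything after it is not, which is exactly why the password must be obtained before the unpacker can do anything useful. Entropy alone does not identify the packer; pair it with packer-signature tools and the header inspection the investigator has already done.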