Computer Hacking Forensic Investigator (CHFI v10) — Question 399

An investigator is examining a compromised system and comes across some files that have been compressed with a packer. The investigator knows that these files contain malicious content, but cannot access them due to a password protection mechanism. The investigator does not have the password. Which approach is the most suitable for accessing the contents of the packed files?

Answer options

• A. The investigator should attempt static analysis on the packed file
• B. The investigator should run the packed executable in a controlled environment for dynamic analysis
• C. The investigator should attempt to crack the password using a brute force attack
• D. The investigator should attempt to reverse engineer the packed file in an attempt to bypass password protection

Correct answer: B

Explanation

The correct answer is B because running the packed executable in a controlled environment allows the investigator to observe its behavior and potentially extract the contents without needing the password. Options A and C do not guarantee access to the files, and option D could be complex and time-consuming, making them less suitable compared to dynamic analysis.