Computer Hacking Forensic Investigator (CHFI v10) — Question 400

A forensic investigator encounters a suspicious executable on a compromised system, believed to be packed using a known program packer, and is password-protected. The investigator has knowledge of the tool used for packing and has the corresponding unpacking tool. What should be the next best course of action to examine the executable?

Answer options

• A. Use the unpacking tool to decompress the executable, without dealing with the password
• B. Run a dynamic analysis on the packed executable in a controlled environment
• C. Decrypt the password to unpack the executable before analyzing
• D. Use reverse engineering to understand the attack tool hidden inside

Correct answer: C

Explanation

The correct answer is C because decrypting the password is necessary to access the contents of the packed executable for thorough analysis. Option A is incorrect as ignoring the password will not allow access to the file. Option B is not ideal since running dynamic analysis on a packed executable could lead to misleading results without first unpacking it, and option D involves reverse engineering, which is less effective without first decrypting the executable.