Computer Hacking Forensic Investigator (CHFI v10) — Question 412

An investigator is studying a suspicious Windows service discovered on a corporate system that seems to be associated with malware. The service has a name similar to a genuine Windows service, runs as a SYSTEM account, and exhibits potentially harmful behavior. Which tool and method should the investigator use to study the service's behavior without allowing it to inflict more damage?

Answer options

• A. Deploy Autoruns for Windows to check if the suspicious service is configured to run at system bootup
• B. Inspect the startup folder for the presence of the suspicious service using command prompt commands
• C. Use SrvMan to stop the suspicious service and analyze its impact on the system
• D. Utilize the Windows Service Manager to create an identical service and study its behavior

Correct answer: A

Explanation

The correct answer is A because Autoruns for Windows provides a comprehensive view of all services and their startup configurations, allowing the investigator to identify if the suspicious service is set to run at boot without executing it. Options B, C, and D are less effective; B does not provide a full picture of all potential startup methods, C may allow the service to cause damage before it is stopped, and D risks creating additional issues by duplicating the service.