Computer Hacking Forensic Investigator (CHFI v10) — Question 413

In a recent cyber-attack, a malicious driver was installed on a Windows system. The investigator in charge is now tasked with analyzing the system behavior to identify and verify the authenticity of the suspicious device driver. Which of the following approaches should the investigator use to complete this task efficiently?

Answer options

• A. Use Tripwire Enterprise to monitor servers, desktops, directory servers, hypervisors, databases, middleware applications, and network devices
• B. Use DriverView utility to list all device drivers currently loaded on the system and check their details such as load address, description, version, product name, and the company that created the driver
• C. Use the FCIV utility to generate and verify hash values of files using MD5 or SHA-1 algorithms
• D. Utilize PA File Sight to track who is deleting, moving, or reading files: detect users copying files: and optionally block access

Correct answer: B

Explanation

The correct answer is B because DriverView allows the investigator to obtain detailed information about each loaded driver, which is crucial for assessing the authenticity of the suspicious driver. Options A, C, and D do not focus specifically on analyzing device driver details, making them less effective for this particular investigation.