Computer Hacking Forensic Investigator (CHFI v10) — Question 447

Which of these rootkit detection techniques function by comparing a snapshot of the file system, boot records, or memory with a known and trusted baseline?

Answer options

• A. Signature-Based Detection
• B. Integrity-Based Detection
• C. Cross View-Based Detection
• D. Heuristic/Behavior-Based Detection

Correct answer: B

Explanation

Integrity-Based Detection is correct because it specifically involves comparing current system states to a trusted baseline to identify unauthorized changes. Signature-Based Detection relies on known malware signatures, Cross View-Based Detection uses different views of the system to find discrepancies, and Heuristic/Behavior-Based Detection focuses on identifying suspicious behavior rather than direct comparisons.