Computer Hacking Forensic Investigator (CHFI v10) — Question 559
A forensic investigator is performing malware analysis of a newly discovered executable suspected of originating from a Dark Web marketplace. As part of the general rules for malware analysis, the investigator documents the key features, the system status, and the details of the forensic investigation tools. After an initial static analysis, the investigator prepares to move to dynamic analysis. In this context, which of the following considerations is crucial before the investigator proceeds with dynamic analysis?
Answer options
- A. Document the behavior of the malware during its installation and execution
- B. Analyze the malware using a disassembler like IDA Pro for dynamic analysis
- C. Execute the malware on the primary system to understand its impact on the system resources
- D. Use sandboxes or virtual machines to contain and analyze the malware
Correct answer: D
Explanation
The correct answer is D because using sandboxes or virtual machines provides a controlled, isolated environment that prevents the malware from affecting the main system and lets the analyst revert to a clean snapshot between runs. Option A is incorrect because documenting the malware's behavior during installation and execution is part of the dynamic analysis itself, not a prerequisite for starting it. Option B is also wrong, as disassembling with a tool like IDA Pro is a static-analysis technique, not a dynamic one. Option C is dangerous, as executing malware on the primary system can lead to significant damage and data loss.