Threat Confirmation - Analyzing Executable File | CompTIA CASP+ Exam Prep

Confirming Suspicion: Analyzing Executable File

Question

A forensics analyst suspects that a breach has occurred.

Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor.

The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server.

Which of the following should the analyst use to confirm this suspicion?

Answers

A. File size
B. Digital signature
C. Checksums
D. Anti-malware software
E. Sandboxing

Explanations

Correct answer: E.

The forensics analyst suspects that a breach has occurred, and security logs indicate that the company's patching system may be compromised and serving patches that contain a zero-day exploit and backdoor. The analyst has extracted an executable file from a packet capture of communication between a client computer and the patch server and needs to confirm the suspicion: that is, to show that this specific file actually carries malicious functionality.

Evaluating each option:

A. File size: Not useful. A trojanized binary can be padded or trimmed to match the expected size, and even a size mismatch only shows that the file differs from what was expected, not what it does.

B. Digital signature: Not sufficient. Verifying a signature tells the analyst only whether the file was signed by the holder of a particular key. If the patch system itself is compromised, the signing step may be compromised with it (a stolen or misused signing key produces a perfectly valid signature), so a passing signature does not rule out a backdoor, and a missing or invalid signature shows tampering but does not demonstrate an exploit.

C. Checksums: More useful than the previous two as an integrity check: hashing the extracted file and comparing it to a known-good hash obtained out of band from the vendor will reveal that the file differs from the genuine patch. However, a checksum published by the compromised patch server is worthless, since the attacker simply publishes the hash of the modified file, and even a confirmed mismatch proves only that the file was altered, not that it contains a zero-day exploit or backdoor.

D. Anti-malware software: Detects known malware by signature and may flag suspicious behaviour heuristically, but a zero-day exploit by definition has no signature yet, so a clean scan does not confirm or refute the suspicion.

E. Sandboxing: The most reliable option here. Executing the file in an isolated, instrumented environment lets the analyst observe what it actually does (processes it spawns, files and registry keys it writes, persistence it installs, and network connections it opens, such as a callback to a command-and-control host) without affecting production systems. This behavioural evidence is what confirms that the patch carries an exploit or backdoor, regardless of whether the file is signed or matches a published hash.

In conclusion, sandboxing is the method that confirms the suspicion, because it exposes the executable's behaviour rather than just its integrity. Checksums against an out-of-band reference and an anti-malware scan are still worth running alongside it to establish that the file differs from the genuine patch and to check for already-known malware, but neither can confirm a zero-day on its own.
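The following is an added example, not part of the original exam explanation, that runs the integrity checks from options A, B and C over a constructed HTTP response carved from a packet capture. Everything in it is made up for illustration: the minimal PE images, the `X-SHA256` response header (a hypothetical header standing in for any checksum the server advertises) and the vendor reference hash. It shows why the size check and the server-supplied checksum both pass on the backdoored file, why only an out-of-band reference hash catches the change, and that the signature check can only report whether an Authenticode blob is present, not what the code does.

```python
import hashlib
import struct

# Constructed sample data (not from the original page): a minimal PE32+ image just
# large enough to parse. It is not runnable code; it exists only to show how the
# integrity checks behave on two files of identical size.
def build_minimal_pe(signed: bool, payload: bytes) -> bytes:
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, 240-byte optional header
    directories = [(0, 0)] * 16
    if signed:
        directories[4] = (0x200, 0x100)  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob present
    optional = struct.pack("<H", 0x20B) + b"\x00" * 110              # magic PE32+, rest zeroed
    optional += b"".join(struct.pack("<II", va, size) for va, size in directories)
    return dos_header + b"PE\x00\x00" + coff + optional + payload


def has_authenticode_directory(image: bytes) -> bool:
    """True if the PE header points at a WIN_CERTIFICATE blob.

    This only says a signature is *present*; validating it needs the vendor's
    certificate chain, and a valid signature from a compromised pipeline proves nothing.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt_start = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", image, opt_start)
    dir_offset = {0x10B: 96, 0x20B: 112}[magic]               # PE32 vs PE32+ data directory offset
    va, size = struct.unpack_from("<II", image, opt_start + dir_offset + 4 * 8)
    return va != 0 and size != 0


def carve_http_body(response: bytes):
    """Split a raw HTTP response (as reassembled from a pcap stream) into headers and body."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def triage(response: bytes, reference_sha256: str, reference_size: int) -> dict:
    """Run the size, server-checksum, out-of-band checksum and signature-presence checks."""
    headers, exe = carve_http_body(response)
    digest = hashlib.sha256(exe).hexdigest()
    return {
        "size_matches": len(exe) == reference_size,
        "server_checksum_matches": headers.get("x-sha256") == digest,  # hypothetical header
        "reference_checksum_matches": digest == reference_sha256,
        "signature_present": has_authenticode_directory(exe),
    }


# Constructed scenario: the backdoored build is byte-for-byte the same length as the
# genuine one, and the compromised server advertises the hash of what it actually serves.
GENUINE = build_minimal_pe(signed=True, payload=b"genuine patch code......")
BACKDOORED = build_minimal_pe(signed=True, payload=b"genuine patch BACKDOOR..")
REFERENCE_SHA256 = hashlib.sha256(GENUINE).hexdigest()   # obtained out of band from the vendor
REFERENCE_SIZE = len(GENUINE)


def constructed_response(exe: bytes) -> bytes:
    """A fabricated patch-server response carrying the executable and its own checksum."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"X-SHA256: " + hashlib.sha256(exe).hexdigest().encode() + b"\r\n"
            b"Content-Length: " + str(len(exe)).encode() + b"\r\n\r\n" + exe)


def triage_backdoored() -> dict:
    return triage(constructed_response(BACKDOORED), REFERENCE_SHA256, REFERENCE_SIZE)


if __name__ == "__main__":
    for check, result in triage_backdoored().items():
        print(f"{check}: {result}")
```

On the backdoored file the size check and the server-advertised checksum both pass, the signature directory is present, and only the comparison against the vendor's out-of-band hash fails. That mismatch shows the file was altered, which is as far as static integrity checks go; what the altered bytes do is only established by detonating the file in a sandbox and watching its behaviour.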