CHFI - Computer Hacking Forensic Investigator Malware Forensics Questions and Answers

Question 1

A malware analyst is performing static analysis on a suspicious executable.
The analyst notes that the file has a very small import address table (IAT) but a section with unusually high entropy.
What is the most likely reason for these characteristics?

Accepted Answer

The malware is packed or encrypted to obfuscate its true code.

Answer

The file is a benign utility with minimal dependencies.

Answer

The executable is corrupted and missing its header information.

Answer

The file is a script-based malware, such as a PowerShell script.

Question 2

A CHFI is conducting dynamic analysis of a suspected ransomware sample in an isolated, sandboxed environment. Which of the following actions would be the primary focus of the analyst's monitoring to confirm the malware's classification and behavior?

Accepted Answer

Observing rapid and widespread file read/write/rename operations, especially with a new file extension being added.

Answer

Analyzing the PE header of the file to determine the compile time and linked libraries.

Answer

Extracting all embedded strings from the binary to look for keywords like 'encrypt'.

Answer

Checking for an increase in CPU usage and memory consumption by the suspicious process.

Question 3

An investigator is analyzing a compromised Windows machine and needs to determine how a piece of malware achieves persistence across reboots. Which of the following is one of the most common registry keys an analyst should examine for malicious entries?

Accepted Answer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Answer

HKEY_CLASSES_ROOT\.dll

Answer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Answer

HKEY_USERS\.DEFAULT\Keyboard Layout

Question 4

During a memory forensics analysis using a tool like Volatility, an investigator lists all running processes from a memory dump. The output shows a suspicious process named `svc-host.exe`, which is a common misspelling of the legitimate `svchost.exe`. This finding is an example of which malware analysis technique?

Accepted Answer

Masquerading

Answer

Code signing verification

Answer

File carving

Answer

Steganography

Question 5

A forensic analyst suspects a system is infected with a sophisticated kernel-mode rootkit. The analyst runs `tasklist` on the live system and sees no malicious processes. However, after acquiring a memory dump and analyzing it with Volatility, a hidden process is discovered. This discrepancy is most likely caused by the rootkit performing what action?

Accepted Answer

Using Direct Kernel Object Manipulation (DKOM) to unlink its process from the active process list.

Answer

Encrypting its own process memory.

Answer

Deleting the process executable from the disk after loading.

Answer

Injecting its code into a legitimate process like `explorer.exe`.

Question 6

Which of the following best describes the primary goal of performing reverse engineering on a malware sample during a forensic investigation?

Accepted Answer

To understand the malware's precise functionality, algorithms, and capabilities by analyzing its disassembled code.

Answer

To create a valid cryptographic hash of the malicious file for an IOC database.

Answer

To safely execute the malware in a sandbox to observe its network traffic.

Answer

To determine the date and time the malware was compiled by the author.