CHFI - Computer Hacking Forensic Investigator Malware Forensics Questions and Answers

Question 1

A malware analyst is performing static analysis on a suspicious executable. The analyst notes that the file has a very small import address table (IAT) but a section with unusually high entropy. What is the most likely reason for these characteristics?

Accepted Answer

The malware is packed or encrypted to obfuscate its true code.

Answer

Packers compress or encrypt a malware's original code. The resulting binary has a small unpacking 'stub' with few imports, which is responsible for decompressing/decrypting the real malicious code in memory. The packed section itself appears random, leading to high entropy, which is a classic indicator of this obfuscation technique.

Question 2

A CHFI is conducting dynamic analysis of a suspected ransomware sample in an isolated, sandboxed environment. Which of the following actions would be the primary focus of the analyst's monitoring to confirm the malware's classification and behavior?

Accepted Answer

Observing rapid and widespread file read/write/rename operations, especially with a new file extension being added.

Answer

Dynamic analysis focuses on observing the malware's behavior at runtime. The defining characteristic of ransomware is its encryption of user files. Therefore, monitoring for high-volume file system I/O, particularly operations that involve reading original files and writing newly encrypted versions (often with a specific extension), is the most direct way to observe and confirm its malicious intent.

Question 3

An investigator is analyzing a compromised Windows machine and needs to determine how a piece of malware achieves persistence across reboots. Which of the following is one of the most common registry keys an analyst should examine for malicious entries?

Accepted Answer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Answer

The `HKLM\SYSTEM\CurrentControlSet\Services` registry key is a fundamental location where Windows services are defined. Malware frequently creates a new service pointing to its executable to ensure it is launched automatically by the operating system at startup, often with high privileges. While other locations can be used for persistence, this is a primary and critical location to investigate.

Question 4

During a memory forensics analysis using a tool like Volatility, an investigator lists all running processes from a memory dump. The output shows a suspicious process named `svc-host.exe`, which is a common misspelling of the legitimate `svchost.exe`. This finding is an example of which malware analysis technique?

Accepted Answer

Masquerading

Answer

Masquerading is a technique where malware disguises itself by using a name that is very similar to a legitimate system file or process. The goal is to deceive system administrators or investigators who are performing a quick review, causing them to overlook the malicious process.

Question 5

A forensic analyst suspects a system is infected with a sophisticated kernel-mode rootkit. The analyst runs `tasklist` on the live system and sees no malicious processes. However, after acquiring a memory dump and analyzing it with Volatility, a hidden process is discovered. This discrepancy is most likely caused by the rootkit performing what action?

Accepted Answer

Using Direct Kernel Object Manipulation (DKOM) to unlink its process from the active process list.

Answer

Kernel-mode rootkits can directly manipulate the kernel's data structures. By using DKOM, a rootkit can remove the `EPROCESS` block of its process from the doubly-linked list of active processes that the kernel maintains. User-mode tools that rely on standard APIs to list processes will not see the malware, but memory forensics tools that parse these raw kernel structures directly can still find the unlinked process.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Malware Forensics Questions and Answers