During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially caused the exploitation. Which of the following techniques could be used for further analysis?
For analyzing a recovered binary file to understand its behavior and potential malicious actions, the following techniques are most appropriate:
B. Static analysis - This involves examining the binary file without executing it. Analysts can disassemble the code to study its structure and identify any malicious patterns or functions.
C. Sandboxing - This involves executing the binary in a controlled and isolated environment to observe its behavior without risking damage to actual systems. This can help in understanding what actions the binary performs, such as connecting to external servers, modifying files, or other potentially harmful activities.
Because the words "controlled environment" weren't used, I'd go with "Static Analysis". CompTIA needs to do a better job in writing quality questions; it looks like the questions are written by some 5th grade kids.
Both answers are valid, CompTIA trying to fail us to make us retake for no reason other than profit as usual.
In a real world scenario, sandboxing would surely be done first as it's less time consuming and we don't even know if the file is malicious, we could spend much time statically analyzing the code for no reason. Normally we would need to know WHAT the binary does before knowing HOW it does it.
HOWEVER, CompTIA is all about safety, and static analysis has less risk. Advanced malware could escape the sandbox, or it could be a time bomb and we wouldn't know anything until it gets triggered.
I hate to admit it but I would pick B for this question, even though it's not what I would do in reality. The question asked for a "technique", sandboxing is more of a "technology" compared to static analysis.
This question makes me want to bang my head against a wall.
Static analysis is for source code, per the CySA+ study guide by Mike Chapple:
"Since static analysis uses the source code for an application, it can be seen as a type of white-box testing with full visibility to the testers."
Disassembled or decompiled code is NOT source code (a common misconception). Sandboxing malware is a technique that enables you to do further analysis, so the answer is C.
Though the question is vague, C seems to be a better option.
Sandboxing provides a dynamic analysis of the binary by executing it in a safe and controlled environment, allowing the analyst to observe its real-time behavior. This is often the preferred first step because it gives quick, practical insights into how the malware behaves, such as which files it creates, which network connections it attempts to make, and other malicious actions. It’s particularly useful when analyzing unknown or potentially dangerous binaries.
Static analysis, while valuable, is more time-consuming and requires specialized tools to decompile and analyze the code without running it. It provides deeper insights into the code structure but may miss certain behaviors that only manifest when the binary is executed.
We can't analyse a binary file without first reverse engineering it to understand its functions, right? If that's the case, the only valid option here is to run it using a sandbox and studying its behaviour. This is how I see it.
An observation about question 46. In that scenario "a security analyst is performing an investigation involving multiple targeted Windows malware BINARIES. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve that objective?" ANSWER: Upload the binary to ...sandbox...
This is true, clearly so that information is not disclosed to attackers.
For this question - I go with Static analysis
B. Static analysis
Static analysis involves examining the binary file without executing it. This technique includes reviewing the file's metadata, headers, strings, and disassembled code to understand its characteristics, potential vulnerabilities, and indicators of malicious behavior. Static analysis can provide valuable insights into the file's structure, behavior, and potential risks without running the risk of triggering any malicious activities.
Static analysis is a technique that involves examining the code or binary file without executing it. In the context of the scenario described, where a binary file potentially caused exploitation on a user machine, static analysis would be a suitable technique for further analysis.
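A static triage pass of the kind the comments above describe (file hash, PE header fields, embedded strings), as an added Python example that is not part of the original thread. The binary it inspects is a constructed PE-shaped byte string built inline, not a real sample; `build_sample`, `parse_pe_header`, `extract_strings` and `triage` are names chosen here.

```python
import hashlib
import re
import struct

MACHINE = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def build_sample() -> bytes:
    """Constructed stand-in for a recovered binary: DOS header, PE signature
    at e_lfanew, a COFF file header and a few embedded ASCII strings."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 0x80)  # e_lfanew: PE header lives at 0x80
    stub = b"This program cannot be run in DOS mode.\x00"
    pad = b"\x00" * (0x80 - len(dos) - len(stub))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0022 = EXE, large-address-aware)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F3E1A2B, 0, 0, 240, 0x0022)
    body = b"\x00".join([b"" * 8, b"http://example.invalid/beacon",
                         b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"short"])
    return bytes(dos) + stub + pad + b"PE\x00\x00" + coff + b"\x00" * 8 + body + b"\x00"


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header without executing anything; raise if not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, ts, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINE.get(machine, hex(machine)), "sections": nsec,
            "timestamp": ts, "dll": bool(flags & 0x2000)}  # 0x2000 = IMAGE_FILE_DLL


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes: URLs, paths, registry keys."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Combine the three static checks into one report for the case notes."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "header": parse_pe_header(data), "strings": extract_strings(data)}


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The registry Run key and the URL in the output are exactly the indicators a sandbox run would later confirm or refute, so the two techniques complement each other rather than compete.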