ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-49v10 All Questions

View all questions & answers for the 312-49v10 exam
Go to Exam

Exam 312-49v10 topic 1 question 731 discussion

Actual exam question from ECCouncil's 312-49v10
Question #: 731
Topic #: 1
[All 312-49v10 Questions]

A forensic investigator encounters a suspicious executable on a compromised system, believed to be packed using a known program packer, and is password-protected. The investigator has knowledge of the tool used for packing and has the corresponding unpacking tool. What should be the next best course of action to examine the executable?

  • A. Use the unpacking tool to decompress the executable, without dealing with the password
  • B. Run a dynamic analysis on the packed executable in a controlled environment
  • C. Decrypt the password to unpack the executable before analyzing
  • D. Use reverse engineering to understand the attack tool hidden inside
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Elb at May 28, 2024, 9:01 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
044f354
3 months, 1 week ago
Selected Answer: C
If the file is packed but not password-protected → Mount compound files first. If the file is password-protected → First decrypt the password to access/unpack the file. - ECCouncil Official CHFI https://bookshelf.vitalsource.com/reader/books/9781635676969/ Module 05 Page 519 “During forensic investigations, the investigator’s first approach should be to mount compound files. Program packers that are password-protected can pose a challenge during investigation as investigators need to first decrypt the password to unpack the file.” - If you agree: UPVOTE this post to add your vote to the community tally. If you disagree: discuss with citations Both actions crowdsource best answers.
upvoted 1 times
...
aqeel1506
11 months, 2 weeks ago
Option A: Use the unpacking tool to decompress the executable, without dealing with the password Efficiency: Using the unpacking tool designed for the specific packer is the most direct and efficient method. If the tool can bypass the password protection, it will save considerable time and effort. Best Practice: According to the CHFI v10 textbook, using the known and appropriate tools for unpacking executables is recommended as the first step. This aligns with best practices for handling packed files in forensic investigations.
upvoted 1 times
...
ala76nl
12 months ago
Selected Answer: C
Same question as earlier
upvoted 2 times
...
Elb
1 year ago
best course of action to examine the executable is dynamic analysis.
upvoted 1 times
...
Elb
1 year, 1 month ago
Selected Answer: B
In case of executable files, these programs carry unpackers built into them as well, which unpack the file when user tries to run it and installs the executable on the host system. Some of the widely used packers are UPX, PECompact, BurnEye, Exe Stealth Packer, Smart Packer Pro, etc. Investigators can dynamically analyze these packed executables by running them in a controlled environment and observing their behavior
upvoted 1 times
...
Elb
1 year, 1 month ago
C > The packers compress the files using various algorithms. Hence, unless the investigators know the tool that has been used to pack the file and have a tool to unpack it, they will not be able to access it. Program packers that are password-protected can pose a challenge during investigation as investigators need to first decrypt the password to unpack the file.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel