CAS-001 · Question #395
The correct answer is C: Packet analyzer.
Question
Options
- A. HIDS
- B. Vulnerability scanner
- C. Packet analyzer
- D. Firewall logs
- E. Disassembler
Explanation
The research team needs to observe live network activity: specifically, the DNS queries and IP addresses the Trojan contacts once its payload is decrypted and it begins executing on real hardware. Option C, a packet analyzer such as Wireshark or tcpdump, captures all traffic at the wire level, including DNS request and response packets and the TCP/UDP connections to command-and-control (C2) servers. This gives direct, real-time visibility into every domain the Trojan resolves and every IP it communicates with.

A HIDS (A) monitors host activity such as file changes and process behavior; it may detect the Trojan but offers limited network-level detail. A vulnerability scanner (B) is a reconnaissance tool that probes systems for known weaknesses, not a behavioral analysis tool. Firewall logs (D) would show connection attempts but may not record DNS queries or payloads, and the Trojan might use ports or protocols the firewall does not filter. A disassembler (E) performs static analysis of the binary and cannot observe live network behavior after decryption.
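As an added illustration (not part of the exam page), here is a small Python sketch of the analysis a packet analyzer enables: given decoded packets from the host running the sample, list every DNS name it resolved and every remote endpoint it contacted. The packet list, the `SANDBOX_IP` address and the `dns_query` builder are all constructed for the example; a real capture would come from tcpdump or Wireshark.

```python
import struct

def parse_dns_qname(payload: bytes) -> str:
    """Return the first question name from a raw DNS message (RFC 1035 label format)."""
    if len(payload) < 12:
        raise ValueError("DNS header too short")
    if struct.unpack("!H", payload[4:6])[0] < 1:  # QDCOUNT
        raise ValueError("no question section")
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:  # compression pointer: not valid in a query's question name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def dns_query(name: str) -> bytes:
    """Build a constructed DNS A query for `name`; used only to fabricate sample traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, flags (RD), QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

SANDBOX_IP = "10.0.0.5"  # constructed: the analysis host running the sample
CAPTURE = [  # constructed decoded packets: (src, dst, proto, dst_port, payload)
    (SANDBOX_IP, "10.0.0.1", "udp", 53, dns_query("update.example-cdn.test")),
    (SANDBOX_IP, "203.0.113.7", "tcp", 443, b""),
    (SANDBOX_IP, "10.0.0.1", "udp", 53, dns_query("Beacon.example-cdn.test")),
    (SANDBOX_IP, "203.0.113.7", "tcp", 443, b""),
    (SANDBOX_IP, "198.51.100.9", "tcp", 8080, b""),
    ("10.0.0.1", SANDBOX_IP, "udp", 49152, b""),  # a DNS reply; not initiated by the sample
]

def summarize(capture, host: str):
    """Distil a capture into names the host resolved and endpoints it contacted (both sorted)."""
    domains, peers = set(), set()
    for src, dst, proto, dport, payload in capture:
        if src != host:  # only traffic the observed host initiated
            continue
        if proto == "udp" and dport == 53:
            domains.add(parse_dns_qname(payload))
        else:
            peers.add((dst, proto, dport))
    return sorted(domains), sorted(peers)

if __name__ == "__main__":
    names, endpoints = summarize(CAPTURE, SANDBOX_IP)
    print("DNS names resolved:", names)
    print("Endpoints contacted:", endpoints)
```

The resulting domain and endpoint lists are exactly the artifacts the explanation says the other options cannot deliver in real time.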