nerdexam
(ISC)2

CISSP · Question #400

Which of the following is the BEST approach for a forensic examiner to obtain the greatest amount of relevant information form malicious software?

The correct answer is A. Analyze the behavior of the program.. Behavioral analysis of malicious software provides the most comprehensive insight into its capabilities, intent, and impact by observing what it actually does when executed in a controlled environment.

Submitted by rania.sa· Mar 5, 2026Security Operations

Question

Which of the following is the BEST approach for a forensic examiner to obtain the greatest amount of relevant information form malicious software?

Options

  • AAnalyze the behavior of the program.
  • BExamine the file properties and permissions.
  • CReview the code to identify its origin.
  • DAnalyze the logs generated by the software.

How the community answered

(29 responses)
  • A
    79% (23)
  • B
    7% (2)
  • C
    3% (1)
  • D
    10% (3)

Why each option

Behavioral analysis of malicious software provides the most comprehensive insight into its capabilities, intent, and impact by observing what it actually does when executed in a controlled environment.

AAnalyze the behavior of the program.Correct

Behavioral analysis (dynamic analysis) involves executing the malware in a sandboxed or controlled environment to observe real-time actions such as network connections, file system changes, registry modifications, and process creation. This approach reveals the malware's full functionality and intent regardless of obfuscation or packing techniques that might hide static indicators. It yields the greatest breadth of forensically relevant information, including indicators of compromise (IOCs) and attacker objectives.

BExamine the file properties and permissions.

Examining file properties and permissions provides limited metadata such as timestamps and ownership, but reveals almost nothing about the malware's actual functionality, payload, or behavior.

CReview the code to identify its origin.

Reviewing code to identify origin (static analysis) can be hindered by obfuscation, packing, or encryption, and attributing origin is a narrow objective that does not yield the full scope of what the malware does.

DAnalyze the logs generated by the software.

Analyzing logs generated by the software is useful but secondary, as logs may be incomplete, tampered with, or not generated at all by sophisticated malware designed to evade detection.

Concept tested: Dynamic behavioral analysis of malware in forensics

Source: https://www.cisa.gov/sites/default/files/publications/Malware_Analysis_Explained.pdf

Topics

#Forensic analysis#Malware analysis#Behavioral analysis#Incident response

Community Discussion

No community discussion yet for this question.

Full CISSP Practice