CS0-003 · Question #323

CS0-003 Question #323: Real Exam Question with Answer & Explanation

Submitted by stefanr · Mar 6, 2026 · Incident Response and Management

Question

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.)

Options

  • A. Creation time of dropper
  • B. Registry artifacts
  • C. EDR data
  • D. Prefetch files
  • E. File system metadata
  • F. Sysmon event log

Explanation

Registry artifacts (B) and file system metadata (E) are correct because they persist even after the malware's cleanup routines. The Windows Registry retains evidence of program execution, autorun keys, and installation activity that malware rarely fully purges, while file system metadata (such as MFT entries, timestamps, and journal logs like $UsnJrnl) can reveal file creation, modification, and deletion activity even after files themselves are removed.

Why the distractors are wrong:

  • (A) Creation time of dropper – The dropper itself was deleted by the malware, making its creation time inaccessible directly.
  • (C) EDR data – The malware explicitly disables host security services, which would likely neutralize or prevent EDR from capturing complete evidence.
  • (D) Prefetch files – The question explicitly states the malware removes prefetch files as part of its cleanup routine.
  • (F) Sysmon event log – The malware deletes event log entries, and since Sysmon logs to the Windows Event Log, this data would also be wiped.

Memory Tip

Think "Registry and File System = Resilient" - these two sources are notoriously difficult for malware to fully clean up, unlike logs and files that can be targeted directly. When logs and files are wiped, always look to the Registry and MFT/journal for surviving artifacts.

Topics

#Malware Analysis · #Digital Forensics · #Incident Response · #Root Cause Analysis
