A forensics analyst suspects that a breach has occurred. Security logs show the company's OS patch system may be compromised, and it is serving patches that contain a zero-day exploit and backdoor. The analyst extracts an executable file from a packet capture of communication between a client computer and the patch server.

Which of the following should the analyst use to confirm this suspicion?

A. File size
B. Digital signature
C. Checksums
D. Anti-malware software
E. Sandboxing

by User LepardUK (7.7k points)

1 Answer

Final answer:

The forensics analyst should use checksums to confirm the suspicion of a compromised patch system. Digital signatures and anti-malware software can also be used as additional methods of confirmation.

Step-by-step explanation:

The forensics analyst should use checksums to confirm the suspicion that the company's OS patch system is compromised. Checksums are values calculated from the contents of a file to ensure data integrity. By comparing the checksum of the extracted executable file with the known good checksum of the legitimate patch, the analyst can determine if any changes have been made to the file, indicating the presence of a zero-day exploit and backdoor.

In addition to checksums, the analyst can also use digital signatures to verify the authenticity and integrity of the executable file. Digital signatures are cryptographic mechanisms that provide a way to verify the source and integrity of a file. If the executable file has a valid digital signature matching the expected patch server's signature, it is likely legitimate. Anti-malware software can also be used to scan the executable file for any known malicious code or behavior. If the software detects the presence of a zero-day exploit or backdoor, it would confirm the suspicion of a compromised patch system.

by User EversMcc (7.8k points)
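The two checks the answer describes, comparing the extracted executable against a published checksum and verifying the vendor's digital signature over it, as an added worked example (not code from the original post or from any vendor's patch tooling). The patch bytes, the vendor key seed, the published hash and the injected payload are all constructed for the example; a real analyst would read the extracted file from disk, take the published hash and the vendor public key from a source independent of the suspect patch server, and use the vendor's actual signature format (Authenticode, GPG, etc.) rather than raw Ed25519.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed sample data: these bytes stand in for the legitimate patch
// executable. A real analyst would read the file extracted from the pcap.
var KnownGoodPatch = []byte("PATCH-v1.2.3: legitimate OS update payload")

// Constructed vendor signing key. A fixed 32-byte seed keeps the example
// deterministic; the real vendor public key would be pinned out of band.
var vendorSeed = bytes.Repeat([]byte("seed"), 8)
var vendorPrivateKey = ed25519.NewKeyFromSeed(vendorSeed)
var VendorPublicKey = vendorPrivateKey.Public().(ed25519.PublicKey)

// SHA256Hex returns the lowercase hex SHA-256 digest of data.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PublishedSHA256 models the hash the vendor lists on its download page.
func PublishedSHA256() string { return SHA256Hex(KnownGoodPatch) }

// VendorSignature models the detached signature shipped with the patch.
func VendorSignature() []byte { return ed25519.Sign(vendorPrivateKey, KnownGoodPatch) }

// ChecksumMatches is the integrity check: does the extracted file hash to the
// published value? Constant-time compare avoids leaking how many bytes match.
func ChecksumMatches(extracted []byte, publishedHex string) bool {
	got := []byte(SHA256Hex(extracted))
	return subtle.ConstantTimeCompare(got, []byte(publishedHex)) == 1
}

// SignatureValid is the authenticity check: was this exact file signed by the
// holder of the pinned vendor key? Any modification invalidates the signature.
func SignatureValid(extracted, sig []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, extracted, sig)
}

// Tamper simulates the scenario in the question: the compromised patch server
// appends extra content (standing in for a backdoor) to an otherwise valid patch.
func Tamper(file []byte) []byte {
	out := append([]byte{}, file...)
	return append(out, []byte("<<injected payload>>")...)
}

// Assess combines both checks into the analyst's verdict for one file.
func Assess(extracted, sig []byte) string {
	okHash := ChecksumMatches(extracted, PublishedSHA256())
	okSig := SignatureValid(extracted, sig, VendorPublicKey)
	switch {
	case okHash && okSig:
		return "matches vendor checksum and signature: likely legitimate"
	case !okHash && !okSig:
		return "checksum mismatch and signature invalid: file was modified"
	default:
		return "inconsistent evidence: investigate further"
	}
}

func main() {
	sig := VendorSignature()
	fmt.Println("clean:   ", Assess(KnownGoodPatch, sig))
	fmt.Println("tampered:", Assess(Tamper(KnownGoodPatch), sig))
}
```

The checksum comparison only proves something if the reference hash did not come from the suspect patch server itself, since a server that can serve a backdoored binary can also serve a matching hash for it; the signature check closes that gap only if the vendor's private key is not what was compromised. When both checks fail on the extracted file while the vendor's published copy passes, the analyst has confirmed that what the server delivered differs from what the vendor released.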