Which capability is part of OS forensics?

Study for the EC-Council Certified Security Specialist (ECSS) Test. Enhance your skills with flashcards and multiple-choice questions; each question provides hints and explanations. Prepare confidently for your exam!

Multiple Choice

Which capability is part of OS forensics?

Explanation:
Hash-based file identification is a fundamental technique in OS forensics. The idea is to compute a cryptographic hash (such as SHA-256) for each file found on the system image and compare those hashes to reference databases of known-good files or known malware. When a file’s hash matches a known malicious hash, or when a file’s hash deviates from its baseline, investigators can flag it for further analysis. This approach lets examiners quickly triage large datasets, verify file integrity, and spot tampering or the presence of suspicious installers or payloads embedded in the filesystem.

Memory analysis, by contrast, deals with volatile data captured from RAM and is typically categorized under memory forensics. Network traffic sniffing targets live network captures rather than disk-based artifacts. Password cracking is a separate activity focused on recovering credentials, not a core OS-forensic method for identifying files. Hash matching directly aligns with OS forensics workflows by leveraging disk-based evidence to reveal suspicious or potentially malicious files.
