Question 300 of 1,000
Mobile and Malware Forensics · medium · Multiple Select · Objective-mapped

Quick Answer

The correct answers are Ghidra and IDA Pro: both are industry-standard static analysis tools that let a forensic examiner reverse engineer a malicious binary without executing it. IDA Pro disassembles machine code into assembly, adds cross-references and function graphs, and (with the Hex-Rays plug-in) decompiles functions to pseudocode, which exposes embedded strings and control flow; Ghidra, the NSA's open-source reverse engineering framework, offers the same core workflow, including a built-in decompiler, at no cost. On the Computer Hacking Forensic Investigator (CHFI) exam this question tests the distinction between static and dynamic analysis: static tools examine the code at rest, whereas dynamic tools such as sandboxes, debuggers and system monitors execute the sample and observe what it does. A common trap is to classify IDA Pro as a dynamic tool because it ships with a debugger, but its primary role in malware analysis is static disassembly. Memory tip: think of Ghidra and IDA as the "static duo" that reads code like a book and never runs it.

CHFI Mobile and Malware Forensics Practice Question

This CHFI practice question tests your understanding of mobile and malware forensics. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which TWO tools are commonly used for static analysis of malware binaries?


Answer choices

  • Cuckoo Sandbox
  • Wireshark
  • IDA Pro
  • Ghidra
  • Process Monitor

Why each option matters

Answer the question above first, then read the full breakdown below to understand why each option is right or wrong.

Correct answer & explanation

IDA Pro and Ghidra

IDA Pro is a leading interactive disassembler and debugger used for static analysis of malware binaries. It lets analysts examine executable code without running it, by disassembling machine code into assembly language and providing cross-references, function graphs, and (with the Hex-Rays plug-in) decompilation. Ghidra, the open-source reverse engineering framework released by the NSA, offers the same core workflow at no cost: a disassembler, a built-in decompiler, cross-references and scripting. Both let the examiner reverse engineer malicious software to understand its logic, embedded strings, and control flow before deciding whether to detonate it at all.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Cuckoo Sandbox

    Why it's wrong here

    Cuckoo Sandbox is an automated dynamic analysis sandbox: it executes the sample inside an isolated virtual machine and records its API calls, file, registry and network activity. Because the malware has to run, it is the opposite of what the question asks for.

  • Wireshark

    Why it's wrong here

    Wireshark is a network protocol analyser. It captures and decodes packets on the wire; it never looks inside an executable, and any traffic it shows from a malware sample exists only because the sample was executed.

  • IDA Pro

    Why this is correct

    IDA Pro is an interactive disassembler (with an optional debugger) whose primary malware-analysis role is static disassembly and decompilation of a binary that is never executed.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Ghidra

    Why this is correct

    Ghidra is the NSA's open-source software reverse engineering framework; its disassembler and decompiler analyse the binary without executing it, making it a free alternative to IDA Pro for static analysis.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Process Monitor

    Why it's wrong here

    Process Monitor (Procmon, from the Sysinternals suite) records file system, registry, process and thread activity in real time on a live Windows system. It observes a running sample, so it is a dynamic analysis tool.

Common exam traps

Common exam trap: answer the scenario, not the keyword

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse tools that monitor live behavior (like Cuckoo Sandbox or Process Monitor) with those that analyze code without execution, leading them to select dynamic analysis tools for a static analysis question.

Detailed technical explanation

How to think about this question

Static analysis tools like IDA Pro and Ghidra parse the Portable Executable (PE) or ELF file format to extract headers, sections, import/export tables, and embedded resources without executing the binary. They use signature-based recognition (e.g., FLIRT in IDA) to identify known library functions, and advanced features like decompilation (e.g., Hex-Rays in IDA) produce pseudocode for easier analysis. In real-world malware investigations, static analysis is the first step to quickly identify packers, obfuscation, or hardcoded indicators of compromise (IOCs) like IP addresses or encryption keys.
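The first-pass static triage this paragraph describes (walk the PE headers, inspect the section table, measure entropy to spot packing, pull strings and hard-coded IOCs, all without running the file) can be done with nothing but the Python standard library. The following is an added example written for this page; it is not code from IDA Pro, Ghidra or Courseiva. The function names (parse_sections, packer_indicators, extract_strings, find_iocs, triage, build_sample_pe) are this example's own, and the PE image it analyses is constructed in the block itself, with a documentation-range IP address and a deliberately high-entropy "UPX1" section standing in for packed code; it is not real malware.

```python
"""Static PE triage: parse the section table, score each section's entropy to
flag likely packing, and pull printable strings / IOCs from the raw bytes.
The file is only ever read as a byte string; nothing is executed.
Helper names below are hypothetical (this example's own), not IDA/Ghidra APIs."""
import hashlib
import math
import re
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, approaching 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_LEN + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * SECTION_HEADER_LEN
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]          # bytes as stored on disk, not mapped memory
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(sections: list) -> list:
    """Cheap heuristics an examiner checks before loading the file into a disassembler."""
    flags = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            flags.append(f"{s['name']}: UPX section name")
        if s["entropy"] > 7.0:
            flags.append(f"{s['name']}: high entropy {s['entropy']} (packed/encrypted?)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append(f"{s['name']}: zero raw size, filled at runtime")
    return flags


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """ASCII and UTF-16LE runs, the same data the Strings window of a disassembler lists."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(wide_re, data)]
    return found


IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
}


def find_iocs(strings: list) -> dict:
    iocs = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            iocs[kind].extend(pat.findall(s))
    return iocs


def triage(data: bytes) -> dict:
    sections = parse_sections(data)
    strings = extract_strings(data)
    return {"sections": sections, "packer_indicators": packer_indicators(sections),
            "strings": strings, "iocs": find_iocs(strings)}


def build_sample_pe() -> bytes:
    """Constructed test image (not real malware): stub DOS header, COFF header with an
    empty optional header, a low-entropy .text section carrying a URL and a UTF-16 path,
    and a high-entropy UPX1 section filled with SHA-256 output to mimic packed code."""
    text = (b"\x55\x89\xe5" * 40 + b"http://203.0.113.5/update.bin\0\0"
            + "C:\\Users\\victim\\run.exe".encode("utf-16le") + b"\0\0")
    text_vsize = len(text)
    text = text.ljust(512, b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)             # i386, 2 sections

    def hdr(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (hdr(b".text", text_vsize, 0x1000, len(text), 512, 0x60000020)
             + hdr(b"UPX1", 0x10000, 0x2000, len(packed), 1024, 0xE0000040))
    headers = (dos + PE_SIGNATURE + coff + table).ljust(512, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print("packer indicators:", report["packer_indicators"])
    print("IOCs:", report["iocs"])
```

On the constructed image the .text section scores low entropy while UPX1 scores above 7 bits per byte and is also flagged by name, and the URL, its IPv4 address and the UTF-16 path come out of the strings pass. Run the same functions over a real sample read with `open(path, "rb").read()`; a high-entropy section with almost no recoverable strings is the usual sign that the file must be unpacked before IDA Pro or Ghidra can show anything useful.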

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An examiner carves a suspicious executable out of a disk image and must decide what it does before anyone runs it. The first stop is static analysis: load the file in Ghidra or IDA Pro, check the PE headers and section entropy for signs of packing, review imports and embedded strings for hard-coded IP addresses, URLs or keys, and follow the control flow from the entry point. Only once that picture is in hand does the sample go into Cuckoo Sandbox, with Process Monitor and Wireshark capturing behaviour, to confirm what the code was seen to do. The question rewards the same discipline: the constraint "without executing" rules out every tool that needs the malware to run, however familiar its name.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CHFI practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CHFI practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CHFI question test?

Mobile and Malware Forensics. This question tests whether you can separate static analysis tools, which examine a binary without executing it, from dynamic analysis tools, which observe it while it runs.

What is the correct answer to this question?

The correct answers are IDA Pro and Ghidra. IDA Pro is a leading interactive disassembler and debugger used for static analysis of malware binaries: it disassembles machine code into assembly language and provides cross-references, function graphs, and decompilation, so analysts can examine executable code without running it. Ghidra is the NSA's open-source reverse engineering framework with equivalent disassembly and decompilation capabilities. Both are essential for reverse engineering malicious software to understand its logic, embedded strings, and control flow.

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Same concept, more angles

2 more ways this is tested on CHFI

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A forensic analyst is performing static analysis of a Windows PE file. Which TWO of the following tools are specifically designed for static analysis of malware?

easy
  • A. Wireshark
  • B. Cuckoo Sandbox
  • C. IDA Pro
  • D. Ghidra
  • E. Process Monitor

Why C: IDA Pro is a disassembler and debugger that allows analysts to reverse-engineer binary executables by converting machine code into assembly language. For static analysis of malware, IDA Pro enables examination of the PE file's structure, strings, imports, and code flow without executing the sample, making it a core tool for malware forensics.

Why D: Ghidra is the NSA's open-source reverse engineering framework. Its disassembler and decompiler give the same static view of a PE file's structure, strings, imports and code flow as IDA Pro, again without executing the sample. Wireshark, Cuckoo Sandbox and Process Monitor all need the sample to run (or its traffic to be generated), which makes them dynamic analysis tools.

Variation 2. Which of the following tools is BEST suited for performing static analysis of a malware binary to identify strings, headers, and imported functions without executing the file?

easy
  • A. Cuckoo Sandbox
  • B. Any.run
  • C. Process Monitor
  • D. IDA Pro

Why D: IDA Pro is the correct choice because it is a disassembler and debugger specifically designed for static analysis of binary executables. It allows an analyst to examine strings, PE/ELF headers, and imported functions without executing the file, making it ideal for malware reverse engineering. In contrast, the other options require execution or focus on runtime behavior.

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.