Among indicator classifications, which type is most commonly represented by hashes of files?


Multiple Choice

Among indicator classifications, which type is most commonly represented by hashes of files?

Explanation:
The idea being tested is how indicators are categorized. A hash of a file is produced by applying a hash function to the file's bytes, so the value you see is the result of a computation rather than the raw artifact itself. That makes it a computed indicator: information you obtain by calculating something from the data, not the original artifact alone.

Hashes are the most commonly used form of this type because they provide a stable, reproducible fingerprint of a file's content. The same file content will always yield the same hash, which lets defenders quickly identify known malware, verify integrity across systems, and share detections independent of file names, paths, or other changing metadata. While other indicator types describe behavior, patterns, or raw artifacts, a file hash embodies the outcome of a calculation that uniquely represents the file's content, which is why it is categorized as computed.

