In a recent cyber-attack, a malicious driver was installed on a Windows system. The investigator in charge is now tasked with analyzing the system behavior to identify and verify the authenticity of the suspicious device driver. Which of the following approaches should the investigator use to complete this task efficiently?
To analyze the system behavior and identify the authenticity of a suspicious device driver, the investigator should use a utility that provides detailed information about the device drivers currently loaded on the system. The DriverView utility is specifically designed for this purpose. It lists all device drivers and shows essential details like load address, description, version, product name, and the company that created the driver. This information is crucial for determining whether the driver is legitimate or malicious.
DriverView utility displays a list of all device drivers currently loaded on the system. For each driver in the list, additional information, such as the load address of the driver, description, version, product name, and the company that created the driver, is displayed.