Eccouncil 112-57 Exam - Topic 12 Question 1 Discussion

Actual exam question for Eccouncil's 112-57 exam
Question #: 1
Topic #: 12

Which of the following techniques is used to compute the hash value for a given binary code to uniquely identify malware or periodically verify changes made to the binary code during analysis?

Suggested Answer: A

File fingerprinting is the forensic technique of generating a cryptographic hash (such as MD5, SHA-1, SHA-256) for a file to create a unique, repeatable identifier for that exact byte sequence. In malware forensics, analysts compute hashes to (1) uniquely identify a suspicious binary across cases and tools, (2) confirm whether two samples are identical or different variants, and (3) verify integrity over time, for example ensuring the sample did not change during copying, extraction, sandbox handling, or during an analysis workflow that might inadvertently modify the file (e.g., patching, unpacking outputs, or tool-side normalization). Re-hashing at different stages provides a defensible way to demonstrate that the analyzed artifact is the same as the acquired artifact, supporting evidentiary integrity and chain-of-custody principles commonly emphasized in digital forensics documentation.

The other techniques do not primarily serve this purpose. Strings search extracts readable text fragments but does not produce a unique integrity identifier. Local and online malware scanning uses signatures/reputation and may identify families, but it is not an integrity verification mechanism for the exact file bytes. Malware disassembly helps understand logic and instructions, not compute an identity hash. Therefore, the correct answer is File fingerprinting (A).
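The re-hashing workflow described above, as an added example that is not part of the original page: it fingerprints a file at acquisition, then verifies a working copy before and after a one-byte change. The file names and sample bytes are constructed for illustration, and the helper names `fingerprint`, `verify` and `demo` are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the hash families named in the explanation

def fingerprint(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest}, reading the file once in fixed-size chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify(path, baseline):
    """Re-hash the file; return the algorithms whose digest differs from baseline."""
    current = fingerprint(path)
    return [name for name in ALGORITHMS
            if not hmac.compare_digest(current[name], baseline[name])]

def demo():
    # Constructed bytes standing in for an acquired binary (not a real sample).
    sample = b"MZ" + bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as workdir:
        acquired = os.path.join(workdir, "sample.bin")
        with open(acquired, "wb") as fh:
            fh.write(sample)
        baseline = fingerprint(acquired)        # recorded at acquisition

        working = os.path.join(workdir, "working_copy.bin")
        with open(working, "wb") as fh:
            fh.write(sample)
        after_copy = verify(working, baseline)  # byte-identical copy: no mismatch

        # Simulate an analysis tool patching a single byte in the working copy.
        with open(working, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")
        after_patch = verify(working, baseline)  # every digest now differs
    return baseline, after_copy, after_patch

if __name__ == "__main__":
    baseline, after_copy, after_patch = demo()
    print("baseline:", baseline)
    print("mismatches after copy:", after_copy)
    print("mismatches after patch:", after_patch)
```
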

