Option C. Static Analysis is the best initial step. CHFI v11 covers malware forensics, including methods for examining suspicious files to understand their characteristics, indicators, and probable functions. When investigators encounter a novel malware sample with no prior intelligence available, the safest and most logical first step is usually static analysis. This allows the examiner to inspect the file without executing it, reducing the risk of further infection or unintended damage while still revealing useful information such as file type, strings, embedded resources, headers, imports, suspicious metadata, packing indicators, and other structural clues.
Behavioral analysis is also valuable, but it normally comes after an initial static examination because it requires executing or monitoring the sample in a controlled environment. Code analysis can be deeper and more specialized, but it is not always the first practical step, especially before basic triage. Signature analysis is less useful when the malware is believed to be new and may not yet match known indicators.
Therefore, under CHFI malware investigation principles, the most viable initial step to understand a previously unknown malicious file is static analysis before moving to more advanced dynamic techniques.
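The first-pass static triage described above, as an added example that is not part of the original explanation: it hashes a buffer, identifies its type from magic bytes, extracts printable strings, and uses whole-file entropy as a packing hint, all without executing anything. The sample buffers, the small magic-byte table, and the 7.2 entropy threshold are constructed assumptions.

```python
import hashlib, math, re
from collections import Counter

# Small illustrative magic-byte table (assumption, far from exhaustive).
MAGIC = {b"MZ": "MZ (DOS/PE executable)", b"\x7fELF": "ELF",
         b"%PDF": "PDF", b"PK\x03\x04": "ZIP container"}

def file_type(data):
    """Identify the format from leading bytes, not from the file extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def ascii_strings(data, min_len=5):
    """Printable ASCII runs, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data, packed_threshold=7.2):
    """Static-only report; the threshold is a heuristic assumption."""
    found = ascii_strings(data)
    h = entropy(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "type": file_type(data),
            "entropy": round(h, 2),
            "likely_packed": h >= packed_threshold,
            "urls": [s for s in found if re.search(r"https?://", s)],
            "strings": found}

# Constructed sample buffers (not real malware): one plain, one high-entropy.
PLAIN = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\x00"
         + b"http://example.invalid/update\x00" + b"\x00" * 200)
PACKED = b"MZ" + bytes((i * 197 + 13) % 256 for i in range(4096))

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN), ("packed", PACKED)):
        report = triage(buf)
        print(label, report["type"], report["entropy"],
              report["likely_packed"], report["urls"])
```

Whole-file entropy is a coarse signal: compressed or encrypted resources in a benign file also score high, so treat `likely_packed` as a prompt for closer inspection rather than a verdict.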