Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 10

According to the CHFI v11 curriculum and Exam Blueprint v4, the eDiscovery process involves multiple specialized roles, each with clearly defined responsibilities to ensure evidence is collected, preserved, processed, and reviewed in a forensically sound manner. The role described in this scenario aligns specifically with that of an eDiscovery software expert .

An eDiscovery software expert is responsible for the deployment, configuration, validation, and maintenance of forensic and eDiscovery tools used during evidence collection and analysis. This includes ensuring that tools used for acquiring emails, files, logs, and system artifacts are properly configured for the target environment, function correctly throughout the investigation, and comply with forensic best practices. CHFI v11 emphasizes the importance of tool reliability, validation, and proper configuration to maintain evidence integrity and legal admissibility .

Other roles listed are not appropriate in this contex t. An eDiscovery attorney (Option A) focuses on legal oversight, scope definition, and compliance. Processing personnel (Option B) handle data normalization, indexing, and preparation after collection. Review personnel (Option C) analyze processed data for relevance and privilege. None of these roles are responsible for tool deployment or maintenance.

Therefore, based on CHFI v11 eDiscovery role definitions and responsibilities, the correct and exam-aligned answer is An eDiscovery software expert

The correct answer is C because it is the only option that directly states the attribution limitation. Even when investigators have extensive logs from servers, WAFs, SIEM platforms, and other sources, identifying the true perpetrator behind an attacking IP is often difficult because attackers may use proxies, VPNs, compromised hosts, or anonymizing networks. CHFI v11 includes web application forensics, event correlation, and the challenges investigators face in tracing attacks across infrastructure. The key phrase in the question is that the methodology step must explicitly acknowledge this limitation. Option A is a collection step, option B is an analysis step, and option D concerns evidence integrity. None of those explicitly addresses the challenge of reliable attribution. In forensic practice, distinguishing between observed network origin and actual human attribution is essential, especially in web attacks where intermediary infrastructure can obscure the attacker’s identity. Since option C directly says that tracing the attacking IP to identify the perpetrator is generally very difficult due to anonymization, it is the step that most clearly states the investigative constraint described.

Option A is the correct answer because the task is specifically to create a new Windows service , and the add command is the one that performs service creation. CHFI v11 covers system behavior analysis , including services , startup programs , and how malicious or legitimate executables can be configured to run automatically within Windows.

In this context, the investigator or administrator needs the command that defines the service name, display name, startup characteristics, and related options for deployment. That is exactly what the srvman.exe add syntax is intended to do. By contrast, delete removes a service, stop halts a running service, and run executes or launches an existing service-related action rather than creating a new service entry.

Because the question asks which command should be used to create the service on the system, the only matching choice is the add command. Therefore, the strongest CHFI-aligned answer is A , since it reflects the correct service-creation operation.

Option D is the best answer because the question states that the malware executed as soon as the user visited the site , with no further interaction required . That behavior is most characteristic of a drive-by download , in which malicious code is delivered or executed automatically through a compromised or malicious website. CHFI v11 includes common techniques attackers use to distribute malware across web and explains how attacks can work through websites as part of the malware infection chain.

The defining clue is the absence of any extra action by the user after visiting the site. Spear-phishing sites and malvertising can be part of delivery paths, but the actual technique described here is the automatic installation or execution behavior associated with drive-by downloads . Black hat SEO is a method of luring victims to malicious sites by manipulating search rankings, not the execution technique itself.

From a CHFI standpoint, investigators must distinguish between how victims are brought to malicious content and how the malware is actually delivered. In this case, the delivery mechanism is clearly drive-by download , making option D the most accurate answer.

This scenario directly aligns with CHFI v11 objectives under Anti-Forensics Techniques , specifically techniques used to alter or destroy forensic artifacts to obstruct investigations. Log files on macOS systems—such as system logs, application logs, and security logs—are critical sources of evidence that help investigators reconstruct user activity, detect intrusions, and build event timelines.

When an attacker alters, deletes, or modifies log entries , the anti-forensic technique employed is classified as data manipulation . CHFI v11 defines data manipulation as the intentional modification, deletion, or corruption of data or metadata to mislead investigators or erase traces of malicious activity. Log tampering is a classic example, as attackers often remove evidence of unauthorized access, privilege escalation, or persistence mechanisms.

Data encryption would make logs unreadable but not selectively altered or deleted. Data hiding involves concealing information in alternate locations (e.g., steganography or hidden files), while data obfuscation focuses on making data confusing but still present. In contrast, the complete deletion or alteration of log messages is a deliberate attempt to falsify or erase evidence. Therefore, consistent with CHFI v11 anti-forensics classifications, data manipulation is the correct and most accurate answer.

The correct answer is C because macOS stores Messages artifacts under the user’s Library Messages location, which is the primary area investigators examine for chat-related evidence. Forensic references commonly identify chat databases such as chat.db and related attachments in the user’s Messages directory. That makes this path the most relevant starting point when the goal is to recover conversation content, establish message timing, and attribute user activity. The other options are not appropriate for this purpose. Safari contains browser artifacts, Preferences stores application settings, and SystemVersion.plist contains operating system version information rather than user messaging content. CHFI v11 includes macOS forensic data, user activity analysis, and operating system artifact examination, so this question fits directly into the objective of knowing where communication artifacts reside on Apple systems. In a harassment investigation, Messages artifacts can help confirm who communicated, when the messages were sent, whether attachments were involved, and how those events align with logins or device usage. That is why the first place to check is the user’s Library Messages folder.

Option A. NetAnalysis is the best answer because the question is specifically about extracting and analyzing browser history, cookies, and cache across multiple web browsers . CHFI v11 explicitly includes Tools to Examine the Cache, Cookie, and History Recorded in Web Browsers and Private Browsing and Browser Artifact Recovery under its tool-based operating-system and artifact analysis objectives.

A dedicated browser-artifact tool is the most appropriate choice when the focus is on cross-browser internet activity reconstruction. NetAnalysis is designed for that kind of work and is far more targeted than the other options for analyzing Chrome, Firefox, Safari, and similar browser traces in one workflow.

Sleuth Kit is excellent for file system analysis, but it is not the most direct answer for comprehensive browser-artifact examination. EnCase is a broad forensic suite, but the question asks for the tool best suited specifically for browser history, cookies, and cache. DiskExplorer is not the strongest fit for this requirement. Therefore, based on CHFI’s browser-artifact tool objectives, NetAnalysis is the most precise and appropriate answer.

The correct answer is A because the scenario describes active control of evidence items at the scene and immediate collection of volatile or time-sensitive artifacts before laboratory processing begins. That is the stage where responders take custody of exhibits and collect time-bound data. CHFI v11 includes first response, documenting the electronic crime scene, evidence preservation, and collecting volatile information before it is lost. Option B refers to an earlier identification step, which happens before investigators begin assuming control and gathering transient evidence. Option C is not the core activity described, and option D belongs to a later phase once evidence has already been seized and moved for laboratory examination. In forensic practice, the moment investigators secure relevant systems and start preserving live, rapidly changing information is a critical scene assessment and evidence-preservation phase. This may include capturing active sessions, running processes, open network connections, or displayed information. Since the question highlights both custody and the urgency of collecting time-sensitive artifacts at the scene, the best answer is taking custody of exhibits and collecting time-bound data.

Option B. Brute Force attack is the most appropriate answer because the scenario describes an attacker making thousands of rapid attempts using many different combinations of payment data from the same IP address. CHFI v11 includes Investigating Brute Force Attack as part of its network and web attack coverage.

The defining characteristic of a brute-force style attack is repeated automated trial-and-error attempts until valid data is found. In this case, the attacker is not relying on stolen session state, changing parameters in a single trusted request, or abusing XML parsing. Instead, the attacker is systematically testing combinations at scale, which is consistent with brute-force or card-testing behavior.

Cookie poisoning would focus on modifying session or cookie values. Parameter tampering involves altering request parameters to manipulate application logic. XXE targets XML parsers. None of those fit the described pattern as directly as repeated automated attempts from one source using numerous combinations. Therefore, under CHFI’s attack-investigation objectives, the strongest answer is Brute Force attack .

The correct answer is D because every action in the scenario centers on the core forensic objective of collecting and preserving digital evidence in a way that remains reliable, reviewable, and legally defensible. CHFI v11 covers understanding computer forensics, evidence preservation, chain of custody, data acquisition, and reporting, all of which support this primary goal. External references on forensically sound practice describe it as acquiring evidence while minimizing alteration, preserving integrity, documenting changes, and maintaining a process that can stand up in court. The other options describe possible outcomes or broader benefits of an investigation, but they are not the direct objective illustrated by the examiner’s actions. The scenario does not focus mainly on estimating impact, preventing future incidents, or identifying perpetrators. Instead, it emphasizes proper evidence handling from acquisition through legal preparation. In CHFI-style reasoning, when the question highlights careful identification, non-destructive collection, integrity protection, and documentation for litigation, the fundamental objective being applied is to gather evidence of cyber crimes in a forensically sound manner.