Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 12

According to the CHFI v11 syllabus under Malware Forensics and System Behavior Analysis , the Windows Registry is one of the most critical sources of forensic evidence when investigating malware activity. Malware frequently interacts with registry keys to achieve persistence , configure execution parameters, disable security controls, or maintain state information across reboots. By analyzing registry key modifications , forensic investigators can identify how malware embeds itself into the operating system and understand its long-term behavior.

Common persistence mechanisms include modifications to registry locations such as Run, RunOnce, Services, Winlogon, and scheduled task-related keys. Changes in these keys can reveal how and when malware is executed, whether it runs at system startup, and which privileges it attempts to obtain. CHFI v11 emphasizes monitoring registry artifacts using tools like Process Monitor, Registry Editor, and registry diff utilities to detect unauthorized additions, deletions, or value changes.

The other options are incorrect in this context. Monitoring network traffic patterns (Option A) is useful for command-and-control analysis but does not directly reveal registry-based persistence. Browser history logs (Option B) are related to user activity, not system-level malware behavior. Tracking system file executions (Option C) focuses on executable activity but does not expose configuration or persistence logic stored in the registry.

The CHFI Exam Blueprint v4 explicitly highlights registry-based malware persistence mechanisms as a key investigative focus, making analyzing registry key modifications the correct and exam-aligned answer

The correct answer is C because Belkasoft Live RAM Capturer is specifically designed to acquire volatile memory from Windows systems. Belkasoft describes it as a forensic tool that extracts the contents of a computer’s volatile memory with a minimal footprint, which makes it a direct fit for a live Windows RAM capture scenario. In CHFI v11, the data acquisition objectives emphasize live acquisition, order of volatility, and the need to preserve in-memory evidence such as running processes, cryptographic material, and transient system state before shutdown or reboot. LiME and fmem are associated with Linux memory acquisition, while dd is a general copying utility and is not the standard specialized choice for capturing live Windows RAM in this context. Because the workstation remains powered on and the goal is specifically to preserve volatile data, the examiner should use a tool purpose-built for Windows memory capture. This aligns with CHFI’s focus on collecting volatile evidence first and selecting the correct acquisition tool for the operating environment. Belkasoft Live RAM Capturer is therefore the strongest and most defensible answer.

Option A. strace is the best answer because the question asks for a tool that can intercept and record system calls in real time on a Linux system. That is exactly what strace is designed to do. CHFI v11 includes Linux forensics , Linux memory forensics , and also references system behavior analysis and system calls monitoring when examining malware behavior on systems.

Monitoring system calls is important because it shows how a suspicious process interacts with the operating system kernel, including file access, network activity, process creation, permissions use, and other low-level behavior. That makes strace especially useful when investigating malware on Linux.

The other options do not fit the requirement. Wireshark and tcpdump are network traffic analysis tools, so they observe packets rather than kernel system calls. Process Explorer is associated with Windows process investigation, not Linux syscall tracing. Since the question is specifically about real-time observation of process-to-kernel interactions on Linux, strace is the most accurate and CHFI-aligned tool choice.

Option D is the strongest answer because the workstation has been running continuously for weeks and may contain critical evidence in RAM . CHFI emphasizes the importance of live acquisition when a running system may hold volatile artifacts such as memory-resident malware, open sessions, unsaved work, active processes, encryption keys, or network connections. In this scenario, shutting the system down would likely destroy some of the most valuable evidence.

A live acquisition allows the examiner to preserve memory and other transient data before moving on to broader collection steps. This is particularly important in a case involving malicious code injection, where evidence may exist only in RAM, temporary locations, or active process space. Because the workstation is heavily used and active, live acquisition maximizes the amount of evidence that can be preserved at the time of collection.

Option A sacrifices volatile evidence. B is incomplete and not forensically comprehensive. C may be useful in some environments but is less appropriate than a direct live acquisition from the running system. Therefore, the best CHFI-aligned strategy is live acquisition from the running workstation .

According to the CHFI v11 objectives under File Type Analysis and Malware Forensics , understanding the internal structure of a PDF file is critical when investigating malicious documents. A standard PDF file consists of four main components: Header, Body, Cross-reference table (xref), and Trailer (Footer) . Among these, the cross-reference table (xref table) plays a pivotal forensic role.

The xref table contains byte offsets for every object stored in the PDF file , allowing the PDF reader—and forensic investigators—to locate objects directly without reading the entire file sequentially. This enables random access to objects such as text streams, images, embedded files, JavaScript, and form objects. Additionally, the xref table supports incremental updates , a mechanism frequently abused by attackers to append malicious content to a legitimate PDF without altering the original data. By analyzing multiple xref sections, investigators can identify document revisions, hidden objects, and malicious insertions .

The Header (Option A) only specifies the PDF version, the Body (Option C) contains the actual objects, and the Footer/Trailer (Option D) points to the xref table but does not provide object indexing itself.

CHFI v11 explicitly emphasizes xref table analysis when examining suspicious PDF documents, as it is essential for detecting embedded malware, tracing document modifications, and reconstructing attack timelines. Therefore, the cross-reference table (xref table) is the correct and exam-aligned answer

The correct answer is D because IMSI is the identifier tied to the subscriber identity in the mobile network. GSMA explains that the IMSI uniquely identifies the subscription associated with a SIM and is used by the mobile network to recognize the subscriber. That makes it the best field when investigators want to correlate tower activity and account-level records to the subscriber rather than to the handset hardware. By contrast, IMEI identifies the physical device, MSISDN is the dialable phone number, and Cell ID identifies the serving cell tower sector rather than the user account. CHFI v11 includes cellular network components, subscriber identity modules, and cell site analysis, so candidates are expected to distinguish subscriber identity from device identity and location identifiers. In a forensic context, if the goal is to associate movements across towers with the actual subscription record held by the carrier, the most relevant field is IMSI. That is the core subscriber identifier used by the provider’s network systems. (gsma.com)

The correct answer is A because the step described is log and event reduction before correlation, which focuses on decreasing noise by filtering, compressing, or removing duplicate information. In the CHFI v11 blueprint, event correlation and event deconfliction are specifically listed under image and evidence examination, and that includes preparing data so analysts can identify meaningful patterns without being distracted by repetitive or irrelevant entries. Option B refers more to centralization or aggregation of logs, which can be useful, but it does not directly describe the action of reducing repeated entries. Option C concerns secure transmission and integrity protections during collection, which is unrelated to the analytical problem described. Option D points to normalization, where logs from different systems are transformed into a common structure, but the question is focused on reducing alert duplication and noise. From a forensic operations perspective, this preprocessing step improves the quality of later correlation by trimming the data to what matters most. That is why the best answer is the choice describing filtering, compression, and deletion of repeated entries.

Option B is the best answer because the investigator’s immediate goal is to document what is currently displayed or active on a powered-on system while causing the least possible disturbance . CHFI v11 emphasizes best practices for handling digital evidence , preserving evidence , collecting volatile information , and understanding the consequences of actions taken on a live system.

A slight movement of the mouse to wake the screen is the least disruptive way among the listed options to reveal the active display and allow proper photographic documentation. Rebooting or unplugging the machine would destroy volatile evidence and significantly alter the system state. Disconnecting the network cable may sometimes be considered in other operational contexts, but it does not solve the immediate issue of documenting the active on-screen evidence hidden by the screensaver.

From a CHFI standpoint, documentation at the scene should preserve the evidence as found as much as possible while minimizing changes. Therefore, the correct response is to gently wake the screen and photograph/document the visible programs without taking destructive actions that would compromise volatile evidence.

The correct answer is B because pagefile.sys is one of the most useful cross-browser residual evidence sources when private browsing is used. Research on private browsing repeatedly shows that, even when standard browser artifacts are minimized, remnants of queries, visited content, and browsing fragments can still persist in operating system artifacts such as paging data and memory-related storage. Studies of private mode forensics found that evidence may remain in RAM and disk artifacts even when browser traces are reduced, and this is especially valuable because pagefile.sys is not tied to one specific browser implementation. CHFI v11 includes browser artifact recovery and private browsing analysis under operating system and file artifact examination, so candidates are expected to think beyond obvious browser stores. Cookies and temporary databases are more browser-dependent and may be cleared or limited by private mode. DNS cache can reveal domain resolution history, but it usually does not preserve the richer search-query and browsing-fragment evidence described in the scenario. Therefore, pagefile.sys is the strongest and most reliable source among the listed options.

The correct answer is A because the attacker is extracting sensitive information by observing indirect signals from shared hardware resources rather than by directly reading the victim’s data. In this case, the clues are co-residency on the same physical host, shared CPU cache behavior, timing analysis, and key extraction. Those are the classic characteristics of a side-channel attack in cloud environments. CHFI v11 includes cloud computing threats and attacks, so candidates are expected to recognize when multitenant resource sharing becomes the attack surface. This is not service hijacking through network sniffing or social engineering, and it is not a wrapping attack involving modified XML or SOAP-style message structures. The forensic significance lies in the fact that the attacker exploited shared infrastructure effects to infer protected data from another tenant’s workload. In cloud security analysis, when a malicious virtual machine is intentionally placed on the same host and hardware side effects are used to recover secrets, the correct classification is a side-channel attack. That is the best fit for the behavior described in the scenario.