Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 4

According to the CHFI v11 objectives and theElectronic Discovery Reference Model (EDRM)framework, the activity described in this scenario corresponds to theInformation Governancestage. Information governance is the foundational phase of the EDRM cycle and focuses on establishingpolicies, procedures, controls, and standardsto manage electronic information throughout its lifecycle. This includes defining data retention schedules, access control policies, compliance requirements, preservation rules, and audit readiness.

In CHFI v11, information governance is emphasized as aproactive and strategic functionthat ensures an organization is prepared for future investigations, audits, litigation, or regulatory inquiries. By implementing governance controls after an investigation, organizations strengthen forensic readiness, reduce legal risk, and ensure that electronic data remains reliable, authentic, and admissible as evidence.

The other options do not accurately match the described activity. Disposal (Option A) refers to defensible deletion after legal hold requirements expire. Collection (Option C) involves acquiring data for analysis, while Identification (Option D) focuses on locating potentially relevant data sources. None of these address long-term policy creation or enterprise-wide data control.

The CHFI v11 Exam Blueprint explicitly includesInformation Governancewithin the eDiscovery process, highlighting its role in compliance, risk mitigation, and evidence integrity management, making Option B the correct and exam-aligned answer

According to the CHFI v11 curriculum underNetwork Forensics, investigators must be proficient in using packet sniffing tools to capture and analyze live network traffic.tcpdumpis a widely usedcommand-line packet analyzerthat runs natively on Unix, Linux, and BSD-based systems. It allows investigators to capture packets in real time, apply powerful filters, and save traffic inPCAP formatfor further offline analysis using tools such as Wireshark.

In forensic investigations, tcpdump is especially valuable because it provides low-level visibility into network communications, including source and destination IP addresses, ports, protocols, TCP flags, and payload data. This enables investigators to detect suspicious behaviors such as unauthorized connections, port scans, malware command-and-control traffic, data exfiltration attempts, and denial-of-service activities. CHFI v11 specifically highlightstcpdumpas a core tool fornetwork traffic investigation and evidence gatheringin Unix-based environments.

The other options are incorrect. Metashield Analyzer is used for file-based threat analysis, Timestomp is an anti-forensics tool used to manipulate file timestamps, and Billboard is not a recognized network forensic or packet sniffing tool.

The CHFI Exam Blueprint v4 emphasizes the importance ofreal-time packet capture toolsfor network investigations, makingtcpdumpthe correct, forensically sound, and exam-aligned answer

This question aligns with CHFI v11 objectives underNetwork and Web AttacksandNetwork Log Analysis. In digital forensics, network infrastructure logs are critical sources of evidence for detecting, analyzing, and reconstructing network-based attacks. CHFI v11 specifically emphasizes the forensic value of logs generated by network devices such asCisco switches, VPN gateways, and DNS servers.

Cisco switch logs provide information about device connections, port activity, MAC address mappings, VLAN assignments, and potential unauthorized access within the internal network. VPN logs reveal details about remote connections, including authentication attempts, user identities, IP addresses, session durations, and encrypted tunnel activity—crucial for identifying compromised credentials or unauthorized remote access. DNS server logs record domain name queries and responses, which help investigators detect command-and-control communication, data exfiltration attempts, malware beaconing, and access to malicious domains.

Together, these logs allow investigators to correlate events across the network, trace attacker movement, identify affected systems, and establish timelines of security incidents. The other options are incorrect because browser history is host-based evidence, and these logs are highly relevant to forensic investigations. Therefore, consistent with CHFI v11 network forensics principles, these logs provide insights into network traffic, device connections, and security incidents.

According to theCHFI v11 objectives related to Network Forensics, Incident Detection, and SOC Operations, the primary technology used by a Security Operations Center (SOC) tomonitor, correlate, and analyze security events in real timeis aSecurity Information and Event Management (SIEM) system.

A SIEM system centrally collects logs and events from multiple sources such as firewalls, IDS/IPS, servers, endpoints, applications, authentication systems, and network devices. It then performsreal-time correlation, normalization, alerting, and analysisto identify suspicious patterns such as brute-force attacks, lateral movement, malware activity, data exfiltration attempts, and insider threats. CHFI v11 emphasizes SIEM solutions as a core component forincident detection, investigation, and evidence correlationwithin SOC environments.

The other options do not meet this requirement.Password Management Softwarefocuses on credential storage and rotation, not threat monitoring.Vulnerability Assessment Toolsare used for periodic scanning to identify weaknesses, not real-time event analysis.Data Loss Prevention (DLP)solutions are designed to prevent unauthorized data leakage but do not provide comprehensive, centralized security event correlation across the enterprise.

CHFI v11 explicitly highlights the use ofSIEM solutions for centralized logging, real-time monitoring, and forensic investigation support, making them essential for SOC teams dealing with active threats. Therefore, the correct and CHFI-verified answer isSecurity Information and Event Management (SIEM) System (Option B).

According to theCHFI v11 Operating System and Malware Forensics objectives,Windows Event ID 5156is generated by theWindows Filtering Platform (WFP)and indicates that a network connection has beenpermitted. This event is highly valuable in malware investigations because it records detailed information aboutprocess-level network activity, which is a common indicator of compromise.

Event ID 5156 logs typically include:

Process name and Process ID (PID)that initiated the network connection

Source and destination IP addresses

Source and destination ports

Protocol used (TCP/UDP)

Direction of the connection (inbound or outbound)

CHFI v11 explicitly highlights the importance ofWindows Security Event Logsin tracing malware behavior, especially for identifyingcommand-and-control (C2) communications, data exfiltration attempts, and lateral movement. By analyzing Event ID 5156, investigators can directly correlate aspecific executable or malicious processwithexternal IP addresses, helping establish attacker infrastructure and timelines.

The other options are incorrect because Event ID 5156 does not record credentials, file deletion paths, or registry modification details. Those artifacts are found in other event IDs or forensic sources such as registry hives, file system metadata, or Sysmon logs.

Therefore, the key forensic value ofEvent ID 5156lies in revealingthe process responsible for the network communication and the IP address it connected to, makingOption Dthe correct and CHFI v11–verified answer.

This scenario aligns closely with CHFI v11 objectives underProcedures and Methodology, specificallypostmortem analysis and log-based forensic investigation. Postmortem analysis refers to the examination of collected system, application, and network logsafter an incident has occurred, with the goal of reconstructing events and determining the root cause of a security breach.

In this case, the investigator is reviewinghistorical network logs collected during the incident window, not monitoring live traffic. CHFI v11 emphasizes that postmortem analysis is essential for answering the core forensic questions:what happened, how it happened, when it happened, and who was responsible. By correlating timestamps, IP addresses, protocols, and event sequences across logs, investigators can identify attack vectors, trace the origin of the attack, and understand attacker behavior.

Option C is incorrect because real-time analysis applies to live monitoring during an active incident. Option A describes an illegal activity unrelated to forensics, and option D refers to an attack technique rather than an investigative method. Therefore, consistent with CHFI v11 forensic methodologies, the investigator is performing apostmortem analysis of system records, making optionBthe correct answer.

According to the CHFI v11 objectives underMalware ForensicsandLinux Memory and System Behavior Analysis, monitoringsystem callsis a core technique for understanding how malware interacts with the operating system at a low level. On Linux systems,straceis the primary and most effective tool for this purpose.

strace intercepts and recordssystem callsmade by a process, along with the signals received and return values. Since all interactions between user-space programs and the Linux kernel occur via system calls, tracing them provides deep visibility into malware behavior. Using strace, investigators can observe actions such as file creation or modification (open, write), privilege escalation attempts (setuid), network communications (connect, sendto), process creation (fork, execve), and access to protected system resources. This makes strace indispensable fordynamic malware analysis on Linux, as emphasized in CHFI v11.

The other options are incorrect.Process ExplorerandAutorunsare Windows-based tools and do not operate on Linux systems.Regshotis also Windows-specific and is used to compare registry snapshots, which are irrelevant in Linux environments.

The CHFI Exam Blueprint v4 explicitly includesLinux malware behavior analysis and monitoring system-level activity, makingstracethe correct, forensically sound, and exam-aligned tool for tracking malware system calls

According to theCHFI v11 Data Acquisition Concepts and Rules,sanitizing the target mediais a critical preparatory step performed before acquiring forensic data, especially when reusing storage media or handling sensitive information. Sanitization refers to the process ofsecurely erasing dataso that it cannot be recovered using forensic techniques. This is typically achieved byoverwriting the storage media with predefined patterns, such as sequential zeros and ones, or by using approved data wiping algorithms.

CHFI v11 clearly distinguishes sanitization from other acquisition steps.Validating data acquisitionensures the integrity and completeness of collected evidence through hash verification and comparison, not data destruction.Acquiring volatile datafocuses on capturing live information such as RAM contents, running processes, and network connections before shutdown.Planning for contingencyinvolves preparing backups, alternate tools, and procedures in case the acquisition process fails.

The scenario explicitly describes overwriting the drive to prevent any residual data recovery, which directly aligns with the CHFI v11 guideline“Sanitize the Target Media”listed under evidence handling and acquisition best practices. This step ensures privacy, prevents data leakage, and maintains legal and ethical compliance during forensic operations.

Therefore, based strictly on CHFI v11 objectives and terminology, the investigator is performingsanitization of the target media, makingOption Dthe correct and verified answer.

This scenario aligns with CHFI v11 objectives underComputer Forensics FundamentalsandInsider Threat and Identity Theft Forensics. One of the defining characteristics of an insider threat is that the attacker already possessesauthorized or legitimate accessto internal systems, applications, or sensitive data. CHFI v11 emphasizes that insider attacks often bypass perimeter defenses because the malicious activity originates from trusted accounts, internal IP ranges, or authenticated sessions.

If sensitive data is altered from within the organization’s network using valid credentials, it strongly suggests insider involvement. Insiders may include disgruntled employees, contractors, or partners who misuse their access privileges intentionally or unintentionally. This type of breach is often detected through anomalies in user behavior, access logs, privilege misuse, or violations of least-privilege principles.

The other options point to external attack indicators. Social engineering typically targets users from outside the network, known external IP addresses suggest external threat actors, and DDoS attacks are characteristic of external disruption rather than internal data manipulation. CHFI v11 highlights that distinguishing insiders from external attackers is critical for attribution, legal action, and remediation. Therefore, legitimate internal access to systems and data is the strongest indicator that the breach was carried out by an insider.

This question directly relates to CHFI v11 objectives underData Acquisition and Duplicationand the concept oforder of volatility, which is formally defined inRFC 3227 (Guidelines for Evidence Collection and Archiving). CHFI v11 stresses that forensic investigators must collect the most volatile data first, as it is the most likely to be lost or altered during system shutdowns or continued operation.

According to RFC 3227, the order of volatility starts with data that changes most rapidly, such as system state and network-related information. This includes thephysical configuration of the system, network topology, routing tables, ARP cache, active network connections, and running processes. These elements can disappear immediately if the system is powered off or network connectivity changes, making them the highest priority during live response.

Disk data and temporary file systems are far less volatile, as their contents persist after shutdown. Archival media is the least volatile and can be collected last. CHFI v11 explicitly teaches that investigators must document and capture volatile network and system configuration details before moving to persistent storage. Therefore, prioritizing the physical configuration and network topology of the system is the correct and standards-compliant choice.