Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 4

The best answer is C because defining what must be collected, where relevant electronically stored information exists, and how it should be preserved for litigation is fundamentally a legal-scoping responsibility. CHFI v11 places strong emphasis on eDiscovery process flow, the Electronic Discovery Reference Model cycle, legal issues, evidence admissibility, and the relationship between forensic handling and judicial use. That means the person who frames collection scope and preservation requirements must understand legal relevance, regulatory exposure, privilege, and defensibility. IT support personnel may help identify systems and retrieve data, but they do not normally decide legal collection boundaries. Team leads may coordinate execution, and project managers may track schedules and resources, yet neither is the primary authority on admissibility and legal sufficiency. The legal expert or eDiscovery attorney is the role best positioned to define the collection scenario in a way that aligns business systems with litigation duties. In CHFI-style reasoning, whenever the task centers on determining what evidence should be collected for legal proceedings and how to preserve it to satisfy compliance requirements, the legal expert or eDiscovery attorney is the most appropriate answer.

This scenario aligns with CHFI v11 objectives under Network and Web Attacks and Social Media Forensics , where investigators are required to collect and analyze digital evidence from online platforms while preserving evidentiary integrity. When sensitive data is leaked through public or semi-public online channels, social media and online network artifacts such as posts, multimedia content, comments, likes, and user relationships become critical sources of evidence.

Social Network Harvester is specifically designed for social media and online platform investigations. It allows forensic investigators to systematically collect data such as posts, images, videos, timestamps, usernames, and interaction metadata from multiple social networks. CHFI v11 emphasizes the importance of using purpose-built tools that support structured collection, proper documentation, and evidence preservation to maintain chain of custody and admissibility.

LiME is a volatile memory acquisition tool, Elastic Stack is primarily used for log aggregation and analysis, and Guymager is a forensic disk imaging tool. None of these are suitable for harvesting social media content. Therefore, Social Network Harvester is the most appropriate CHFI-aligned tool for efficiently gathering, organizing, and analyzing social network evidence in data leakage investigations.

The correct answer is B because once investigators have already identified the active port with netstat, the next step is to determine what that port is commonly associated with and whether its use is expected in the environment. Referring to online port databases or trusted service-port references helps analysts map a port number to known applications, registered services, or suspicious historical usage patterns. CHFI v11 includes malware behavior analysis at the system and network level, including monitoring ports and network activities, so candidates are expected to move from observation to interpretation. Option D only repeats the step that has already been performed. Option A is too vague because simply calling a port suspicious does not explain why. Option C is unsafe and unnecessary because the file has already been executed and the relevant network artifact has been observed. In a forensic workflow, after identifying an unknown active port, investigators should validate its meaning through recognized service-port references and then correlate that knowledge with process, destination, and timing evidence. That makes online port databases the best answer.

Option A is the best answer because the scenario is centered on identifying relevant electronically stored information (ESI) and locating the correct sources before collection. CHFI v11 explicitly includes the eDiscovery Process Flow , the Electronic Discovery Reference Model (EDRM) Cycle , eDiscovery collections/methodologies , and eDiscovery best practices to mitigate costs and risk . It also notes legal and IT team considerations for eDiscovery , which fits a situation where the legal team is planning how to collect only what is necessary.

Mapping the data to identify custodians and determine where the data resides is a core best practice because it supports targeted collection, reduces unnecessary volume, lowers cost, and helps avoid collecting irrelevant material. That is exactly what the question describes. The other options conflict with sound eDiscovery practice. Self-collection without guidance increases risk, collecting all available data ignores proportionality and relevance, and collecting from only one source is too narrow and may miss critical evidence.

Therefore, under CHFI’s eDiscovery objectives, the team is following the best practice of mapping data sources and custodians before collection .

Option A. Wireshark is the best answer because the task is to analyze unusual network behavior and specifically monitor DNS requests . Wireshark is designed for packet capture and protocol-level inspection, allowing the investigator to examine DNS queries, responses, timing, source systems, suspicious domains, and other traffic details in depth.

This makes it more appropriate than the other options. Nmap is primarily a network scanning tool, useful for discovery and service enumeration, not deep DNS traffic inspection. Snort is an intrusion detection and alerting tool, and while it may detect suspicious activity, it is not the best primary choice for directly inspecting DNS packet contents in a forensic investigation. Nessus is a vulnerability scanner, not a live packet-analysis utility.

From a CHFI network-forensics viewpoint, packet capture and protocol analysis are central to understanding malware-related traffic patterns such as DNS tunneling, beaconing, command-and-control lookups, or suspicious domain resolution behavior. Since Lisa needs detailed visibility into abnormal DNS requests, Wireshark is the most suitable and effective tool for this investigation.

The correct answer is B because com.apple.recentitems.plist is the user-level preference artifact associated with recently used items and application-related recent activity in macOS. Community and forensic references identify this plist in the user’s Preferences directory as storing recent-items information that can support timeline reconstruction of user activity. This makes it the best fit when the investigator wants a user-specific plist that reflects application usage around a suspicious time window. Application Support is a directory rather than the specific plist artifact being asked for. com.apple.desktop.plist and com.apple.dock.plist may contain useful configuration or interface state, but they are not the most directly relevant source for recent-item style application usage. CHFI v11 includes macOS forensic data, log files, and directories, so candidates are expected to know where user-activity artifacts reside inside the home profile. Since the question explicitly points to ~/Library/Preferences and asks for the plist that records usage relevant to recent activity, com.apple.recentitems.plist is the most appropriate answer.

Option D is correct because the scenario describes the stage where electronically stored information is being filtered, reduced, transformed, and prepared into a form that is easier to review. In the EDRM model, that is the processing phase. CHFI v11 includes eDiscovery , electronically stored information , and handling large volumes of digital evidence in a legally defensible way. Within that framework, processing is the stage that reduces irrelevant or redundant material and converts data into a manageable form for later examination.

This is different from review , where the investigator or legal team examines the processed data for relevance, responsiveness, privilege, or evidentiary value. It is also different from production , which involves delivering the selected materials in the required legal or procedural format. Analysis is a broader interpretive activity focused on meaning, context, and conclusions.

Because the question specifically states that the investigator is narrowing the data volume , eliminating unnecessary data , and converting it into a manageable format for the next phase , the task clearly matches the processing stage of the EDRM workflow. That makes option D the most accurate and CHFI-aligned answer.

Option D is the correct answer because CHFI v11 places major emphasis on rules of evidence , seeking consent , obtaining a warrant for search and seizure , legal issues, privacy issues and legal compliance , and the role of local/international agencies during cybercrime investigation . In a case involving multiple jurisdictions , cross-border systems , and lack of client consent, the investigator’s first duty is to ensure the evidence-gathering process is legally valid in every relevant jurisdiction.

Working closely with legal counsel is essential because improper access can compromise admissibility, violate privacy laws, and expose the firm to legal liability. CHFI also highlights best practices for handling digital evidence , preserving evidence , and the importance of lawful authority before conducting intrusive forensic activity.

Option A is too limited and may ignore critical evidence. B would violate legal procedures. C is clearly improper because ownership claims do not override consent, privacy, or jurisdictional requirements. Therefore, the most defensible and CHFI-aligned initial approach is to coordinate with the legal team, understand each legal regime, and obtain the necessary warrants or permissions before proceeding.

Answer B fits best because the investigators are correlating evidence from different security domains, in this case endpoint protection data and network intrusion-detection telemetry. Cross-domain event correlation is used when analysts combine events from separate domains or control layers to uncover a wider incident pattern that is not obvious when each alert stream is reviewed alone. The CHFI v11 blueprint specifically includes event correlation approaches, prerequisites of event correlation, and reconstruction of incident timelines. That is exactly what is happening here: antivirus alerts show suspicious activity on hosts, while IDS alerts reveal related outbound DNS behavior on the network. Together, these data sources can expose malware staging, command-and-control attempts, or data exfiltration paths. Route correlation and topology-based correlation do not fit as well because the question does not emphasize pathing through infrastructure topology. Multivariate correlation usually refers more broadly to statistical relationships across variables, not the explicit joining of alerts from separate investigative domains. Therefore, the strongest CHFI-aligned interpretation is cross-domain event correlation.

The correct answer is B because the middleware layer in IoT architecture sits between devices and applications and is responsible for functions such as data aggregation, filtering, transformation, access handling, and information discovery. References describing IoT middleware note that it manages heterogeneous IoT components and provides the software layer that connects hardware-side activity to the application layer. That matches the scenario exactly, since investigators are interested in the intermediate processing stage where policy violations could be exposed through aggregation, filtering, access control, and device discovery behavior. CHFI v11 includes IoT architecture, IoT threats, and IoT forensic analysis, so candidates are expected to identify which layer performs coordination and processing between devices and higher-level services. The application layer is where user-facing services reside, while edge and gateway concepts may participate in communication, but the broad interface and processing responsibilities listed in the question align most clearly with middleware. Therefore, the best answer is the middleware layer.