Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 5

This question maps directly to CHFI v11 objectives underMalware Forensics, specificallymalware persistence mechanisms and behavior analysis. Persistent malware is designed to survive system reboots and removal attempts by embedding itself into startup locations, registry keys, scheduled tasks, services, boot sectors, or firmware. CHFI v11 emphasizes that identifying persistence mechanisms is a critical step in malware analysis and incident response.

From a forensic perspective, understandinghowmalware maintains persistence allows investigators to fully eradicate the threat and prevent reinfection. If persistence artifacts are not identified and removed, the malware can continuously reinstall itself, rendering cleanup efforts ineffective and allowing attackers to maintain long-term access. CHFI v11 highlights registry-based persistence, startup folders, services, cron jobs, launch agents, and boot-level persistence as common techniques that must be analyzed.

Additionally, identifying persistence helps investigators reconstruct the attack timeline, understand attacker intent, and determine the scope of compromise. The other options are not primary forensic objectives—system performance, malware geography, or network optimization are unrelated to persistence analysis. Therefore, in accordance with CHFI v11 malware forensics principles, identifying malware persistence is essential to prevent future infections and ensure the long-term security of the system.

According to theCHFI v11 Procedures and Methodologydomain, theIncident Response Process Flowfollows a structured sequence to ensure incidents are handled efficiently, lawfully, and with minimal impact. Once an incident is detected andstakeholders such as management, third-party vendors, and affected clients are informed, thenext immediate priority is containment.

Containmentfocuses onlimiting the scope and impact of the incidentto prevent further damage, data loss, or lateral movement by the attacker. This may include isolating affected systems, blocking malicious IP addresses, disabling compromised accounts, segmenting networks, or applying temporary firewall rules. CHFI v11 emphasizes that containment must be executed swiftly to preserve evidence while stopping the ongoing threat.

The other options represent different phases of the incident response lifecycle.Incident triageandincident recording and assignmentoccur earlier, during detection and initial response.Eradicationis a later phase that involves removing malware, closing vulnerabilities, and eliminating attacker persistence—but only after the threat has been successfully contained.

CHFI v11 explicitly states that failing to prioritize containment after notification can allow attackers to continue exploiting systems, leading to greater organizational and legal consequences. Therefore, the correct and CHFI v11–verified immediate priority isContainment, makingOption Athe correct answer.

According to theCHFI v11 Computer Forensics Fundamentalsmodule, one of thecore responsibilities of a forensic investigatoris to ensure theproper handling, preservation, and integrity of digital evidence. This responsibility is foundational to the entire forensic process and directly impacts theadmissibility of evidence in court.

In the given scenario, the investigator creates aforensic imageof the suspect’s hard drive rather than working directly on the original media. CHFI v11 explicitly states that investigators must always perform analysis on abit-by-bit forensic copywhile preserving the original evidence in a secure, controlled environment. This practice prevents accidental modification, contamination, or destruction of original data and ensures compliance with thebest evidence ruleandchain of custody requirements.

The act of securely storing the original drive and working only on the forensic image demonstrates strict adherence to evidence preservation principles. While recovering deleted files is an investigative goal, the scenario emphasizesmaintaining integrity and preventing alteration, which aligns directly with evidence handling and preservation—not reporting, stakeholder engagement, or device reconstruction.

CHFI v11 consistently reinforces that failure to preserve evidence properly can lead tolegal challenges, evidence exclusion, or case dismissal, regardless of the quality of the technical analysis performed.

Therefore, the responsibility being fulfilled in this scenario—fully aligned with CHFI v11—isensuring appropriate handling and preservation of evidence, makingOption Athe correct answer.

This question aligns with CHFI v11 objectives underCloud Forensics, particularly focusing on evidence acquisition and analysis in cloud environments such as Google Cloud Platform (GCP). Unlike traditional on-premises systems, cloud infrastructures rely heavily onlogs and metadataas primary sources of forensic evidence because investigators often do not have direct access to physical hardware.

CHFI v11 emphasizes that cloud service logs—such as audit logs, access logs, activity logs, and resource metadata—are crucial for reconstructing events in a cloud-based incident. In GCP, these logs record detailed information aboutuser actions, API calls, authentication attempts, resource creation or deletion, privilege changes, and interactions with cloud services. This enables investigators to trace malicious activity, identify compromised accounts, establish timelines, and attribute actions to specific users or service accounts.

While logs may incidentally include IP addresses or device-related hints, their primary forensic value lies in trackingwhat actions were performed, when they occurred, and by whom. Encryption mechanisms are predefined by the cloud provider and are not inferred from logs during investigations. Therefore, consistent with CHFI v11 cloud forensics methodology, logs and metadata are essential for tracking user actions and interactions within the GCP environment, making option D the correct answer.

This scenario directly aligns with CHFI v11 objectives underAnti-Forensics Techniques, specifically techniques used to alter or destroy forensic artifacts to obstruct investigations. Log files on macOS systems—such as system logs, application logs, and security logs—are critical sources of evidence that help investigators reconstruct user activity, detect intrusions, and build event timelines.

When an attackeralters, deletes, or modifies log entries, the anti-forensic technique employed is classified asdata manipulation. CHFI v11 defines data manipulation as the intentional modification, deletion, or corruption of data or metadata to mislead investigators or erase traces of malicious activity. Log tampering is a classic example, as attackers often remove evidence of unauthorized access, privilege escalation, or persistence mechanisms.

Data encryption would make logs unreadable but not selectively altered or deleted. Data hiding involves concealing information in alternate locations (e.g., steganography or hidden files), while data obfuscation focuses on making data confusing but still present. In contrast, the complete deletion or alteration of log messages is a deliberate attempt to falsify or erase evidence. Therefore, consistent with CHFI v11 anti-forensics classifications,data manipulationis the correct and most accurate answer.