Free ECCouncil 312-49v11 Practice Exam with Questions & Answers | Set: 5

This scenario aligns with CHFI v11 objectives under Computer Forensics Fundamentals and Insider Threat and Identity Theft Forensics . One of the defining characteristics of an insider threat is that the attacker already possesses authorized or legitimate access to internal systems, applications, or sensitive data. CHFI v11 emphasizes that insider attacks often bypass perimeter defenses because the malicious activity originates from trusted accounts, internal IP ranges, or authenticated sessions.

If sensitive data is altered from within the organization’s network using valid credentials, it strongly suggests insider involvement. Insiders may include disgruntled employees, contractors, or partners who misuse their access privileges intentionally or unintentionally. This type of breach is often detected through anomalies in user behavior, access logs, privilege misuse, or violations of least-privilege principles.

The other options point to external attack indicators. Social engineering typically targets users from outside the network, known external IP addresses suggest external threat actors, and DDoS attacks are characteristic of external disruption rather than internal data manipulation. CHFI v11 highlights that distinguishing insiders from external attackers is critical for attribution, legal action, and remediation. Therefore, legitimate internal access to systems and data is the strongest indicator that the breach was carried out by an insider.

This question maps directly to CHFI v11 objectives under Computer Forensics Fundamentals and Standards and Best Practices Related to Computer Forensics , specifically the ENFSI Best Practices for the Forensic Examination of Digital Technology . ENFSI (European Network of Forensic Science Institutes) guidelines focus primarily on ensuring that digital evidence is handled in a secure, reliable, and forensically sound manner so that it remains admissible and defensible in legal proceedings.

The examiner’s primary concern under ENFSI best practices is the secure handling of digital evidence , which includes proper acquisition, preservation, documentation, storage, and chain of custody management. These practices ensure evidence integrity, prevent contamination or alteration, and allow results to be independently verified. CHFI v11 emphasizes that forensic investigators must be able to demonstrate that evidence has not been tampered with and that standardized procedures were followed throughout the investigation lifecycle.

While GDPR, ISO/IEC 17025, and ISO/IEC 27001 are important regulatory and security frameworks, they are not the core focus of ENFSI forensic examination guidelines. ENFSI is evidence-centric, prioritizing secure evidence handling and methodological consistency. Therefore, establishing secure evidence-handling protocols is the correct and CHFI-aligned answer.

The correct answer is A because the scenario spans the full lifecycle of incident handling rather than only one stage. It includes readiness and role assignment, communication, containment, eradication of the malicious code, recovery of services, and a later lessons-learned review. Microsoft’s incident-response guidance, aligned to NIST SP 800-61, describes the overall process as preparation, detection and analysis, containment with eradication and recovery, and post-incident activity. CHFI v11 similarly includes computer forensics as part of the incident response plan and an overview of incident response process flow. Because the question asks for the structured approach that best describes the complete method being followed, a single phase like Preparation, Post-Incident Activities, or Eradication would be too narrow. The team is clearly moving through multiple coordinated stages of one overall framework. In exam terms, when a scenario describes the entire progression from preparation through recovery and review, the correct answer is the overall incident response process flow, not one isolated sub-phase.

The correct answer is B because the malware is displaying analysis-environment awareness and changing its behavior when it detects that it is being observed. MITRE documents virtualization and sandbox evasion as a technique where malware checks for signs of a virtual machine or sandbox and then disengages, terminates, or conceals its true functions. That is exactly what the scenario describes. CHFI v11 includes malware analysis challenges, controlled malware analysis labs, and general rules for malware analysis, all of which prepare candidates to recognize anti-analysis behavior as a practical obstacle. Option A refers to obfuscation and concealment techniques inside the malware itself, which are different from runtime detection of the analysis environment. Option C is not a challenge or tactic, and option D is the goal of analysis rather than the behavior being observed. In a forensic sandbox, when a specimen stops, sleeps, or changes its path because it detects a monitored environment, the key concept is sandbox or analysis-environment evasion. Therefore, the best answer is detection of analysis environments and modification of execution behavior.

According to the CHFI v11 Forensic Investigation Process and Event Correlation objectives , the forensic technique that enables investigators to reconstruct the sequence of events and determine the root cause of an incident is data analysis . Data analysis is the phase where collected evidence is examined, correlated, and interpreted to extract meaningful insights about attacker behavior.

During data analysis, investigators examine logs, timestamps, file system metadata, registry entries, network traffic, memory artifacts, and security alerts to perform timeline analysis , event correlation , and kill chain reconstruction . CHFI v11 explicitly highlights techniques such as timeline creation, event deconfliction, and correlation analysis as essential for identifying the time of attack , vulnerabilities exploited , methods used , and actions performed by the attacker .

The other options represent different forensic phases but do not directly achieve the stated goal. Data acquisition focuses on collecting evidence in a forensically sound manner, not interpreting it. Data duplication involves creating forensic copies to preserve evidence integrity. Photographing the crime scene applies primarily to physical forensics and documentation, not digital event reconstruction.

CHFI v11 emphasizes that without proper data analysis , raw evidence remains unstructured and cannot support attribution, root cause analysis, or legal prosecution. Therefore, to uncover the complete sequence of malicious activities and generate an accurate incident timeline, Data analysis is the most effective forensic technique.

Hence, the correct and CHFI-verified answer is Option C .

The correct answer is B because Google Transfer Appliance is specifically designed for large-scale offline data movement into Google Cloud when network bandwidth is limited or impractical. Google documents it as a high-capacity storage appliance that customers load on-premises and then securely ship to a Google upload facility, where the data is transferred into Cloud Storage. That matches the scenario exactly: the site is isolated, the bandwidth is constrained, and the volume is extremely large at 600 TB. In CHFI v11, cloud forensics includes understanding cloud platforms and evidence acquisition approaches, so recognizing the difference between online transfer services and offline shipping methods is important. Data Transfer Services generally rely on network-based transfers and are not the best choice when direct connectivity is a bottleneck. Cloud Storage for Firebase is unrelated to bulk evidence migration, and Backup and DR is intended for protection and recovery workflows rather than secure offline ingestion. When the exam scenario stresses secure shipment of very large datasets into Google Cloud without relying on available bandwidth, Transfer Appliance is the only option that cleanly fits the operational requirement.

Under the CHFI v11 objectives related to Cloud Forensics and AWS Forensics , log preservation is a critical requirement for effective investigation and legal admissibility. In Amazon Web Services, CloudWatch Logs retention policies allow investigators to control how long log data is stored before it is automatically deleted. Modifying retention policies for individual log groups ensures that relevant forensic artifacts—such as authentication logs, API activity records, and system events—remain available for analysis throughout the investigation lifecycle.

In this scenario, the investigator’s goal is not to analyze or query logs immediately, but to extend or manage the lifespan of log data so that it is not lost due to default retention limits. This aligns precisely with the feature that allows investigators to modify retention policies for individual log groups . CHFI v11 highlights the importance of preserving cloud-based evidence early, as cloud logs may be ephemeral and subject to automatic deletion if not properly configured.

Option A refers to general monitoring capabilities, while Option B focuses on querying and searching log data using Logs Insights—both are analytical functions, not retention management. Option D involves alerting mechanisms and does not control log storage duration.

The CHFI Exam Blueprint v4 explicitly includes logs in AWS and cloud evidence acquisition , emphasizing retention configuration as a key forensic readiness and investigation task, making Option C the correct and exam-aligned answer

The correct answer is C because Google Cloud positions Hyperdisk as its recommended durable block storage and specifically describes Hyperdisk Throughput as a fit for scale-out analytics workloads. Google’s documentation states that Hyperdisk is the fastest and most efficient durable disk for Compute Engine, and its block storage guidance highlights Hyperdisk Throughput for scale-out analytics use cases. That aligns well with a mission-critical SQL Server environment that needs strong persistence, scalable performance, and advanced storage management. Local SSD is very fast but is tied to the host and does not offer the same persistence characteristics expected for this kind of workload. Standard Persistent Disk is durable and broadly useful, but the question emphasizes scaling out analytics and high performance, which points more strongly to Hyperdisk’s workload-optimized offerings. CHFI v11 includes cloud platforms and storage-related evidence considerations, so candidates are expected to recognize when a cloud service’s performance and durability profile best matches the scenario. Here, Hyperdisk is the most appropriate answer.

Option C is the strongest answer because the scenario emphasizes two critical forensic requirements: maintaining chain of custody and ensuring the findings are usable in court . CHFI v11 gives heavy importance to evidence preservation , chain of custody , data acquisition methodology , and validating data acquisition . These objectives make it clear that before deep analysis begins, the examiner must first preserve the integrity of the evidence and document it in a defensible way.

Creating hash values for the leaked files at the start provides a baseline for proving that the evidence has not been altered during handling, storage, or later examination. This is especially important when dealing with a very large dataset and multiple investigators or later court scrutiny. Hashing supports integrity verification and ties directly into the broader chain of custody process.

Option A risks examining unverified evidence. Option B may help later with triage, but it should not come before integrity controls. Option D increases the risk of poor evidence control if done before proper preservation and verification. Therefore, under CHFI data acquisition and legal evidence principles, Jenny should first hash the files and preserve evidence integrity before conducting substantive analysis.

The correct answer is C because the signature FF D8 FF E0 is a well-known JPEG file header, and FF D9 is the standard JPEG end-of-image marker. In forensic file analysis, CHFI v11 expects candidates to understand file signatures and identify common file formats from hexadecimal headers and trailers, especially when working with carved fragments from unallocated space. The second signature in the question, 42 4D, identifies a BMP file because those bytes correspond to the Bitmap header. This contrast helps confirm that the first fragment is the JPEG one. Recognizing these signatures is important when file extensions are missing, corrupted, or intentionally changed to mislead investigators. JPEG files are especially common in photo evidence, email attachments, web artifacts, and recovered user content, so being able to identify them from raw hex data is a practical forensic skill. In CHFI-style questions, when the fragment begins with FF D8 FF E0 and closes with FF D9, the correct file type is JPEG. That answer aligns directly with the blueprint objective on image file analysis and hexadecimal file identification.