ECCouncil 312-49v11 - Computer Hacking Forensic Investigator (CHFIv11)

Option C is the strongest answer because the scenario describes frequent, high-volume outbound communications from an internal system to an untrusted external server , including large binary files that do not fit normal business workflows. CHFI v11 explicitly includes Indicators of Compromise (IoC) , Analyze Traffic to Detect Malware Activity , and Examine Data Exfiltration Attempts made through FTP under its network-forensics objectives.

These are classic signs of data exfiltration . The foreign destination, unusual data type, abnormal transfer volume, and deviation from standard operations all point toward unauthorized outbound movement of sensitive information. That is a more precise fit than failed connection attempts, off-hours logins, or reboot anomalies.

In CHFI terms, investigators use traffic analysis, log review, and event correlation to identify whether an internal host is behaving like a staging or exfiltration node. Since the question focuses on unexpected external communications and atypical outbound file transfers, the most accurate indicator of compromise is abnormal outbound traffic suggesting data exfiltration .

Option D is the correct answer because a brute force attack refers to a process in which attackers systematically guess passwords or encryption keys until they obtain valid access. CHFI v11 explicitly includes Investigating Brute Force Attack as part of its network and web attack objectives, making this a core concept candidates are expected to recognize.

This differs from social engineering, parameter manipulation, or exploitation of technical vulnerabilities. The defining feature of brute force is repeated trial-and-error authentication attempts , often automated, using many possible password combinations or key values. In online banking scenarios, this can manifest as repeated login attempts against customer accounts, frequently from the same source or through distributed infrastructure.

Option A describes interface manipulation, B is social engineering, and C is exploitation of vulnerabilities more generally. None of those captures the essential meaning of brute force. Therefore, under CHFI’s attack-investigation framework, the most accurate interpretation is that attackers are systematically guessing credentials or keys to gain unauthorized access .

Option B is the strongest answer because it directly points to a host or mail system being used to send spam, which is a common operational sign of malware compromise. The CHFI v11 blueprint includes malware behavior, malware artifacts and indicators, and system and network level analysis. In a case where a mail server is relaying suspicious traffic and message errors are appearing, investigators should focus first on alerts showing that spam is being sent from the affected system or associated email environment. That is more specific and more probative than general performance symptoms such as slowdown. Unexplained bounced emails can occur as a side effect, but they are less direct than confirmed alerts of outbound spam activity. Numerous unwanted emails and social posts is too broad and less tied to forensic validation of the suspect host. From an examiner’s perspective, the key is to identify evidence that the compromised machine is actively participating in spam distribution or botnet-style messaging behavior. That aligns with CHFI’s expectation that analysts recognize malware indicators not just by file artifacts, but also by suspicious communications and abnormal message-sending patterns across the environment.

This question aligns with CHFI v11 objectives under Malware Forensics and Static Malware Analysis of Suspicious Documents . When analyzing potentially malicious Microsoft Office documents, CHFI v11 emphasizes that investigators should always begin with static analysis before attempting any form of execution. This approach minimizes risk and helps identify embedded threats such as VBA macros, OLE objects, exploits, and obfuscation techniques without activating the payload.

The oleid tool (part of the oletools suite) is specifically designed for the initial inspection of OLE-based Microsoft Office documents . It quickly identifies indicators of compromise such as the presence of macros, embedded objects, suspicious file formats, encryption, and known exploit characteristics. CHFI v11 highlights oleid as a safe, non-intrusive first step to triage Office documents and determine whether deeper analysis (e.g., macro extraction or sandbox execution) is warranted.

Opening the document in a sandbox is a dynamic analysis step and should only occur after static indicators confirm malicious intent. The other options are either non-standard or insufficient for detecting embedded macro-based malware. Therefore, consistent with CHFI v11 malware forensics methodology, executing oleid to review suspicious components is the correct initial step.

The correct answer is B because ASCII is the character encoding standard that uses 7 bits and represents 128 unique characters. Those characters include English letters, digits, punctuation marks, and control characters, which matches the exact constraints described in the question. CHFI v11 includes character encoding standards such as ASCII and Unicode under file and data analysis, so candidates are expected to connect specific encoding limits to the right standard. UTF-8, UTF-16, and Unicode support much larger character sets and are designed to represent international text beyond the basic 128-character range. Although UTF-8 is backward compatible with ASCII for the first 128 characters, the question is explicitly asking for the compact 7-bit standard itself. In forensic recovery, identifying the correct encoding helps examiners reconstruct deleted text fragments accurately and avoid misinterpreting byte values as the wrong character set. Since the fragment set is limited to standard English characters and basic punctuation within a 128-symbol 7-bit scheme, ASCII is the only option that precisely fits. That makes ASCII the correct CHFI-aligned answer.

The correct answer is C because when a live system is found displaying an active session, the first responder should immediately preserve what is visible on the screen before that information changes or disappears. CHFI v11 places strong emphasis on first response, documenting the electronic crime scene, and preserving volatile or transient evidence. A screen may show logged-in users, running applications, chats, remote sessions, command windows, or other live artifacts that can vanish if the user session locks, the system sleeps, or the machine is powered down. Photographing the monitor and noting what is displayed creates an early evidentiary snapshot that helps reconstruct the scene later. Option A is good general practice, but it is broader and less urgent than capturing the live display. Option B may matter if witnesses exist, and option D is a later evidence-handling concern. The question asks what should be prioritized at the scene to support later reconstruction, and CHFI-style reasoning favors recording the immediate visual state of active systems before that state changes. That makes photographing the monitor and noting observations the best first-response action.

The best answer is A because the requirement that a warrant specify the place to be searched and the items to be seized is what limits the search to the court-approved scope. CHFI v11 covers search and seizure, obtaining a warrant, preserving evidence, and legal requirements affecting forensic work. In practice, this is the particularity requirement that prevents overly broad searches and helps ensure the examination stays focused on authorized evidence only. That limitation is especially important in digital forensics because a device may contain large amounts of unrelated personal or business information. Option B is too general and does not explain how scope is limited. Option C concerns timing rather than the boundaries of the search itself. Option D is not a core warrant requirement that defines what may be searched or seized. In CHFI-style legal reasoning, whenever the question asks what keeps a warrant narrowly tailored and tied to judicial approval, the correct answer is the provision that identifies the exact place to search and the exact items to seize. That is the central safeguard against an overbroad digital search.

Option A. Tor browser opened is the best answer because a memory dump captures the live contents of RAM, and the richest set of Tor-related evidence will exist when the Tor Browser is actively running . CHFI v11 explicitly includes Dark Web Forensics , TOR Browser artifacts , and analysis of memory and system artifacts to identify user activity and applications in use.

When Tor is open, memory may contain process data, loaded modules, active connections, recently rendered pages, configuration details, session-related artifacts, and fragments of user activity that may not be fully preserved elsewhere. If Tor is merely installed , the examiner may only find static installation artifacts. If it is closed , many live-session artifacts may already be gone from memory. If it is uninstalled , evidence may be even more limited.

Because the question asks which condition results in the maximum possible number of artifacts in a memory dump , the answer is clearly the state in which the application is actively executing. Therefore, under CHFI dark web and memory-forensics principles, the correct answer is Tor browser opened .

The correct answer is B because AWS CloudTrail is the native AWS audit service that records management-plane actions such as API calls and administrative changes, including timestamps, source IP addresses, user identity information, and request parameters. AWS documentation explicitly states that CloudTrail records information such as the identity of the user, the start time of the API call, the source IP address, the request parameters, and related response elements. That matches the scenario exactly. CHFI v11 includes cloud forensics and AWS forensic evidence sources, so candidates are expected to recognize CloudTrail as the primary account activity history for reconstructing cloud actions over time. Azure Monitor Logs, Microsoft Sentinel, and Google Logs Explorer are tied to other ecosystems or broader monitoring and analytics use cases, but the question asks for the native platform that records management-plane activity inside a single provider’s environment. Because the activity described involves API calls, configuration changes, and detailed audit reconstruction in AWS, the correct service is AWS CloudTrail.

Option D is the best answer because CHFI v11 emphasizes selecting the best data acquisition method , enabling write protection , and preserving evidence integrity while minimizing contamination. The blueprint also includes Live Mac Data Collection – Imaging, RAM and Volatile Data , collecting and analyzing macOS artifacts , and acquisition best practices across different evidence types.

In this scenario, the concern about macOS-specific malware makes it risky to boot into the suspect’s normal operating system, because that could execute malicious code, alter artifacts, or modify evidence. A forensic boot disk allows the investigator to start the system in a controlled environment that bypasses the installed macOS and reduces the chance of the suspect environment changing the data during acquisition. That supports a more forensically sound copy .

Removing the hard drive may be possible in some cases, but it is not always practical on macOS hardware and is not the best general answer here. Live acquisition and network-based acquisition both increase the risk of changes to the evidence state. Therefore, based on CHFI acquisition methodology and Mac forensic objectives, the strongest answer is to use a forensic boot disk for controlled disk access and imaging.