ECCouncil 312-49v11 - Computer Hacking Forensic Investigator (CHFIv11)

Option D. The inode table is the correct answer because, in Linux file systems such as ext2, file metadata including timestamps, permissions, ownership, and file size is stored in the file’s inode , not in the file’s content blocks. CHFI v11 explicitly includes Windows, Linux, and macOS File Systems , Linux File System Analysis Tools , and File System Analysis using The Sleuth Kit (TSK) , showing that exam candidates are expected to understand file-system structures and where key forensic metadata resides.

The data blocks contain file content, while the superblock stores overall file-system-level information such as layout and status. The dentry cache is a kernel memory structure related to name lookups and is not the primary persistent source for file metadata in this context. For detailed per-file forensic metadata, the examiner must look at the inode information.

Therefore, when Emily wants the most critical metadata about a specific ext2 file, the best source is the inode table , because that is where the file’s core descriptive attributes are maintained.

Option B is the most effective answer because CHFI v11 specifically lists password protection and encryption as anti-forensic techniques and also includes anti-forensics countermeasures and tools . In addition, the blueprint references password cracking tools and using rainbow tables to crack hashed passwords , which indicates that CHFI expects investigators to understand the difference between cracking passwords, handling encryption, and choosing efficient methods.

A dictionary attack is generally more practical and efficient than a full brute-force approach when investigators suspect human-created passwords. It tests likely password candidates first, often producing results faster and with fewer resources. A brute-force attack may eventually work, but it is usually slower and less efficient as an initial strategy. Rainbow tables are mainly useful against certain hashed password scenarios, not directly for decrypting arbitrary password-protected files or directories. Phishing is not an acceptable forensic response and would be unlawful and unethical.

Since the question asks for the most effective strategy to counter password-based anti-forensics in a professional investigation, the best CHFI-aligned answer is to begin with a dictionary attack using appropriate forensic tools and procedures.

Option D. 4625 is the correct answer because this Windows security event is associated with failed logon attempts , which is exactly what Jessica needs to review when looking for signs of a possible brute-force attack. CHFI v11 explicitly includes Types of Logon Events , Windows 11 Event Logs and Other Audit Events , Evaluating Account Management Events , and Event logs as core forensic topics.

In a brute-force scenario, investigators look for repeated failed authentication attempts over time, often tied to the same account, source, or system. The relevant audit evidence is found in Windows event logging, and failed logons are one of the most important indicators when examining suspicious authentication activity. This aligns directly with CHFI’s emphasis on using logs as evidence and ensuring log credibility and integrity during an investigation.

The other event IDs listed are not the standard failed-logon event used for this purpose. Because Jessica is specifically trying to count and analyze failed login attempts , event ID 4625 is the best and most forensic-relevant choice under CHFI’s Windows log analysis objectives.

The correct answer is D because Last Run Time is the field that directly indicates the most recent recorded execution of the program represented by the Prefetch file. NirSoft’s WinPrefetchView documentation notes that the utility exposes Last Run Time values from Windows Prefetch data, and for newer Windows versions it can even show multiple recorded run times. That makes it the most useful detail for confirming recency of execution. Process EXE identifies the executable name, Run Counter shows how many times a program has run, and File Size is not an execution-timeline artifact. CHFI v11 includes analysis of Windows files, execution artifacts, and Prefetch evidence, so candidates are expected to distinguish between fields that show identity, frequency, and timing. In a case where the investigator needs to prove that the suspicious utility was run recently, the decisive indicator is not simply that it exists or was run many times, but the timestamp of the latest execution. Therefore, the detail that best confirms the most recent execution is Last Run Time.

The correct answer is A because per-event timestamps are stored within the EVENTLOGRECORD structure, not in the file header. Microsoft’s EVENTLOGRECORD definition includes fields such as TimeGenerated and TimeWritten, which provide the event-level timing needed to compare when an event occurred versus when it was written to the log. That is exactly what the question is asking for. By contrast, ELF_LOGFILE_HEADER and flags such as ELF_LOGFILE_HEADER_WRAP describe overall file-level state and logging conditions, not timestamps for individual event entries. CHFI v11 covers event log file format, EVENTLOGRECORD structure, and ELF_LOGFILE_HEADER structure, so this distinction is directly within scope. In a timeline validation scenario, analysts must separate the metadata that describes the health or status of the whole log file from the record fields that describe each event. Since the investigators need event-by-event timestamps to evaluate possible late writes around shutdown, the only correct component among the options is the EVENTLOGRECORD structure.

Option C. Sysmon is the best answer because CHFI v11 explicitly includes system behavior analysis involving monitoring files and folders , along with monitoring processes, services, startup programs, Windows event logs, API calls, and device drivers . In this scenario, Bob needs a tool that can log file and folder changes on a Windows system so he can understand how the malware modified the environment to hide itself.

Sysmon is designed to generate detailed system activity logs that can help investigators track suspicious changes and correlate them with process execution and other indicators of compromise. That makes it much more appropriate than the other choices. IDA Pro is primarily for reverse engineering binaries, EnCase is a broad forensic suite rather than a dedicated real-time system activity monitor, and FTK Imager focuses on imaging and evidence preview rather than ongoing change logging.

Because the question is specifically about monitoring and logging changes to files and folders , Sysmon is the most direct and CHFI-aligned answer for observing malware behavior at the system level.

Option D is the intended answer. The question appears to contain a typo: “PNC” is almost certainly meant to be PNG . CHFI v11 explicitly includes Understanding Hex Editors and Hexadecimal Notation , Image File Analysis: JPEG and BMP , and Hex View of Popular Image File Formats , which means candidates are expected to recognize file types from signature bytes in hex view.

The well-known PNG file signature begins with the bytes 89 50 4E 47 . The sequence shown in the question, “89 50 4c” , looks incomplete or slightly mistyped, but it is clearly intended to point toward the PNG signature pattern rather than BMP, JPEG, or PDF. BMP files begin differently, JPEG files usually start with FF D8 FF , and PDF files begin with 25 50 44 46 corresponding to %PDF.

Because CHFI expects forensic investigators to identify file types through hexadecimal file-header analysis , the only reasonable answer from the choices is the typoed D , representing PNG . Therefore, Michael is looking at what the exam item intends to be a PNG image file .

The correct answer is B because once investigators have already identified the active port with netstat, the next step is to determine what that port is commonly associated with and whether its use is expected in the environment. Referring to online port databases or trusted service-port references helps analysts map a port number to known applications, registered services, or suspicious historical usage patterns. CHFI v11 includes malware behavior analysis at the system and network level, including monitoring ports and network activities, so candidates are expected to move from observation to interpretation. Option D only repeats the step that has already been performed. Option A is too vague because simply calling a port suspicious does not explain why. Option C is unsafe and unnecessary because the file has already been executed and the relevant network artifact has been observed. In a forensic workflow, after identifying an unknown active port, investigators should validate its meaning through recognized service-port references and then correlate that knowledge with process, destination, and timing evidence. That makes online port databases the best answer.

According to the CHFI v11 Regulations, Policies, and Ethics domain, privacy issues most commonly arise during the forensic analysis phase of a cybercrime investigation. While search warrants legally authorize investigators to collect and examine specific digital evidence, they are typically scope-limited to the suspect, systems, data types, and timeframes defined in the warrant.

During forensic analysis , investigators may inadvertently encounter personal or sensitive information belonging to third parties , such as usernames, email addresses, chat records, credentials, or identifiers of other users connected to the system. CHFI v11 explicitly highlights this phase as legally and ethically sensitive because analysts must ensure that non-relevant data and third-party information are handled carefully to avoid violations of privacy laws and data protection regulations.

Implementing network security measures is a preventive activity, not an investigative one. Obtaining search warrants is a legal safeguard designed to protect privacy, not create privacy concerns. Preserving anonymity is a mitigation action, not the step that introduces the risk.

CHFI v11 stresses the importance of minimization, access control, proper documentation, and legal oversight during forensic analysis to prevent misuse or overexposure of unrelated personal data. Failure to manage privacy during this phase can result in legal challenges, evidence exclusion, or regulatory violations.

Therefore, the step that raises privacy-related concerns in this scenario is conducting forensic analysis , making Option B the correct and CHFI v11–verified answer.

Option D is the best answer because removing and reinserting the CMOS battery is a traditional hardware method used to reset stored motherboard configuration settings, including the BIOS password on some systems. CHFI v11 includes Booting Process , Windows Boot Process: BIOS-MBR Method and UEFI-GPT , and under tools it explicitly mentions a Tool to Reset Admin Password , showing that exam candidates are expected to understand system-access and startup-related recovery concepts.

The question is specifically about a BIOS password , not full-disk encryption or operating-system user credentials. Removing the CMOS battery does not decrypt the hard drive and does not normally bypass Windows or Linux user account passwords. Its purpose in this context is to clear or reset firmware-level settings maintained by the motherboard.

Option C is close in wording, but the more precise and intended answer is that the action is being used to reset the BIOS password itself. Therefore, under CHFI operating-system and boot-process concepts, the correct choice is D .