ECCouncil 312-49v11 - Computer Hacking Forensic Investigator (CHFIv11)

According to the CHFI v11 Anti-Forensics Techniques domain, steganography is a sophisticated method used by attackers to conceal sensitive or malicious information within seemingly normal files such as images, audio files, video files, or documents. Unlike encryption, which makes data unreadable but visibly suspicious, steganography hides the existence of the data itself , making detection significantly more challenging during forensic analysis.

In steganography, data is embedded into unused or less noticeable parts of a file—such as the least significant bits (LSB) of image pixels or audio samples—without noticeably altering the file’s appearance or functionality. As a result, standard antivirus tools, intrusion detection systems, and basic forensic scans may not flag these files as suspicious. CHFI v11 highlights steganography as a common anti-forensic tactic used for covert data exfiltration, command-and-control communication, and storage of illegal or confidential information.

The other options are less effective in this scenario. File extension mismatch can often be detected through file signature analysis. Hiding data in file system structures leaves traces in metadata or unallocated space. Trial obfuscation is not a formally recognized anti-forensics technique in CHFI v11.

CHFI v11 emphasizes that detecting steganography often requires specialized steganalysis tools , statistical analysis, and anomaly detection techniques beyond conventional scanning.

Therefore, the technique used to hide sensitive information within normal-looking files—fully aligned with CHFI v11—is Steganography , making Option D the correct answer.

Option C. Autoruns is the best answer because the question is specifically about identifying services and other components configured to start automatically during boot . In CHFI-style Windows forensics and malware persistence analysis, investigators focus on auto-start mechanisms , including services, registry run keys, startup folders, drivers, scheduled tasks, and related launch points. Autoruns is designed to enumerate these persistence locations in a comprehensive way, making it the most appropriate tool among the options.

Event Viewer is useful for examining logs and system events, but it is not the primary tool for enumerating all boot-start and auto-start entries. Task Manager can show currently running processes and some startup items, but it is less complete than Autoruns for deep persistence analysis. Process Explorer is excellent for analyzing active processes and parent-child relationships, yet it is not focused on full startup enumeration.

Because Sophia wants to identify which Windows services are configured to start automatically , the most effective forensic tool is Autoruns , which directly supports malware persistence investigation and startup analysis.

Option C is the best answer because CHFI v11 specifically includes Forensic Readiness and Business Continuity , Forensics Readiness Planning and Procedures , Computer Forensics as part of the Incident Response Plan , and the need for a sound forensic investigation process . The blueprint also emphasizes Evidence Preservation , Data Acquisition and Data Analysis , and proper procedural handling during investigations.

Since John already has an incident response plan and a properly resourced SOC, the most valuable addition is a detailed procedure for evidence collection and analysis . That directly strengthens forensic readiness by ensuring that when an incident occurs, responders know how to preserve evidence, collect it properly, avoid contamination, and support future legal or disciplinary action. This is more directly tied to CHFI forensic-readiness concepts than broader security improvements.

AI-based detection , zero trust , and network reviews can all improve security posture, but they are not the clearest addition to a forensic readiness plan itself. The question is about improving the organization’s ability to investigate future incidents in a defensible manner, which is exactly what documented collection and analysis procedures provide.

Option D. Sniff and analyze packets is the best answer because the scenario states that Liam captured network traffic specifically to examine the activity associated with the suspicious transaction. In CHFI v11, network and wireless forensic work includes identifying access points, discovering active connections, and performing packet capture and analysis to reconstruct events and detect suspicious communications.

Once the investigator is actually collecting and examining traffic content, he has moved beyond discovery into the packet-sniffing and analysis phase . This is where the examiner looks for suspicious sessions, authentication attempts, remote-access behavior, protocol anomalies, and other evidence that may show how the transaction was performed remotely.

Option A is narrower and would focus more on enumerating current sessions. Options B and C are earlier wireless-network investigative activities related to locating infrastructure. Since Liam is already capturing and analyzing the actual traffic, the most accurate phase is sniff and analyze packets . That aligns best with CHFI’s traffic-analysis and network-forensics objectives.

Option A is the best answer because it directly matches CHFI v11’s treatment of Legal and IT Team Considerations for eDiscovery , the EDRM Cycle , eDiscovery collections/methodologies , and the need to manage evidence in a way that is both technically sound and legally defensible .

The IT team plays the primary role in ensuring that electronically stored information is identified, preserved, and collected without altering or damaging the evidence. That supports integrity, authenticity, and forensic soundness . The legal team, by contrast, ensures that collection scope, process, privacy considerations, and production decisions comply with the applicable rules so the evidence remains admissible and usable in court . CHFI stresses both the legal and technical dimensions of digital evidence handling, especially in eDiscovery contexts.

Option B is too narrow and misstates the legal team’s role. C focuses on analysis rather than the stated primary benefit. D reverses the responsibilities. Therefore, the core advantage of involving both teams is that IT preserves evidentiary integrity while legal protects admissibility and compliance .

The best answer is D because the scenario explicitly centers on limited time for examination. CHFI v11 teaches that the choice of acquisition method depends on practical investigative constraints, including the nature of the evidence, volatility, legal scope, and the time available to perform extraction. Here, the dominant operational factor is that investigators cannot spend long periods examining the devices at the scene. That means the acquisition approach must be chosen primarily with time constraints in mind, possibly favoring targeted or faster collection options over slower, more exhaustive methods. Required live data could also influence the method in some cases, but the question does not emphasize volatile memory or active-system state as the main issue. Recovery of deleted data is a goal that may matter later, and available tools are always relevant, but neither is the direct constraint highlighted by the scenario. In CHFI-style reasoning, when the examination setting itself limits how long responders can work, the most immediate deciding factor for acquisition strategy is the time available for extraction. Therefore, time constraints should most directly guide the method selection.

The correct answer is C because RAID 6 uses distributed parity and is designed to tolerate the failure of any two drives in the array. Storage references and vendor documentation describe RAID 6 as similar to RAID 5 but with an additional parity block arrangement that allows continued operation after two simultaneous disk failures. That matches the scenario exactly. RAID 5 also distributes parity, but it only tolerates a single drive failure. RAID 0 offers striping with no redundancy at all, and RAID 1 relies on mirroring rather than the distributed data-plus-parity design described in the question. CHFI v11 includes RAID storage systems and the logical structure of disks, so candidates are expected to know how fault tolerance differs across RAID levels. In forensic analysis of enterprise storage, recognizing the correct RAID configuration matters because it affects data availability, reconstruction strategy, and interpretation of how evidence survives hardware faults. Since the array continues functioning after two drive failures with distributed parity, the correct answer is RAID 6. (ibm.com)

The correct answer is A because hashing is the standard validation method used to confirm that a forensic image exactly matches the original source. CHFI v11 includes data acquisition validation tools and emphasizes validating acquired evidence as part of sound forensic methodology. By calculating cryptographic hash values such as MD5 or SHA-256 on both the original media and the acquired duplicate, the examiner can demonstrate that the contents are identical at the time of acquisition. This is one of the most important ways to support evidentiary integrity and courtroom defensibility. Compression does not validate equivalence, RAID reconstruction is unrelated unless the source itself is a RAID system requiring assembly, and data sanitization applies to preparing media, not proving a copied image is exact. In forensic practice, the duplicate is trusted only when a validation process confirms there has been no alteration during acquisition or storage. Since the question asks for the method that proves the duplicate image is an exact copy, the correct answer is computing cryptographic hash values such as MD5 or SHA-256.

The best answer is D because in Windows security group membership events, the field that identifies the account actually added to or removed from the group is the Member ID field. The Target Account Name refers to the group being modified, not the user or object inserted into or deleted from that group. Caller User Name identifies the subject who performed the action, which is useful for attribution, but it does not identify the changed member itself. The first line of the event description is not a reliable field-level answer because the question asks for the specific data element. This aligns with the CHFI v11 objectives on event logs, evaluating account-management events, and log files as evidence. In practice, forensic analysts must separate three things in a group change event: the actor who made the change, the group that was affected, and the member object that was added or removed. Microsoft’s auditing documentation for these events shows that Member identifies the distinguished name or SID-linked object involved in the membership change. For exam purposes, that makes Member ID the most precise and defensible choice.

The correct answer is D because high entropy and the absence of readable strings are classic indicators that a sample may be packed, encrypted, or otherwise obfuscated. In static malware analysis, one of the first priorities in such a case is to identify the packing or obfuscation method so the analyst can understand how the file has been transformed and what additional unpacking or decoding steps may be needed. CHFI v11 includes static and dynamic malware analysis, analysis of suspicious files, and techniques for understanding malware structure before execution. Local or online malware scanning can provide reputation information, but it does not directly explain the structural concealment method. File fingerprinting identifies known samples, and strings analysis is useful, but the question already tells us that strings are scarce and entropy is high, making raw string extraction less informative. In forensic malware work, those clues point directly to packing or obfuscation. Therefore, the most appropriate static technique is to identify the packing or obfuscation methods used by the sample before any runtime testing begins.