
EC-COUNCIL Computer Hacking Forensic Investigator (CHFI-v11) - 312-49v11 Exam Questions
QUESTION NO: 1
Following a data breach, suspicion falls on an employee who had access to sensitive information.
Insider threat tools are deployed to scrutinize the employee's digital activities and flag any anomalous behavior, aiding both the investigation and the prevention of future breaches.
How do insider threat tools contribute to cybersecurity in the given scenario?
Following a data breach, suspicion falls on an employee who had access to sensitive information.
Insider threat tools are deployed to scrutinize the employee's digital activities and flag any anomalous behavior, aiding both the investigation and the prevention of future breaches.
How do insider threat tools contribute to cybersecurity in the given scenario?
Correct Answer: C
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 2
Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What is the next thing he should do as a security measure?
Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What is the next thing he should do as a security measure?
Correct Answer: B
QUESTION NO: 3
As a Computer Hacking Forensic Investigator (CHFI). you are investigating a possible breach on a web application protected by a Web Application Firewall (WAF). You notice some logs on the WAF that suggest there were some repeated attempts to bypass the SQL injection protection.
After inspecting the web server and MySQL database you Find no indications of data manipulation. You then decide to delve deeper and examine the database server logs. Which of the following would you most likely infer if you notice a log entry indicating a query command as
"1' OR '1'='1'; -- "?
As a Computer Hacking Forensic Investigator (CHFI). you are investigating a possible breach on a web application protected by a Web Application Firewall (WAF). You notice some logs on the WAF that suggest there were some repeated attempts to bypass the SQL injection protection.
After inspecting the web server and MySQL database you Find no indications of data manipulation. You then decide to delve deeper and examine the database server logs. Which of the following would you most likely infer if you notice a log entry indicating a query command as
"1' OR '1'='1'; -- "?
Correct Answer: C
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 4
During a malware intrusion investigation at an enterprise workstation, forensic analysts use Magnet AXIOM to reconstruct how suspicious executables were introduced and run over time.
The investigation requires an artifact that records metadata about executed programs-including file paths and execution context-even when the original binaries are no longer present on disk.
This artifact is used to support execution timeline analysis in conjunction with other system evidence. Which artifact should investigators prioritize for this purpose?
During a malware intrusion investigation at an enterprise workstation, forensic analysts use Magnet AXIOM to reconstruct how suspicious executables were introduced and run over time.
The investigation requires an artifact that records metadata about executed programs-including file paths and execution context-even when the original binaries are no longer present on disk.
This artifact is used to support execution timeline analysis in conjunction with other system evidence. Which artifact should investigators prioritize for this purpose?
Correct Answer: A
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 5
Rebecca, a seasoned forensic investigator, has been called in to investigate a potential data leak at a top-tier tech firm. The leak seems to involve confidential blueprint files which are highly valuable. The firm's network has been breached, and the leak appears to be ongoing. A junior member of Rebecca's team suggests shutting down the server to prevent further leaks. However, Rebecca knows this would violate a key principle in digital forensics. Which principle is it?
Rebecca, a seasoned forensic investigator, has been called in to investigate a potential data leak at a top-tier tech firm. The leak seems to involve confidential blueprint files which are highly valuable. The firm's network has been breached, and the leak appears to be ongoing. A junior member of Rebecca's team suggests shutting down the server to prevent further leaks. However, Rebecca knows this would violate a key principle in digital forensics. Which principle is it?
Correct Answer: A
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 6
During a late-night incident at an e-commerce site in Houston, Texas, analysts see bursts of database errors and long time-taken values in IIS logs that coincide with requests where attackers reportedly appended encoded input to the URL. To isolate and compare the exact payload strings against these spikes, which IIS W3C field should investigators parse?
During a late-night incident at an e-commerce site in Houston, Texas, analysts see bursts of database errors and long time-taken values in IIS logs that coincide with requests where attackers reportedly appended encoded input to the URL. To isolate and compare the exact payload strings against these spikes, which IIS W3C field should investigators parse?
Correct Answer: B
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 7
After reviewing evidence collected from an Android handset in an extortion investigation in Miami, Florida, analysts parse a messaging app's SQLite store. Witness screenshots show several last- minute messages, but those entries are absent from the primary database file acquired moments later. The app is known to use a performance-optimized journaling mode. Where should analysts look first to recover the most recent records that were not yet merged into the main database?
After reviewing evidence collected from an Android handset in an extortion investigation in Miami, Florida, analysts parse a messaging app's SQLite store. Witness screenshots show several last- minute messages, but those entries are absent from the primary database file acquired moments later. The app is known to use a performance-optimized journaling mode. Where should analysts look first to recover the most recent records that were not yet merged into the main database?
Correct Answer: D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 8
Sarah, a forensic investigator, is conducting an investigation on a macOS device that is suspected to have been compromised. She is tasked with gathering evidence of unauthorized access to the system. As part of her investigation, she needs to locate information related to when and who accessed the system. In addition to reviewing general system logs, Sarah knows she must focus on certain types of system files that might provide detailed data on unauthorized activities. Which area of the macOs file system would provide the most relevant information regarding logon attempts and other authentication events?
Sarah, a forensic investigator, is conducting an investigation on a macOS device that is suspected to have been compromised. She is tasked with gathering evidence of unauthorized access to the system. As part of her investigation, she needs to locate information related to when and who accessed the system. In addition to reviewing general system logs, Sarah knows she must focus on certain types of system files that might provide detailed data on unauthorized activities. Which area of the macOs file system would provide the most relevant information regarding logon attempts and other authentication events?
Correct Answer: D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 9
During a malware investigation at a tech firm in Miami, forensic analysts suspect that the attacker attempted to conceal activity by removing traces of previously executed programs on the compromised workstation. What source of evidence would best allow investigators to reconstruct execution activity and identify attempts to remove traces of prior programs?
During a malware investigation at a tech firm in Miami, forensic analysts suspect that the attacker attempted to conceal activity by removing traces of previously executed programs on the compromised workstation. What source of evidence would best allow investigators to reconstruct execution activity and identify attempts to remove traces of prior programs?
Correct Answer: A
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 10
Which of the following is considered as the starting point of a database and stores user data and database objects in an MS SQL server?
Which of the following is considered as the starting point of a database and stores user data and database objects in an MS SQL server?
Correct Answer: D
QUESTION NO: 11
Sophia, a network security analyst, is reviewing the logs from a Cisco router in an attempt to identify suspicious traffic patterns. She encounters a log entry that matches the criteria for an access control list (ACL) filter, showing that a TCP or UDP packet was detected based on the applied rules. Based on the log entry description, which of the following is the correct mnemonic for this log message?
Sophia, a network security analyst, is reviewing the logs from a Cisco router in an attempt to identify suspicious traffic patterns. She encounters a log entry that matches the criteria for an access control list (ACL) filter, showing that a TCP or UDP packet was detected based on the applied rules. Based on the log entry description, which of the following is the correct mnemonic for this log message?
Correct Answer: C
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 12
An organization investigates a series of cyberattacks that seem to originate from a prominent hacker collective. The attacks appear highly coordinated and use advanced malware, with command-and-control infrastructure resembling that of an organization with a specific geopolitical agenda. However, investigators suspect the attackers might be using tools to mimic the collective's established tactics and obscure their true identity. Which attribution challenge is the organization most likely facing?
An organization investigates a series of cyberattacks that seem to originate from a prominent hacker collective. The attacks appear highly coordinated and use advanced malware, with command-and-control infrastructure resembling that of an organization with a specific geopolitical agenda. However, investigators suspect the attackers might be using tools to mimic the collective's established tactics and obscure their true identity. Which attribution challenge is the organization most likely facing?
Correct Answer: D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 13
In a corporate investigation involving suspected data theft from Google Workspace accounts, the forensic examiner needs to analyze email communications to gather evidence. Which approach aligns best with Google Workspace Forensics principles?
In a corporate investigation involving suspected data theft from Google Workspace accounts, the forensic examiner needs to analyze email communications to gather evidence. Which approach aligns best with Google Workspace Forensics principles?
Correct Answer: B
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 14
Alex, a system administrator, is tasked with converting an existing EXT2 file system to an EXT3 file system on a Linux machine. The EXT2 file system is currently in use, and Alex needs to enable journaling to convert it to EXT3. Which of the following commands should Alex use to achieve this conversion?
Alex, a system administrator, is tasked with converting an existing EXT2 file system to an EXT3 file system on a Linux machine. The EXT2 file system is currently in use, and Alex needs to enable journaling to convert it to EXT3. Which of the following commands should Alex use to achieve this conversion?
Correct Answer: B
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).




