312-49v11 Exam Dumps - Computer Hacking Forensic Investigator (CHFIv11)

The correct answer is A because information_schema.tables is the clearest sign that the attacker is querying MySQL’s metadata catalog to enumerate database objects. In MySQL, INFORMATION_SCHEMA is the system metadata repository, and the TABLES view exposes information about available tables. That makes information_schema.tables the most explicit indicator of schema discovery activity. The other literals may appear in related enumeration queries, but they are not as definitive on their own. table_name is merely a column name, database() returns the current database context, and a table_schema filter only narrows results after the metadata source has already been targeted. CHFI v11 includes MySQL forensics, viewing the information schema, and investigation of database evidence repositories, so candidates are expected to recognize metadata-enumeration patterns in logs. In a blind SQL injection case, attackers commonly query INFORMATION_SCHEMA to list databases, tables, and columns when direct output is restricted. Since the question asks which literal most clearly signals metadata catalog access for object listings, information_schema.tables is the strongest and most specific answer.

Option A is the best answer because the question explicitly identifies the attachments as being associated with a GootLoader campaign , which is commonly understood as a malware delivery mechanism that uses deceptive content to stage later malicious activity. In this context, the attachment is most logically interpreted as a first-stage payload or infection vector rather than the final malware objective itself.

From a CHFI-style malware forensics perspective, investigators first determine how malicious code was delivered , then analyze what subsequent payloads or behaviors followed. In phishing-driven infection chains, the initial attachment often acts as the first phase that enables download, execution, or delivery of additional malware. That fits the fact pattern far better than assuming the attachment itself must specifically be spyware, ransomware, or a zero-day exploit.

Options B , C , and D may describe possible later effects in some campaigns, but the most defensible conclusion from the wording is that these attachments are part of the initial delivery stage of GootLoader. Therefore, the correct answer is that the attachments are likely serving as the first-stage payload in the campaign and should be analyzed as the initial malicious component in the infection chain.

Option B. Hash database lookup is the best answer because the question is specifically about automating the review of a very large number of files and identifying potential evidence more efficiently. CHFI v11 includes hash analysis , identifying suspicious or known files through hashes , and the use of forensic tools to streamline evidence examination across large datasets.

A hash database lookup allows the investigator to compare file hashes against known-good or known-bad sets, quickly filtering out benign system files and highlighting files that are suspicious, altered, or already associated with malicious activity. This is exactly the kind of automation that reduces manual effort in a large-scale file-system analysis.

File carving is useful for recovering deleted content, but it does not primarily automate file triage. File system timeline helps reconstruct activity order, and disk imaging is an acquisition task rather than a feature for rapidly identifying potential evidence. Therefore, under CHFI forensic-analysis principles, the most effective TSK feature for automating identification of relevant evidence is hash database lookup .

This scenario directly aligns with CHFI v11 objectives under Anti-Forensics Techniques , specifically techniques used to alter or destroy forensic artifacts to obstruct investigations. Log files on macOS systems—such as system logs, application logs, and security logs—are critical sources of evidence that help investigators reconstruct user activity, detect intrusions, and build event timelines.

When an attacker alters, deletes, or modifies log entries , the anti-forensic technique employed is classified as data manipulation . CHFI v11 defines data manipulation as the intentional modification, deletion, or corruption of data or metadata to mislead investigators or erase traces of malicious activity. Log tampering is a classic example, as attackers often remove evidence of unauthorized access, privilege escalation, or persistence mechanisms.

Data encryption would make logs unreadable but not selectively altered or deleted. Data hiding involves concealing information in alternate locations (e.g., steganography or hidden files), while data obfuscation focuses on making data confusing but still present. In contrast, the complete deletion or alteration of log messages is a deliberate attempt to falsify or erase evidence. Therefore, consistent with CHFI v11 anti-forensics classifications, data manipulation is the correct and most accurate answer.