312-49v11 Exam Dumps - Computer Hacking Forensic Investigator (CHFIv11)

According to the CHFI v11 Mobile Device Forensics objectives, physical acquisition of an Android device aims to obtain a bit-by-bit image of the device’s storage , allowing investigators to recover deleted files, unallocated space, and hidden artifacts. When a device is rooted , investigators can leverage low-level Linux utilities such as the dd command to perform this acquisition.

The correct forensic procedure involves first connecting the Android device to the forensic workstation , typically via USB using ADB. The investigator must then obtain a root shell , as root privileges are mandatory to access raw block devices (for example, /dev/block/mmcblk0). Next, the investigator must identify the correct source (the physical partition or block device) and define the destination , which may be an external storage location or a streamed image file captured on the forensic workstation. Finally, the dd command is executed with precise input (if=) and output (of=) parameters to create a forensic image.

CHFI v11 stresses that this process must be conducted carefully to avoid data alteration and to maintain evidentiary integrity. The other options are incorrect because Bluetooth is not used for forensic imaging, custom hardware is not required for dd-based acquisition, and vague “remote execution” does not reflect the structured steps mandated by CHFI methodology.

Therefore, the CHFI v11–verified and forensically sound procedure is to connect the device, acquire the root shell, identify the source and destination, and execute dd , making Option D the correct answer.

This question aligns with CHFI v11 objectives under Procedures and Methodology , specifically event correlation and analysis techniques used to investigate complex incidents. Event correlation is essential for transforming large volumes of logs and alerts into meaningful incident narratives. CHFI v11 describes multiple correlation approaches, each suited to different investigative needs.

The graph-based approach models systems, applications, users, and network components as nodes , while relationships such as dependencies, communications, or trust relationships are represented as edges . By constructing such graphs, investigators can visualize how events propagate across interconnected systems, identify attack paths, and determine how a compromise in one component impacts others. This approach is particularly effective in analyzing lateral movement, dependency-based failures, and multi-stage attacks in enterprise environments.

Rule-based approaches rely on predefined conditions, codebook-based approaches match patterns against known attack templates, and neural network-based approaches focus on anomaly detection using machine learning. While these are valuable, only the graph-based approach explicitly represents system dependencies and relationships in a node–edge structure. Therefore, consistent with CHFI v11 event correlation methodologies, the correct answer is Graph-Based Approach .

In CHFI v11, memory dump analysis focuses on identifying volatile artifacts , such as running processes, loaded modules, decrypted data, network connections, and application-specific memory remnants. The availability of Tor Browser artifacts in memory is highly dependent on the execution and installation state of the Tor Browser at the time of acquisition.

When the Tor Browser is opened , it generates the highest number of artifacts in memory. These include active Tor processes, circuit information, encryption keys, temporary buffers, and cached session data. Even when the Tor Browser is closed but still installed , some residual artifacts may remain in memory or be partially recoverable due to delayed memory reuse, along with indirect indicators such as prefetch references and previously allocated memory pages.

However, when the Tor Browser is uninstalled , there are no active Tor-related processes or associated memory segments loaded into RAM. As explicitly covered in the CHFI v11 blueprint under Tor Browser Forensics and Forensic Analysis: Tor Browser Uninstalled , uninstalling Tor significantly reduces both volatile and non-volatile artifacts. Consequently, memory dumps acquired after uninstallation contain the least possible number of recoverable Tor artifacts , often limited to overwritten or non-attributable memory fragments.

Therefore, based strictly on CHFI v11 objectives and forensic principles, Tor browser uninstalled (Option B) is the correct answer.

According to the CHFI v11 Procedures and Methodology domain, evidence preservation is a critical step in the forensic investigation process and is closely tied to maintaining a proper chain of custody . Preservation ensures that digital evidence remains unaltered, authentic, and legally admissible from the moment it is collected until it is presented in court or a disciplinary proceeding.

In the given scenario, the investigator is documenting every action , assigning unique identifiers , and maintaining a chain of custody log that records who handled the evidence, when it was handled, and for what purpose. CHFI v11 explicitly defines these actions as part of the evidence preservation phase , which occurs immediately after evidence identification and collection. This phase is designed to prevent evidence tampering, loss, contamination, or misidentification.

The other options do not align with the described activities. Scoping focuses on defining investigation boundaries, data analysis involves examining evidence for findings, and search and seizure refers to the legal act of collecting evidence—none of which emphasize documentation and custody tracking.

CHFI v11 stresses that failure to properly preserve evidence and document its handling can result in evidence being challenged or ruled inadmissible . Therefore, the investigator’s actions clearly correspond to preserving the evidence , making Option A the correct and CHFI v11–verified answer.

Option A is the best answer because CHFI v11 explicitly states that organizations should monitor and maintain accurate metrics and detailed tracking information related to eDiscovery . The question also emphasizes progress monitoring , data integrity and accuracy , and cost control , all of which are best supported by clearly defined metrics and stage-by-stage measurement.

By defining KPIs and measuring the volume of information at each stage , the company can track bottlenecks, evaluate collection and processing scope, manage costs, and ensure that the eDiscovery lifecycle remains defensible and organized. This is directly aligned with the CHFI blueprint’s eDiscovery objectives, which treat measurement and tracking as core best practices rather than optional administrative tasks.

The other options can still add value, but they do not address the question as directly. A centralized repository, cross-functional oversight, and training all help operations, yet the CHFI-aligned priority for monitoring effectiveness and controlling cost is accurate metrics and detailed tracking information . Therefore, the strongest answer is to define KPIs and measure information volume throughout the eDiscovery process.

Option A. Wireshark is the best answer because the task is to analyze unusual network behavior and specifically monitor DNS requests . Wireshark is designed for packet capture and protocol-level inspection, allowing the investigator to examine DNS queries, responses, timing, source systems, suspicious domains, and other traffic details in depth.

This makes it more appropriate than the other options. Nmap is primarily a network scanning tool, useful for discovery and service enumeration, not deep DNS traffic inspection. Snort is an intrusion detection and alerting tool, and while it may detect suspicious activity, it is not the best primary choice for directly inspecting DNS packet contents in a forensic investigation. Nessus is a vulnerability scanner, not a live packet-analysis utility.

From a CHFI network-forensics viewpoint, packet capture and protocol analysis are central to understanding malware-related traffic patterns such as DNS tunneling, beaconing, command-and-control lookups, or suspicious domain resolution behavior. Since Lisa needs detailed visibility into abnormal DNS requests, Wireshark is the most suitable and effective tool for this investigation.

This question aligns with CHFI v11 objectives under Malware Forensics and Static Malware Analysis of Suspicious Documents . When analyzing potentially malicious Microsoft Office documents, CHFI v11 emphasizes that investigators should always begin with static analysis before attempting any form of execution. This approach minimizes risk and helps identify embedded threats such as VBA macros, OLE objects, exploits, and obfuscation techniques without activating the payload.

The oleid tool (part of the oletools suite) is specifically designed for the initial inspection of OLE-based Microsoft Office documents . It quickly identifies indicators of compromise such as the presence of macros, embedded objects, suspicious file formats, encryption, and known exploit characteristics. CHFI v11 highlights oleid as a safe, non-intrusive first step to triage Office documents and determine whether deeper analysis (e.g., macro extraction or sandbox execution) is warranted.

Opening the document in a sandbox is a dynamic analysis step and should only occur after static indicators confirm malicious intent. The other options are either non-standard or insufficient for detecting embedded macro-based malware. Therefore, consistent with CHFI v11 malware forensics methodology, executing oleid to review suspicious components is the correct initial step.

Option C is the strongest answer because trail obfuscation is an anti-forensics technique intended to confuse investigators by altering, hiding, fragmenting, or manipulating evidence trails such as logs, timestamps, and event records. In this situation, the correct response is not a preventive security control like stronger passwords or two-factor authentication, but a forensic method that helps reconstruct the hidden activity. Advanced log analysis tools allow investigators to correlate events, identify inconsistencies, compare multiple evidence sources, and rebuild the sequence of attacker actions despite the obfuscation.

This aligns with CHFI’s emphasis on anti-forensics techniques and countermeasures , event correlation , timeline analysis , and the use of forensic tools to detect suspicious activity across distributed systems. Real-time traffic monitoring may help with ongoing attacks, but it does not directly solve the problem of reconstructing an already obscured historical trail. The question is about overcoming concealed evidence, and that requires careful retrospective analysis.

Therefore, the most appropriate CHFI-aligned approach is to use advanced log analysis and correlation tools to piece together the obscured trail and identify the likely breach source.