312-49v11 ECCouncil Computer Hacking Forensic Investigator (CHFIv11) Free Practice Exam Questions (2026 Updated)

This question aligns with CHFI v11 objectives under Network and Web Attacks , specifically the classification and identification of external threats targeting organizational networks. External attacks originate outside the organization’s trusted boundary and are carried out by threat actors who do not have legitimate internal access. CHFI v11 highlights that recognizing the nature of such attacks is essential for incident detection, response, and forensic investigation.

Distributed Denial of Service (DDoS) attacks are a classic example of external attacks, where attackers overwhelm network resources with massive traffic volumes to disrupt availability. These attacks often originate from botnets distributed across the internet. Phishing attacks are another common external threat, involving deceptive emails or messages designed to trick users into revealing credentials, clicking malicious links, or downloading malware. The scenario described—customers reporting suspicious login attempts and pop-ups—strongly aligns with phishing and externally driven compromise attempts.

Software bugs are internal technical issues, insider threats originate from within the organization, and while ransomware is a type of malware, the option pairing encryption and ransomware is too broad and not explicitly external. Therefore, consistent with CHFI v11 classifications, DDoS attacks and phishing are clear examples of external attacks that pose serious threats to corporate networks.

Option A. Raw Data Acquisition is correct because a bit-for-bit copy of the original storage medium is the defining characteristic of raw acquisition. CHFI v11 covers data acquisition methods , including the need to preserve evidence integrity and create a faithful duplicate suitable for examination, validation, and possible court use. A raw image captures the disk at the lowest level, including active files, deleted space, slack space, and unallocated areas, making it highly valuable in forensic investigations.

This is different from sparse acquisition , which captures only selected or relevant data rather than the full medium. Differential acquisition is not the standard answer for a complete forensic duplicate in this context. Live data acquisition refers to collecting data from a running system, often to preserve volatile evidence, but it does not itself mean a full bit-stream copy of the storage media.

Because the question explicitly asks for the acquisition method that provides a bit-for-bit copy , the correct answer is raw data acquisition. This aligns directly with CHFI’s focus on choosing the proper imaging method, preserving evidence, and maintaining forensic integrity through accurate duplication of the original media.

According to the CHFI v11 objectives under Web Application Forensics and Log Analysis , investigators must know the default log storage locations of commonly used web servers. On Windows-based systems , Internet Information Services (IIS) stores its web server logs within the inetpub directory, which resides on the system drive by default. The standard path used by IIS for logging HTTP and HTTPS requests is:

%SystemDrive%\inetpub\logs\LogFiles

In this question, the option %SystemDrive%\inetpub correctly points to the parent directory that contains IIS-related content, including the LogFiles directory where forensic-relevant web access logs are stored. These logs record critical details such as client IP addresses, request methods, requested URLs, HTTP status codes, timestamps, and user agents—key artifacts for reconstructing web-based attacks such as SQL injection, directory traversal, brute-force attempts, and malicious file uploads.

The other options are incorrect because they reference Apache web server configuration files used on Linux or UNIX systems, not IIS. Since the server in question is Windows-based and running IIS, those paths are irrelevant to the investigation.

The CHFI Exam Blueprint v4 explicitly includes IIS web server architecture and log analysis , emphasizing familiarity with default IIS log locations as essential for effective web attack investigations and evidence collection, making Option D the correct and exam-aligned answer

Option D. Security phase is the best answer because the scenario describes cryptographic verification , checking the bootloader integrity , and enforcing policies so that only trusted software is loaded. CHFI v11 includes the booting process and specifically covers the Windows boot process: BIOS-MBR method and UEFI-GPT , which means exam candidates are expected to understand the major phases and security controls associated with modern system startup.

In UEFI-based systems, the phase concerned with validating trust and enforcing secure boot behavior is the security phase . That phase is responsible for ensuring that firmware policy is applied before control is handed to later boot components. This aligns precisely with the description in the question, where the system is not merely selecting a boot device or initializing drivers, but actively verifying trust and compliance.

The other answers are less suitable. Boot device selection focuses on choosing the device to boot from. Pre-EFI initialization prepares early hardware and platform state. Driver execution environment deals more with loading drivers and services in the UEFI environment. Because the emphasis is on trusted boot and cryptographic validation , the correct answer is the security phase .

The correct choice is C because Event ID 7035 from the Service Control Manager records that a control command was sent to a service, such as a start or stop request. It documents the issuance of the command, not the final service state. That distinction is important in forensic analysis because a stop request may appear in the timeline even if the service fails to stop, delays stopping, or transitions later. Option B more closely describes a successful state change, which is typically associated with a different event pattern such as 7036. In a CHFI v11 context, this fits the objective on Windows event logs, organization of event records, and the use of log files as evidence. Examiners are expected not only to read logs, but to interpret what an event actually means in operational terms. Here, the event shows administrative or malicious intent to manipulate the service, which can be highly relevant in persistence or sabotage investigations. For that reason, the most accurate interpretation is that a start or stop control request was sent to the service.

The correct answer is D because sparse acquisition is specifically used when investigators collect only selected data that is relevant to the case rather than imaging the entire disk. In CHFI v11, the data acquisition objectives emphasize understanding different acquisition types and determining the most suitable method depending on the investigative need, time constraints, and storage considerations. A bitstream acquisition captures the whole media at the sector level, including slack space and deleted data, which is not what the question describes. Logical acquisition usually focuses on active files and folders visible through the file system, but the wording here highlights a deliberate case-focused subset chosen to reduce time and storage, which is the classic rationale for sparse acquisition. This method is useful when investigators must quickly preserve high-value evidence without creating a complete forensic image. In exam terms, whenever the scenario stresses targeted collection of specific files, folders, or fragments tied to the incident, while avoiding full disk capture, sparse acquisition is the best fit. That matches the CHFI objective on selecting appropriate acquisition methods for different evidence situations.

The correct answer is C because this describes chain of custody documentation, whose purpose is to record the movement and handling of evidence from the moment it is collected through transfer, storage, examination, and presentation. CHFI v11 explicitly includes chain of custody, preserving evidence, and best practices for handling digital evidence. In a case involving multiple custodians, the essential need is not just to list who was involved, but to maintain a continuous documented history showing where the evidence went, who possessed it, when transfers occurred, and under what conditions. That continuous record is what allows an examiner to rebut claims that the evidence was altered, substituted, or tampered with. Option A captures part of that idea but is incomplete because it does not emphasize the end-to-end movement of the evidence. Option B describes procedures, and option D describes initial collection details, but neither establishes the full transfer history. For CHFI exam purposes, the key documentation element that proves continuity of possession is the record documenting the movement of evidence from origin through examination.

As defined in the CHFI v11 Procedures and Methodology domain, directed collection is an eDiscovery methodology in which investigators deliberately limit evidence collection to specific data sets, file types, directories, custodians, or system areas that are known or highly likely to contain relevant information. This approach is commonly used to reduce data volume, minimize business disruption, and lower legal and operational costs while maintaining forensic relevance.

In the given scenario, the investigator intentionally restricts the scope of ESI by targeting specific directories and file types , rather than collecting full disk images or all user data. CHFI v11 explicitly describes this as directed (or targeted) collection , which is aligned with the Electronic Discovery Reference Model (EDRM) best practices. Directed collection helps investigators remain compliant with legal proportionality requirements and reduces exposure to irrelevant or private third-party data.

The other options do not match the scenario. Custodian self-collection introduces risk and is generally discouraged due to evidence integrity concerns. Incremental collection focuses on changes since a prior collection, not selective scope reduction. Remote acquisition refers to the method of access, not the collection strategy itself.

CHFI v11 emphasizes directed collection as a preferred methodology when investigators already understand where relevant evidence resides and need to collect it efficiently and defensibly. Therefore, the correct and CHFI v11–verified answer is directed collection of definite data sets and system areas , making Option D correct.

The right answer is A because the Windows Run key is intended to launch a program every time a user logs on, which makes it a classic registry-based persistence mechanism for malware. In contrast, RunOnce is designed for one-time execution and is removed after processing, so it does not best match the wording about recurring execution after reboot. The CHFI v11 blueprint specifically covers registry-based malware persistence mechanisms and identifying how malicious software survives restarts. That objective expects candidates to distinguish one-time startup artifacts from repeat-execution startup artifacts. From a forensic angle, the Run key is highly valuable because it can show how a threat repeatedly re-establishes itself, launches payloads, or triggers follow-on scripts whenever a user session begins. This kind of persistence is commonly examined alongside other startup evidence such as services, scheduled tasks, and startup folders. Microsoft’s own documentation states that the Run key makes a program run every time the user logs on, while RunOnce executes only one time. That makes Run the only answer that fully matches the persistence behavior described in the question.

According to the CHFI v11 objectives under Malware Forensics and Linux Memory and System Behavior Analysis , monitoring system calls is a core technique for understanding how malware interacts with the operating system at a low level. On Linux systems, strace is the primary and most effective tool for this purpose.

strace intercepts and records system calls made by a process, along with the signals received and return values. Since all interactions between user-space programs and the Linux kernel occur via system calls, tracing them provides deep visibility into malware behavior. Using strace, investigators can observe actions such as file creation or modification (open, write), privilege escalation attempts (setuid), network communications (connect, sendto), process creation (fork, execve), and access to protected system resources. This makes strace indispensable for dynamic malware analysis on Linux , as emphasized in CHFI v11.

The other options are incorrect. Process Explorer and Autoruns are Windows-based tools and do not operate on Linux systems. Regshot is also Windows-specific and is used to compare registry snapshots, which are irrelevant in Linux environments.

The CHFI Exam Blueprint v4 explicitly includes Linux malware behavior analysis and monitoring system-level activity , making strace the correct, forensically sound, and exam-aligned tool for tracking malware system calls

Option C is the best answer because the scenario involves multiple jurisdictions , privacy rights , and even diplomatic immunity , which makes strict legal compliance essential. In CHFI methodology, investigators must respect rules of evidence , search and seizure requirements , privacy laws , and the need to obtain lawful authority before accessing systems or seizing digital evidence. When a case crosses borders, coordination with legal counsel and appropriate authorities becomes even more important.

The other options are clearly improper. Waiting for the suspect to leave and then seizing the device without legal authority is not defensible. Remotely accessing the computer without authorization would violate legal and ethical standards. Secretly entering the suspect’s residence is also unlawful and would likely render any evidence inadmissible. The urgency of the case does not override legal procedure.

Therefore, the proper first move is to consult legal counsel and seek the necessary warrant or international legal authorization before proceeding. This preserves admissibility, protects the investigation, and aligns with CHFI’s focus on lawful evidence handling in complex international cybercrime cases.