ECCouncil Updated 312-49v11 Exam Questions and Answers by fateh

The best answer is C because wireless traffic in enterprise environments may be distributed across multiple access points and channels, which means a single capture position or standard capture setup can miss portions of the conversation. That creates the exact symptom described in the question: partial captures and gaps that make it difficult to correlate timestamps and device activity. CHFI v11 includes wireless network investigation and detection of access point issues, spoofing, and related wireless attack conditions, so candidates are expected to understand that collection limitations often arise from the architecture of the wireless environment itself. The problem here is not simply that results are inaccurate in a general sense. It is that the investigator cannot see all relevant traffic when it is spread across different infrastructure points. Interoperability with other networks does not explain the missing packets, and impersonation attacks may complicate attribution but do not best explain incomplete capture visibility. In forensic practice, incomplete observation across multiple access points is a direct and common reason wireless evidence becomes fragmented and correlation becomes difficult.

Option C. Olevba is the best answer because CHFI v11 explicitly includes Analyzing Suspicious Word, Excel, and PDF Documents and Tools to Analyze Suspicious Word and PDF Documents as part of malware forensics and static/dynamic analysis.

The suspicious file here is a Word document , and the question asks for a tool suitable for static analysis to detect hidden malicious content. Olevba is specifically known for analyzing Office documents and extracting or inspecting VBA macro content , suspicious strings, and obfuscation indicators without executing the document. That fits the requirement exactly.

FLOSS is mainly used for extracting obfuscated strings from binaries. PEStudio is more appropriate for PE files such as Windows executables and DLLs. Cuckoo Sandbox is a dynamic analysis environment, not the most direct tool for static Office document inspection. Therefore, within CHFI’s malware-document analysis scope, the most effective choice is Olevba for static analysis of the suspicious Word file.

Option C. Autoruns is the best answer because the question is specifically about identifying services and other components configured to start automatically during boot . In CHFI-style Windows forensics and malware persistence analysis, investigators focus on auto-start mechanisms , including services, registry run keys, startup folders, drivers, scheduled tasks, and related launch points. Autoruns is designed to enumerate these persistence locations in a comprehensive way, making it the most appropriate tool among the options.

Event Viewer is useful for examining logs and system events, but it is not the primary tool for enumerating all boot-start and auto-start entries. Task Manager can show currently running processes and some startup items, but it is less complete than Autoruns for deep persistence analysis. Process Explorer is excellent for analyzing active processes and parent-child relationships, yet it is not focused on full startup enumeration.

Because Sophia wants to identify which Windows services are configured to start automatically , the most effective forensic tool is Autoruns , which directly supports malware persistence investigation and startup analysis.

The correct answer is D because firewall logs are the most direct source for identifying initial inbound connection attempts to internal hosts. They typically record source and destination IP addresses, ports, protocols, allow or deny decisions, and timestamps for traffic crossing the network boundary. That makes them especially useful for tracing the first connection attempt made against the organization’s internal systems. IDS logs are valuable for detecting suspicious patterns or known signatures, but they are not always the clearest source for establishing the earliest boundary-crossing connection itself. DHCP logs track IP address assignments, which helps with host attribution after the fact, and honeypot logs capture interactions with decoy systems rather than the real internal host mentioned in the question. CHFI v11 includes analysis of firewall, IDS, honeypot, router, and DHCP logs under network forensics, so this question is testing whether the examiner can match the investigative goal to the right source. When the objective is to identify the first inbound connection to an internal host, firewall logs should be prioritized.