ECCouncil Updated 312-49v11 Exam Questions and Answers by gurfateh

According to the CHFI v11 Operating System Forensics objectives, Linux system logs are a critical source of evidence for identifying unauthorized access, brute-force attempts, and SSH key–based authentication activities . On modern Linux systems that use systemd , SSH-related events are logged and managed by the system journal , which can be queried using the journalctl utility.

The command journalctl -u ssh retrieves all log entries associated with the SSH service unit , making it the most appropriate command when an investigator needs a complete and unfiltered view of SSH activity. SSH key fingerprints are typically logged during public key authentication events , including successful and failed login attempts, and may appear alongside details such as usernames, source IP addresses, and authentication methods.

While options A and C restrict log output to specific time ranges and option B follows logs in real time, the question specifically asks which command should be executed to view the SSH key fingerprint in the SSH unit logs . CHFI v11 best practices recommend starting with the base unit log query to ensure no relevant artifacts are missed before applying filters.

Therefore, to reliably extract SSH key fingerprints and correlate authentication activity during forensic analysis, Hazel should execute journalctl -u ssh , making Option D the correct and CHFI v11–verified answer.

The correct answer is B because the Web Application Firewall is itself a primary evidence source during web-attack investigations, especially when the incident involves bot traffic, injection attempts, and application-facing abuse. CHFI v11 explicitly includes WAF fundamentals, benefits and limitations of WAF, and web-application forensics involving collection and analysis of multiple log sources. In methodology terms, when investigators are assembling evidence for a web attack, they are expected to gather logs not only from web and application servers, but also from defensive controls such as the WAF because those systems often capture blocked requests, signatures triggered, payload patterns, source information, and timestamps. The other options are not evidence-collection steps focused on the gateway. Tracing the attacking IP is an attribution task that usually comes later, encrypting and checksumming logs is an integrity-preservation measure rather than the collection step itself, and forensic imaging is aimed at storage media rather than gateway log evidence. Because the question asks which methodology step explicitly includes output from the software-based gateway, the correct answer is to collect WAF logs.

Option B. UFED Cellebrite is the strongest answer because CHFI v11 explicitly includes Logical Acquisition of Android and iOS Devices , Physical Acquisition of Android and iOS Devices , and Android and iOS Forensic Analysis under mobile forensics. The question asks for a tool that can perform a thorough logical acquisition of both Android and iOS , and among the listed options, UFED Cellebrite is the one most clearly suited to cross-platform mobile forensic collection.

ADB is Android-specific and does not address iOS acquisition. FTK Imager is primarily used for disk imaging and evidence preview rather than full mobile logical acquisition across both ecosystems. iPhone Backup Extractor focuses on iPhone backup data and does not cover Android in the same way.

Because the scenario requires a single solution that supports both major mobile platforms, the most appropriate CHFI-aligned answer is UFED Cellebrite . It matches the blueprint’s mobile acquisition objectives and the practical need for a forensic tool capable of structured logical collection from both Android and iOS devices.

Option C is the strongest answer because trail obfuscation is an anti-forensics technique intended to confuse investigators by altering, hiding, fragmenting, or manipulating evidence trails such as logs, timestamps, and event records. In this situation, the correct response is not a preventive security control like stronger passwords or two-factor authentication, but a forensic method that helps reconstruct the hidden activity. Advanced log analysis tools allow investigators to correlate events, identify inconsistencies, compare multiple evidence sources, and rebuild the sequence of attacker actions despite the obfuscation.

This aligns with CHFI’s emphasis on anti-forensics techniques and countermeasures , event correlation , timeline analysis , and the use of forensic tools to detect suspicious activity across distributed systems. Real-time traffic monitoring may help with ongoing attacks, but it does not directly solve the problem of reconstructing an already obscured historical trail. The question is about overcoming concealed evidence, and that requires careful retrospective analysis.

Therefore, the most appropriate CHFI-aligned approach is to use advanced log analysis and correlation tools to piece together the obscured trail and identify the likely breach source.