ECCouncil Updated 312-49v11 Exam Questions and Answers by kyrie

Option D. Physical acquisition is the best answer because the question asks for the method that provides the most extensive access to Android device data, including existing data, deleted data, and system-level files . CHFI v11 explicitly covers Data Acquisition Methods , Mobile Phone Evidence Analysis , Android and iOS Forensic Analysis , and both Logical Acquisition of Android and iOS Devices and Physical Acquisition of Android and iOS Devices .

A physical acquisition captures the raw contents of device storage at a lower level than logical or file-system-only approaches. Because of that, it offers the best chance of recovering deleted artifacts and examining system areas that are not normally exposed through higher-level acquisition methods. This makes it the most comprehensive choice when the goal is to maximize evidentiary coverage.

Logical acquisition is more limited and generally focuses on accessible user data. File system acquisition can be broader than logical collection, but it still does not usually provide the same depth as a full physical image. Cloud acquisition may complement the investigation, but it does not replace direct device acquisition. Therefore, under CHFI mobile-forensics objectives, physical acquisition is the strongest answer.

The best answer is B because Gephi is purpose-built for graph visualization and network structure analysis. The scenario is not asking for memory forensics, endpoint artifact parsing, or general log dashboarding. It specifically requires relationship mapping between entities, layout-driven graph exploration, node and edge analysis, clustering, and identification of bridges or amplification patterns. Those are exactly the kinds of tasks Gephi is known for. Belkasoft X is a broader forensic suite, Redline is more focused on endpoint and memory investigation, and Kibana is excellent for searching and visualizing indexed event data, but it is not the primary choice for deep graph-centric structural examination of social relationships. The CHFI v11 blueprint includes social media forensics, event correlation, and tools used to analyze complex digital interactions. In that context, Gephi fits the requirement because it helps investigators transform large relationship datasets into visual networks that reveal central actors, coordination clusters, and suspicious propagation pathways. When a question centers on graph construction and structural relationship analytics rather than standard file or log review, Gephi is the most suitable tool among the listed options.

Option A is the best answer because the scenario already suggests that the attacker likely gained access through a remote connection using compromised credentials . The most logical next forensic step is to examine server logs for unusual login patterns , including failed logons, successful remote logins at abnormal times, privileged account use, and suspicious authentication sources. CHFI v11 explicitly includes event logs , types of logon events , evaluating account management events , and SQL Server logs as relevant evidence sources in operating system and application forensics.

Although identifying the source IP may later become important, investigators usually first validate the unauthorized access path through log review and then correlate it with IP data, account activity, and timeline evidence. A complete system scan is too broad as the next step, and reviewing recently accessed files does not directly answer how the attacker entered the database environment.

Because CHFI emphasizes log analysis , authentication event review , and timeline reconstruction when investigating intrusions, the strongest next step is to evaluate the server logs for unusual login patterns that explain how the attacker gained access.

According to the CHFI v11 Data Acquisition Concepts and Rules , sanitizing the target media is a critical preparatory step performed before acquiring forensic data, especially when reusing storage media or handling sensitive information. Sanitization refers to the process of securely erasing data so that it cannot be recovered using forensic techniques. This is typically achieved by overwriting the storage media with predefined patterns , such as sequential zeros and ones, or by using approved data wiping algorithms.

CHFI v11 clearly distinguishes sanitization from other acquisition steps. Validating data acquisition ensures the integrity and completeness of collected evidence through hash verification and comparison, not data destruction. Acquiring volatile data focuses on capturing live information such as RAM contents, running processes, and network connections before shutdown. Planning for contingency involves preparing backups, alternate tools, and procedures in case the acquisition process fails.

The scenario explicitly describes overwriting the drive to prevent any residual data recovery, which directly aligns with the CHFI v11 guideline “Sanitize the Target Media” listed under evidence handling and acquisition best practices. This step ensures privacy, prevents data leakage, and maintains legal and ethical compliance during forensic operations.

Therefore, based strictly on CHFI v11 objectives and terminology, the investigator is performing sanitization of the target media , making Option D the correct and verified answer.