ECCouncil Updated 312-49v11 Exam Questions and Answers by sulayman

This question aligns with CHFI v11 objectives under Network and Web Attacks , specifically the classification and identification of external threats targeting organizational networks. External attacks originate outside the organization’s trusted boundary and are carried out by threat actors who do not have legitimate internal access. CHFI v11 highlights that recognizing the nature of such attacks is essential for incident detection, response, and forensic investigation.

Distributed Denial of Service (DDoS) attacks are a classic example of external attacks, where attackers overwhelm network resources with massive traffic volumes to disrupt availability. These attacks often originate from botnets distributed across the internet. Phishing attacks are another common external threat, involving deceptive emails or messages designed to trick users into revealing credentials, clicking malicious links, or downloading malware. The scenario described—customers reporting suspicious login attempts and pop-ups—strongly aligns with phishing and externally driven compromise attempts.

Software bugs are internal technical issues, insider threats originate from within the organization, and while ransomware is a type of malware, the option pairing encryption and ransomware is too broad and not explicitly external. Therefore, consistent with CHFI v11 classifications, DDoS attacks and phishing are clear examples of external attacks that pose serious threats to corporate networks.

The correct answer is A because registers and cache sit at the highest end of the order of volatility and should be collected first when a system is still live. The question highlights active sessions, encryption keys, and running processes, all of which point to volatile evidence that may disappear immediately if the system changes state or loses power. CHFI v11 emphasizes live acquisition, order of volatility, and the rule that highly volatile data must be preserved before less volatile sources such as disks or archival media. Disk storage remains important, but it does not outrank processor registers, cache, and memory-related runtime artifacts when the goal is to preserve transient evidence. Remote logging data can supplement the investigation, yet it is not the highest-priority source on the live suspect system itself. In forensic response, the earliest collection target is the most volatile information because once lost it usually cannot be recreated from static media. Since the question asks what should be prioritized immediately to preserve critical live evidence, registers and cache are the best CHFI-consistent answer.

The most accurate answer is D because the question explicitly mentions two distinct indicators together: half-open TCP sessions typical of SYN flooding and packets that have both SYN and FIN flags set. A normal TCP packet would not use SYN and FIN together in a legitimate connection setup, so that flag combination is highly suspicious and maps directly to a SYN-FIN flood pattern. A pure SYN flood would explain the half-open sessions, but it would not fully account for the stated observation that packet captures show SYN and FIN set simultaneously. CHFI v11 expects candidates to analyze network traffic for denial-of-service behaviors and to recognize packet-level evidence from abnormal TCP flag combinations. In forensic review, the exact flags matter because they help distinguish common handshake abuse from crafted packets designed to exhaust resources, evade simplistic filtering, or confuse defensive logic. Since the scenario includes the uncommon SYN-FIN combination as a defining artifact, the best answer is not the broader SYN flood label but the more precise TCP SYN-FIN flood attack. That choice best reflects the traffic evidence described in the packet capture.

Option D is the best answer because CHFI v11 explicitly includes Seeking Consent , Best Practices for Handling Digital Evidence , Legal Issues, Privacy Issues and Legal Compliance , and Managing Clients or Employers during Investigations .

When consent is not granted, the investigator cannot simply access sensitive client data on their own authority. At the same time, immediately withdrawing may not be the only appropriate response if there are lawful and ethical alternative ways to obtain relevant evidence without violating confidentiality. The CHFI-aligned approach is to respect the client’s concerns , remain within legal and ethical boundaries, and explore other permissible evidence-gathering options, such as narrower collection scopes, anonymized review procedures, or additional legal authorization where appropriate.

Options A and B clearly violate consent and confidentiality principles. Option C is too absolute and does not reflect the possibility of lawful alternative approaches. Therefore, the strongest answer under CHFI’s consent and legal-compliance principles is to respect the firm’s concerns and seek other means of gathering evidence without breaching client confidentiality .