ECCouncil Updated 312-49v11 Exam Questions and Answers by arla

According to the CHFI v11 Operating System Forensics curriculum, timestamp manipulation is a common anti-forensics technique used by attackers to obscure activity timelines. On NTFS file systems , each file maintains multiple sets of timestamps—such as $STANDARD_INFORMATION and $FILE_NAME attributes—stored within the Master File Table (MFT) . Discrepancies between these timestamp sets are strong indicators of timestamp tampering .

analyzeMFT is a specialized forensic tool designed explicitly to parse and analyze the NTFS Master File Table . CHFI v11 highlights MFT analysis as a critical method for detecting time-stomping attacks , where attackers alter file timestamps using utilities like timestomp. analyzeMFT allows investigators to compare multiple timestamp attributes, identify anomalies, reconstruct timelines, and detect inconsistencies that standard file system views cannot reveal.

The other tools are not appropriate for this task. Regshot is used to compare Windows Registry snapshots, OSForensics is a general forensic suite but is not specifically optimized for low-level MFT timestamp comparison, and Process Explorer is a live system monitoring tool focused on running processes rather than file system metadata.

CHFI v11 explicitly emphasizes NTFS MFT analysis as the authoritative method for identifying manipulated timestamps. Therefore, the most accurate and CHFI-aligned tool for detecting timestamp modifications on NTFS file systems is analyzeMFT , making Option A the correct answer.

Option B is the strongest answer because it directly points to a host or mail system being used to send spam, which is a common operational sign of malware compromise. The CHFI v11 blueprint includes malware behavior, malware artifacts and indicators, and system and network level analysis. In a case where a mail server is relaying suspicious traffic and message errors are appearing, investigators should focus first on alerts showing that spam is being sent from the affected system or associated email environment. That is more specific and more probative than general performance symptoms such as slowdown. Unexplained bounced emails can occur as a side effect, but they are less direct than confirmed alerts of outbound spam activity. Numerous unwanted emails and social posts is too broad and less tied to forensic validation of the suspect host. From an examiner’s perspective, the key is to identify evidence that the compromised machine is actively participating in spam distribution or botnet-style messaging behavior. That aligns with CHFI’s expectation that analysts recognize malware indicators not just by file artifacts, but also by suspicious communications and abnormal message-sending patterns across the environment.

The best answer is C because defining what must be collected, where relevant electronically stored information exists, and how it should be preserved for litigation is fundamentally a legal-scoping responsibility. CHFI v11 places strong emphasis on eDiscovery process flow, the Electronic Discovery Reference Model cycle, legal issues, evidence admissibility, and the relationship between forensic handling and judicial use. That means the person who frames collection scope and preservation requirements must understand legal relevance, regulatory exposure, privilege, and defensibility. IT support personnel may help identify systems and retrieve data, but they do not normally decide legal collection boundaries. Team leads may coordinate execution, and project managers may track schedules and resources, yet neither is the primary authority on admissibility and legal sufficiency. The legal expert or eDiscovery attorney is the role best positioned to define the collection scenario in a way that aligns business systems with litigation duties. In CHFI-style reasoning, whenever the task centers on determining what evidence should be collected for legal proceedings and how to preserve it to satisfy compliance requirements, the legal expert or eDiscovery attorney is the most appropriate answer.

Option A. Time-based correlation is the best answer because the scenario involves multiple servers , each generating separate logs and events, and the investigator needs to reconstruct the breach efficiently and identify its root cause . CHFI v11 explicitly includes Types of Event Correlation , Event Correlation Approaches , Timeline and Kill Chain Analysis , and centralized logging using SIEM solutions as part of evidence examination and network/log analysis.

When several systems are involved, the most effective first way to connect the activity is to correlate events by time so the examiner can determine the sequence of actions across hosts. This helps answer critical questions such as what happened first, which server was initially affected, how the attacker moved, and when key indicators appeared. That is exactly how investigators build a timeline and isolate the origin or progression of an incident.

Log-based correlation groups similar logs, alert-based correlation focuses on alerts, and rule-based correlation applies predefined logic, but the question stresses identifying the root cause across multiple servers and logs , which is most directly supported by constructing a chronological event sequence . Therefore, under CHFI event-correlation and timeline-analysis objectives, time-based correlation is the strongest answer.