ECCouncil Updated 312-49v11 Exam Questions and Answers by matias

The correct answer is D because a shared folder accessed over SMB from multiple departments is the typical behavior of Network-Attached Storage. NAS provides file-level access over the network using protocols such as SMB or NFS, making it ideal for shared departmental folders and common user access. That matches the scenario exactly. By contrast, the question separately mentions a high-speed Fibre Channel storage fabric for databases, which is characteristic of a Storage Area Network rather than the shared folder system being asked about. RAID is a disk redundancy or performance arrangement, not a network storage access model, and JBOD simply refers to a grouping of disks without describing a networked file-sharing architecture. CHFI v11 includes NAS and SAN storage concepts under digital evidence fundamentals, so candidates are expected to distinguish file-level network storage from block-level storage fabrics. In exam terms, when the clue is SMB-accessible shared folders used by multiple departments, the correct storage model is NAS. The Fibre Channel reference is included to contrast it with SAN and test whether the candidate can separate the two architectures correctly.

According to the CHFI v11 Operating System and Malware Forensics objectives , Windows Event ID 5156 is generated by the Windows Filtering Platform (WFP) and indicates that a network connection has been permitted . This event is highly valuable in malware investigations because it records detailed information about process-level network activity , which is a common indicator of compromise.

Event ID 5156 logs typically include:

Process name and Process ID (PID) that initiated the network connection

Source and destination IP addresses

Source and destination ports

Protocol used (TCP/UDP)

Direction of the connection (inbound or outbound)

CHFI v11 explicitly highlights the importance of Windows Security Event Logs in tracing malware behavior, especially for identifying command-and-control (C2) communications , data exfiltration attempts, and lateral movement. By analyzing Event ID 5156, investigators can directly correlate a specific executable or malicious process with external IP addresses , helping establish attacker infrastructure and timelines.

The other options are incorrect because Event ID 5156 does not record credentials, file deletion paths, or registry modification details. Those artifacts are found in other event IDs or forensic sources such as registry hives, file system metadata, or Sysmon logs.

Therefore, the key forensic value of Event ID 5156 lies in revealing the process responsible for the network communication and the IP address it connected to , making Option D the correct and CHFI v11–verified answer.

The correct answer is C because graph-based event correlation is well suited for linking related events across time, hosts, and indicators in order to expose relationships within distributed attack activity. The scenario emphasizes grouping events, identifying recurring indicators, and uncovering links between multiple compromised endpoints. Those requirements align naturally with graph-oriented analysis, where entities and events can be represented as connected nodes and edges. CHFI v11 includes event correlation approaches, types of event correlation, and timeline analysis, so candidates are expected to understand which approach best reveals patterns across many related observations. Field-based methods usually depend on direct matching of structured values, which can be useful but is narrower than the relationship-driven view described. Neural network and codebook-based approaches are more specialized analytical methods, but the wording of the question points most clearly to a model that reveals interconnected activity across distributed systems. In forensic investigation, graph-based correlation helps analysts visualize and connect repeated indicators, shared infrastructure, timing relationships, and propagation patterns. That makes graph-based approach the strongest CHFI-aligned answer.

According to the CHFI v11 objectives under Malware Forensics and Static Malware Analysis , the correct initial step when analyzing a suspicious document—such as a potentially malicious PDF—is to perform static analysis before any execution . Running the tool PDFiD using the command python pdfid.py infected.pdf is a standard and CHFI-aligned first action. PDFiD is designed to quickly scan a PDF file and identify suspicious elements such as /JavaScript, /OpenAction, /Launch, /EmbeddedFile, and /AA, which are commonly abused by attackers to deliver malware through PDF documents.

This approach is non-intrusive and ensures the investigator does not accidentally trigger malicious code, thereby preserving evidence integrity and maintaining forensic soundness. Opening the file in a virtual machine (Option B) constitutes dynamic analysis , which should only be performed after initial static indicators suggest malicious intent and after proper containment controls are in place. Metadata extraction (Option C) is useful but limited, as metadata alone does not reliably expose embedded exploit code. Manual hex inspection (Option D) is advanced and time-consuming and is not recommended as the first step.

The CHFI v11 Exam Blueprint emphasizes a structured malware analysis workflow , starting with static analysis tools like PDFiD for suspicious documents, making Option A the most appropriate and exam-accurate answer