ECCouncil Updated 312-49v11 Exam Questions and Answers by amarah

Option A is the best answer because CHFI v11 explicitly includes Rules of Evidence , Best Practices for Handling Digital Evidence , Seeking Consent , Obtaining a Warrant for Search and Seizure , Legal Issues, Privacy Issues and Legal Compliance , and the Role of Local/International Agencies during Cybercrime Investigation . When a server is shared with another company , privacy and ownership concerns become especially important, and the initial step should be to consult the appropriate legal and organizational stakeholders before taking action.

Immediately seizing the server or ignoring privacy implications could violate legal boundaries and compromise admissibility. Avoiding the server entirely may also be inappropriate if it contains critical evidence. Likewise, jumping straight to a warrant may not be the most suitable first move until counsel and management clarify ownership, scope, privacy exposure, and the least intrusive legally defensible path.

Therefore, the strongest CHFI-aligned initial approach is to consult legal experts and company management to determine the correct lawful path forward before attempting access or seizure. That protects privacy rights, preserves admissibility, and aligns the investigation with proper search-and-seizure procedure.

The correct answer is D because Azure AD Audit Logs are designed to record directory-level changes inside the identity-management environment, including administrative modifications to users, groups, applications, and role-related actions. In a privilege-escalation case, investigators need to know who made the change, what was changed, and when it happened. That is exactly the kind of evidence Azure AD Audit Logs are meant to provide. In contrast, Azure AD Sign-in Logs focus on authentication attempts and sign-in context, not administrative change history. Azure Monitor Logs are broader telemetry and analytics sources, while Azure Activity Logs mainly track actions performed on Azure resource management objects at the subscription and resource level. The CHFI v11 blueprint includes cloud forensics, Azure log sources, and acquisition of cloud evidence, so the exam expects candidates to distinguish between identity-plane evidence and infrastructure-plane evidence. Since the question specifically points to changes in the organization’s identity-management environment and administrative role assignments, Azure AD Audit Logs are the most precise and defensible source for forensic review. This is consistent with Microsoft documentation that describes Entra ID audit logs as recording traceable directory changes and helping determine who made a change.

According to the CHFI v11 objectives under Web Application Forensics and Log Analysis , investigators must know the default log storage locations of commonly used web servers. On Windows-based systems , Internet Information Services (IIS) stores its web server logs within the inetpub directory, which resides on the system drive by default. The standard path used by IIS for logging HTTP and HTTPS requests is:

%SystemDrive%\inetpub\logs\LogFiles

In this question, the option %SystemDrive%\inetpub correctly points to the parent directory that contains IIS-related content, including the LogFiles directory where forensic-relevant web access logs are stored. These logs record critical details such as client IP addresses, request methods, requested URLs, HTTP status codes, timestamps, and user agents—key artifacts for reconstructing web-based attacks such as SQL injection, directory traversal, brute-force attempts, and malicious file uploads.

The other options are incorrect because they reference Apache web server configuration files used on Linux or UNIX systems, not IIS. Since the server in question is Windows-based and running IIS, those paths are irrelevant to the investigation.

The CHFI Exam Blueprint v4 explicitly includes IIS web server architecture and log analysis , emphasizing familiarity with default IIS log locations as essential for effective web attack investigations and evidence collection, making Option D the correct and exam-aligned answer

Answer B fits best because the investigators are correlating evidence from different security domains, in this case endpoint protection data and network intrusion-detection telemetry. Cross-domain event correlation is used when analysts combine events from separate domains or control layers to uncover a wider incident pattern that is not obvious when each alert stream is reviewed alone. The CHFI v11 blueprint specifically includes event correlation approaches, prerequisites of event correlation, and reconstruction of incident timelines. That is exactly what is happening here: antivirus alerts show suspicious activity on hosts, while IDS alerts reveal related outbound DNS behavior on the network. Together, these data sources can expose malware staging, command-and-control attempts, or data exfiltration paths. Route correlation and topology-based correlation do not fit as well because the question does not emphasize pathing through infrastructure topology. Multivariate correlation usually refers more broadly to statistical relationships across variables, not the explicit joining of alerts from separate investigative domains. Therefore, the strongest CHFI-aligned interpretation is cross-domain event correlation.