ECCouncil Updated 312-49v11 Exam Questions and Answers by giulia

According to the CHFI v11 Operating System Forensics and Digital Evidence Analysis objectives, The Sleuth Kit (TSK) is a core open-source forensic framework used to analyze disk images and file systems , including NTFS, FAT, EXT, and others. TSK is designed as a modular toolkit , offering both command-line utilities (such as fsstat, fls, and istat) and a plug-in framework that enables structured, extensible analysis.

The fsstat tool is part of this framework and is used to extract file system metadata , including cluster size, inode structure, allocation status, and volume layout—key artifacts required for timeline reconstruction and anomaly detection. CHFI v11 emphasizes that investigators typically analyze disk images using TSK’s plug-in–based architecture , which allows multiple forensic modules to operate consistently on the same evidence source without altering it. This architecture is also what enables higher-level forensic platforms (such as Autopsy) to integrate TSK seamlessly.

The other options are incorrect. TSK does not perform network scans , nor does it rely on unstructured manual inspection . While TSK provides APIs for developers, writing custom code is not required for standard disk image analysis and is not the primary method emphasized in CHFI v11.

Therefore, in alignment with CHFI v11, an investigator analyzes disk images using TSK through its plug-in framework , making Option C the correct answer.

Option A is the best answer because CHFI v11 explicitly includes “Perform Static and Dynamic Malware Analysis in a Sandboxed Environment,” “Malware Analysis: Static and Dynamic,” and the “Prominence of Setting up a Controlled Malware Analysis Lab.” These objectives show that the purpose of a sandbox is to let investigators safely run malware and observe what it does without putting production systems at risk.

A ransomware sample that evades traditional antivirus must be studied through controlled execution so analysts can identify file-encryption behavior, persistence mechanisms, dropped files, registry changes, process activity, and network communications. That is exactly what a malware sandbox is built for. It provides containment while allowing the forensic team to gather behavioral indicators and build defensive countermeasures.

Option B is unsafe and contrary to forensic practice. Option C misunderstands the purpose of sandboxing, and D refers to remediation rather than analysis. Therefore, under CHFI’s malware-forensics objectives, the primary objective of using a malware sandbox is to execute and observe the ransomware in a controlled environment so its behavior can be understood and documented.

The correct answer is C because group creation is the earliest enabling action in the sequence described. Microsoft’s audit references identify Event ID 4727 as the creation of a security-enabled global group, while 4728 records a member being added, 4729 records a member being removed, and 4730 records deletion of the group. If analysts are reconstructing the privilege-escalation path, the creation of the group is the foundational event that makes later membership changes possible. In other words, the add and remove operations depend on the group already existing. CHFI v11 covers account-management events, evaluation of event logs, and using logs as evidence, so candidates are expected to reason not only from event meaning but also from event order. In a timeline analysis, identifying the first action that established the structure later used for privilege expansion is essential. That makes Event ID 4727 the correct answer. It represents the initial administrative action that enabled the subsequent changes captured in the following events.

The correct answer is B because com.apple.recentitems.plist is the user-level preference artifact associated with recently used items and application-related recent activity in macOS. Community and forensic references identify this plist in the user’s Preferences directory as storing recent-items information that can support timeline reconstruction of user activity. This makes it the best fit when the investigator wants a user-specific plist that reflects application usage around a suspicious time window. Application Support is a directory rather than the specific plist artifact being asked for. com.apple.desktop.plist and com.apple.dock.plist may contain useful configuration or interface state, but they are not the most directly relevant source for recent-item style application usage. CHFI v11 includes macOS forensic data, log files, and directories, so candidates are expected to know where user-activity artifacts reside inside the home profile. Since the question explicitly points to ~/Library/Preferences and asks for the plist that records usage relevant to recent activity, com.apple.recentitems.plist is the most appropriate answer.