ECCouncil Updated 312-49v11 Exam Questions and Answers by adelaide

According to the CHFI v11 objectives under Network Forensics and Wireless Network Security , investigators must be able to discover, analyze, and visualize wireless network activity when assessing potential threats such as rogue access points, weak encryption, or signal leakage beyond controlled premises. NetSurveyor is a specialized wireless network discovery and diagnostic tool designed precisely for this purpose.

NetSurveyor passively detects nearby wireless access points and displays real-time information such as SSID (AP name), signal strength, channel usage, encryption type, and MAC addresses . One of its key strengths—explicitly aligned with CHFI training—is its ability to present this data using graphical charts and diagnostic views , making it easier for investigators to identify abnormal signal patterns, unauthorized APs, or overlapping channels that may indicate security weaknesses or malicious activity.

The other options are not suitable for wireless network assessment. John the Ripper and hashcat are password-cracking tools used in credential analysis, not network visualization. Netcraft is primarily used for website and server footprinting, not real-time wireless network monitoring.

The CHFI Exam Blueprint v4 emphasizes investigating wireless network traffic, detecting rogue access points, and performing attack and vulnerability monitoring , all of which require tools like NetSurveyor. Therefore, NetSurveyor is the most appropriate and exam-aligned tool for this scenario

According to the CHFI v11 objectives under Setting Up a Computer Forensics Lab and Ensuring Quality Assurance , maintaining strict control over who can access the forensic laboratory is a fundamental security requirement. The scenario described clearly aligns with physical access considerations , which focus on controlling, monitoring, and documenting entry into the forensic facility. Recording visitor details such as identity, time of entry, and purpose of visit ensures accountability and helps protect sensitive evidence, forensic tools, and investigation data from unauthorized access or tampering.

CHFI v11 emphasizes that forensic labs must implement visitor logs, access authorization procedures, and monitoring mechanisms as part of best practices. These measures directly support the chain of custody by demonstrating that evidence was only accessible to authorized individuals, which is essential for legal admissibility. In the event of an audit or court proceeding, access records can be used to prove that evidence integrity was preserved throughout the investigation lifecycle.

Human resource considerations (Option A) relate to staffing, training, and role assignments, not visitor access. Work area considerations (Option B) address workspace layout and equipment placement. Physical and structural design considerations (Option D) involve building architecture and security infrastructure such as locks or surveillance systems, but not the administrative tracking of visitors.

Therefore, in accordance with CHFI v11 forensic lab security guidelines, physical access considerations best describe the security control being implemented

The correct answer is B because ASCII is the character encoding standard that uses 7 bits and represents 128 unique characters. Those characters include English letters, digits, punctuation marks, and control characters, which matches the exact constraints described in the question. CHFI v11 includes character encoding standards such as ASCII and Unicode under file and data analysis, so candidates are expected to connect specific encoding limits to the right standard. UTF-8, UTF-16, and Unicode support much larger character sets and are designed to represent international text beyond the basic 128-character range. Although UTF-8 is backward compatible with ASCII for the first 128 characters, the question is explicitly asking for the compact 7-bit standard itself. In forensic recovery, identifying the correct encoding helps examiners reconstruct deleted text fragments accurately and avoid misinterpreting byte values as the wrong character set. Since the fragment set is limited to standard English characters and basic punctuation within a 128-symbol 7-bit scheme, ASCII is the only option that precisely fits. That makes ASCII the correct CHFI-aligned answer.

Option C. Sysmon is the best answer because CHFI v11 explicitly includes system behavior analysis involving monitoring files and folders , along with monitoring processes, services, startup programs, Windows event logs, API calls, and device drivers . In this scenario, Bob needs a tool that can log file and folder changes on a Windows system so he can understand how the malware modified the environment to hide itself.

Sysmon is designed to generate detailed system activity logs that can help investigators track suspicious changes and correlate them with process execution and other indicators of compromise. That makes it much more appropriate than the other choices. IDA Pro is primarily for reverse engineering binaries, EnCase is a broad forensic suite rather than a dedicated real-time system activity monitor, and FTK Imager focuses on imaging and evidence preview rather than ongoing change logging.

Because the question is specifically about monitoring and logging changes to files and folders , Sysmon is the most direct and CHFI-aligned answer for observing malware behavior at the system level.