ECCouncil Updated 312-49v11 Exam Questions and Answers by cecily

Option A is correct because CHFI v11 gives strong importance to legal and ethical handling of evidence , especially in contexts where data may contain personal or sensitive information. The blueprint explicitly includes seeking consent , best practices for handling digital evidence , legal issues, privacy issues and legal compliance , preserving evidence , and chain of custody . These requirements apply directly to mobile devices, which often contain highly private data and therefore demand careful lawful handling.

Obtaining permission from the device owner , or otherwise ensuring proper legal authority, is foundational to admissibility and professional forensic practice. Just as important, the evidence collection process must comply with applicable regulations and be documented properly. CHFI also covers the mobile forensics process and stresses that sound forensic work requires procedure, documentation, and defensible evidence handling.

Option B may sometimes be operationally useful, but failing to document the action is a major forensic weakness. Option C ignores tool suitability and legal compliance. Option D directly undermines admissibility because undocumented collection damages evidentiary credibility. Therefore, the most CHFI-aligned and legally defensible response is to obtain permission and ensure the process complies with relevant legal requirements.

Option B. Live Acquisition is the best answer because the computer is actively in use for critical tasks , which means shutting it down for a static or dead acquisition would disrupt operations and may also destroy volatile evidence. In CHFI methodology, when a system is running and immediate evidence preservation is necessary, live acquisition is the appropriate approach.

A live acquisition enables the investigator to capture both volatile and non-volatile evidence while the machine remains operational. This is especially important in data theft cases, where active sessions, memory-resident artifacts, current network connections, running processes, and open documents may be crucial to understanding how the leak occurred. Since the computer is continuously used and the situation is urgent, this method best balances evidentiary need with operational reality.

Differential acquisition is not the right concept here because the question is about choosing the overall acquisition mode. Remote acquisition may be possible in some environments, but it is not the primary answer to the problem described. Static acquisition generally requires the system to be inactive. Therefore, under CHFI data acquisition principles, the correct choice is Live Acquisition .

According to the CHFI v11 Procedures and Methodology domain, the eDiscovery process requires strict accountability, transparency, and defensibility of evidence handling. One of the most critical metrics in eDiscovery investigations is the audit trail , which documents every action performed on evidence throughout its lifecycle.

An audit trail records detailed information such as user access, file modifications, data exports, searches performed, timestamps, and system changes. CHFI v11 emphasizes that maintaining complete audit trails ensures chain of custody , supports legal admissibility , and allows investigators to prove that evidence was not altered or mishandled during the investigation. This is especially important in legal proceedings, where investigators may be required to demonstrate who accessed the data, when it was accessed, and what actions were taken.

The other options represent valid forensic considerations but do not directly address the requirement for full transparency and accountability . Legal holds focus on preservation, workload metrics measure efficiency, and data extraction accuracy addresses integrity—but none provide a complete, chronological record of investigator actions.

CHFI v11 explicitly highlights tracking audit logs and maintaining detailed activity records as a best practice for eDiscovery to ensure defensibility and compliance with legal standards such as the Electronic Discovery Reference Model (EDRM) .

Therefore, the investigator is primarily focusing on audit trail metrics , making Option A the correct and CHFI v11–verified answer.

Option B. Brute Force attack is the most appropriate answer because the scenario describes an attacker making thousands of rapid attempts using many different combinations of payment data from the same IP address. CHFI v11 includes Investigating Brute Force Attack as part of its network and web attack coverage.

The defining characteristic of a brute-force style attack is repeated automated trial-and-error attempts until valid data is found. In this case, the attacker is not relying on stolen session state, changing parameters in a single trusted request, or abusing XML parsing. Instead, the attacker is systematically testing combinations at scale, which is consistent with brute-force or card-testing behavior.

Cookie poisoning would focus on modifying session or cookie values. Parameter tampering involves altering request parameters to manipulate application logic. XXE targets XML parsers. None of those fit the described pattern as directly as repeated automated attempts from one source using numerous combinations. Therefore, under CHFI’s attack-investigation objectives, the strongest answer is Brute Force attack .