ECCouncil Updated 312-49v11 Exam Questions and Answers by dulcie

Option C. Time of the Connection Attempt is the strongest answer because CHFI v11 emphasizes analyzing firewall logs , types of event correlation , timeline and kill chain analysis , and understanding how multiple events fit together during an incident investigation.

In this scenario, the firewall has already denied the connections, so Firewall Action Taken adds little new value. The Destination IP Address may show which internal asset was targeted, and the Source Port Number is usually less useful for judging intent. What most helps determine whether the activity is part of a broader intrusion attempt is the timing of the events: whether they align with other suspicious logs, occur in repeated patterns, coincide with activity on targeted hosts, or match known scanning or attack windows. Time data is essential for correlating firewall entries with IDS alerts, authentication failures, endpoint events, or other signs of coordinated activity.

Because CHFI teaches investigators to build timelines and correlate events across evidence sources, the time of the connection attempt provides the most critical context for distinguishing random scanning from a potentially coordinated intrusion attempt.

Option C is correct because Taylor is trying to confirm whether the brute-force activity against the FTP service eventually resulted in a successful login . CHFI v11 explicitly includes network protocols and packet analysis , gathering evidence via sniffers , and analyze traffic for FTP and SMB password cracking attempts under network-forensics objectives.

In FTP analysis, the response code 230 indicates that the user has been logged in successfully. That makes it the key value an investigator would filter for after observing repeated failed attempts. By contrast, 530 is associated with failed authentication or not logged in, 213 is commonly related to file status information, and 550 typically indicates file unavailability or access issues rather than successful authentication.

Because CHFI emphasizes recognizing indicators of brute-force attempts and validating attack success through packet analysis, the correct Wireshark filter is ftp.response.code == 230 . This directly confirms whether the attacker moved from repeated FTP login failures to a successful authenticated session.

The correct answer is B because ENFSI guidance describes early case handling in terms that match the scenario: assessing the case, prioritizing exhibits when there are many of them, and documenting which items were and were not examined. ENFSI’s Best Practice Manual for the Forensic Examination of Digital Technology notes that when a large number of exhibits are submitted, it may be necessary to selectively prioritize examination and clearly document which exhibits have and have not been analyzed, along with the depth of analysis. That is the essence of initial case evaluation. CHFI v11 includes investigation process setup, evidence handling, and quality-driven forensic methodology, so this question fits the stage where the laboratory decides how to triage workload before deep analysis begins. Live analysis of remote systems and acquisition of data are later operational tasks, while laboratory assessment is too generic and does not specifically capture the triage and prioritization focus described. Since the key activities here are preliminary evaluation, prioritization, and documentation of scope under heavy exhibit volume, the best matching ENFSI phase is Initial Case Evaluation.

The correct answer is A because the initial triage step with oledump is to run the tool against the file without selecting a stream first, which lists the OLE streams and marks macro-containing streams with an uppercase M. Didier Stevens’ oledump guidance explains that the tool is used to analyze OLE files and that the first inspection step is to list the streams present in the document. Only after that listing do investigators normally use options such as -s to select a specific stream for deeper inspection. This matches the question, which asks for the command to list the streams and identify where macro content is located before any macro extraction occurs. CHFI v11 includes analysis of suspicious Word, Excel, and PDF documents under malware forensics, so recognizing the correct first-pass document triage workflow is relevant to the exam. Since the task is discovery of suspicious OLE streams rather than extraction or decoding, the basic oledump invocation is the best answer among the options provided.