A cybersecurity firm is conducting a forensic investigation into a suspected data breach at a financial institution. During the investigation, the forensic analysts encounter encrypted files protected by strong passwords, hindering their ability to access critical evidence related to the breach. Considering the challenges posed by password protection in digital forensics investigations, which anti- forensics technique is being employed to impede the forensic analysis process in this scenario?
Correct Answer: C
This scenario aligns with CHFI v11 objectives underAnti-Forensics Techniques, specifically techniques used by attackers to prevent investigators from accessing digital evidence.Data encryptionis a well-known and widely used anti-forensic method where files are encrypted using strong cryptographic algorithms and protected with complex passwords. While encryption is a legitimate security control, adversaries often misuse it to deliberately obstruct forensic analysis and delay investigations. CHFI v11 explains that encrypted files render data unreadable without the correct decryption key, making it extremely difficult for investigators to examine file contents within acceptable timeframes. This can significantly hinder evidence discovery, timeline reconstruction, and incident scoping. Investigators must then rely on password cracking, key recovery, memory forensics, or legal assistance to access the data-each of which introduces complexity, cost, and time delays. Data manipulation involves altering or deleting evidence, data obfuscation focuses on making data confusing but still accessible, and data hiding conceals information in alternate locations. In contrast, the defining characteristic in this scenario ispassword-protected encrypted files, which directly corresponds to data encryption. Therefore, consistent with CHFI v11 classifications,data encryptionis the correct anti-forensic technique being employed.
312-49v11 Exam Question 12
You ' re a forensic investigator tasked with analyzing a potential security breach on an Internet Information Services (IIS) web server. Your objective is to collect and analyze IIS logs to determine how and from where the attack occurred. Where are IIS log files typically stored by default on Windows Server operating systems?
Correct Answer: C
According to the CHFI v11 objectives under Web Application Forensics and Log Analysis , knowing the default storage locations of web server logs is essential for reconstructing web-based attacks. On Windows Server operating systems, Internet Information Services (IIS) stores its HTTP and HTTPS request logs by default in the directory: %SystemDrive%\inetpub\logs\LogFiles This directory contains subfolders such as W3SVC1, W3SVC2, etc., where each folder corresponds to a specific IIS website instance. The log files stored here record critical forensic details including client IP addresses, timestamps, HTTP methods, requested URLs, status codes, user agents, and referrers . These artifacts allow investigators to identify attack vectors such as SQL injection, command injection, directory traversal, brute-force attempts, and web shell uploads. The other options are incorrect because they do not represent default IIS log locations. %AppData% is user- profile specific, %ProgramFiles% contains application binaries rather than logs, and %SystemRoot% \Logs\IIS is not a standard IIS logging path. The CHFI Exam Blueprint v4 explicitly covers IIS web server architecture and log analysis , emphasizing familiarity with default log paths to ensure timely evidence acquisition and accurate incident reconstruction. Therefore, %SystemDrive%\inetpub\logs\LogFiles is the correct and exam-aligned answer
312-49v11 Exam Question 13
After a cybercrime investigation involving a compromised Windows system, an investigator is tasked with recovering private browsing artifacts. The investigator decides to retrieve data from the pagefile. sys and other live memory captures to identify traces of activity from private browsing modes. Which tool should the investigator use to analyze the live system and recover these private browsing artifacts?
Correct Answer: C
This question aligns with CHFI v11 objectives underOperating System ForensicsandVolatile and Non- Volatile Data Analysis, particularly the recovery of artifacts from live memory and system files such as pagefile.sys. Private browsing modes (e.g., InPrivate, Incognito) are designed to minimize persistent artifacts on disk; however, CHFI v11 emphasizes thatmemory, page files, and swap files often retain remnants of browsing activity, including URLs, session data, cached content, and credentials. FTK Imageris a forensically sound tool widely used forlive data acquisition, memory capture, and analysis of volatile artifacts. It allows investigators to acquire RAM, pagefile.sys, hiberfil.sys, and other critical system files without altering evidence integrity. CHFI v11 specifically highlights FTK Imager as a preferred tool for collecting and examining live system data and recovering artifacts that are not available through traditional disk-only analysis. PsLoggedOn is used to identify logged-in users, Exeinfo analyzes executable file formats, and zsteg is a steganography detection tool. None of these are suitable for live memory or pagefile analysis. Therefore, consistent with CHFI v11 forensic best practices,FTK Imageris the correct tool to recover private browsing artifacts from live Windows systems.
312-49v11 Exam Question 14
Theodore, a forensic expert, was tasked with investigating a cybercrime involving a Windows operating system running on NTFS. In the course of the investigation, he accessed and analyzed several metadata files stored in the root directory of the file system. These metadata files maintain records for every file stored on the system, including information such as file names, sizes, timestamps, and location on disk. While examining these files, Theodore was able to discover crucial data that helped track malicious events linked to the cybercrime. Which of the following system files did Theodore access to retrieve these records?
Correct Answer: D
This question directly maps to CHFI v11 objectives under Operating System Forensics , specifically NTFS file system analysis and metadata examination . In NTFS, the Master File Table (MFT) is the core metadata file that contains a record for every file and directory on the volume. CHFI v11 emphasizes that the $MFT is one of the most critical artifacts in Windows forensics because it stores essential attributes such as file names, file sizes, creation/modification/access timestamps, permissions, and the physical location of file data on disk. Each file on an NTFS volume has at least one corresponding MFT entry, making $MFT invaluable for reconstructing user activity, detecting deleted files, and correlating timelines during cybercrime investigations. Investigators often analyze the $MFT to uncover evidence of malicious file creation, modification, execution, or deletion-even when files have been removed from the file system view. The other options serve different purposes: $LogFile tracks transactional changes, $MFTMirr holds a backup of part of the MFT, and $Volume stores volume-level information. Therefore, consistent with CHFI v11 NTFS forensic principles, the file Theodore accessed is $MFT .
312-49v11 Exam Question 15
Forensic investigators respond to a smart home burglary. They identify, collect, and preserve IoT devices, then analyze data from cloud services and synced smartphones. A detailed report is prepared for court presentation, outlining the investigation process and the evidence collected. Which stage of theIoT forensic processensures thatevidence integrity is maintained by preventing alteration before collection?
Correct Answer: D
According to theCHFI v11 Mobile and IoT Forensicsdomain, thepreservation stageis specifically responsible for ensuring that digital evidence remainsunaltered, intact, and legally admissiblethroughout the forensic lifecycle. Preservation beginsimmediately after evidence is identifiedand continues until the investigation is concluded and evidence is presented in court. In IoT investigations, preservation is especially critical because IoT devices-such as smart locks, cameras, sensors, and hubs-often containvolatile data, limited storage, and continuous network connectivity. CHFI v11 emphasizes that investigators must take steps such asisolating devices from networks, disabling remote access, preventing firmware updates, maintaining power states when necessary, and documenting handling proceduresto avoid unintentional data modification or loss. Whileevidence identification and collectionfocuses on locating and acquiring devices and data sources, it does not by itself guarantee protection against alteration.Data analysisandpresentation/reportingoccur later and rely on evidence that has already been preserved correctly. Any failure in preservation can compromise chain of custody and result in evidence being challenged or excluded. CHFI v11 explicitly states thatpreservation safeguards evidence integrity before, during, and after collection, making it the foundation of a defensible IoT forensic investigation. Therefore, the stage that ensures evidence integrity by preventing alteration before collection isPreservation, makingOption Dthe correct and CHFI v11-verified answer.