In a financial institution ' s computer forensic investigation, suspicious activity reveals unauthorized access to GLBA (Gramm-Leach-Bliley Act)-protected customer data, raising concerns for customer safety. However, identifying the breach ' s source and extent poses significant challenges, complicating compliance with GLBA guidelines. What steps should be taken in a GLBA-covered computer forensic investigation when unauthorized access to sensitive customer data is discovered?
Correct Answer: D
According to CHFI v11 objectives under Computer Forensics Fundamentals and Regulations, Policies, and Ethics , a forensic investigator must ensure that technical investigation activities align with applicable legal and regulatory requirements. The Gramm-Leach-Bliley Act (GLBA) mandates that financial institutions protect customers' nonpublic personal information (NPI) and respond appropriately to any unauthorized access or disclosure. When a breach involving GLBA-protected data is identified, the organization must follow a structured incident response and forensic investigation process while maintaining compliance with privacy laws. CHFI v11 emphasizes forensic readiness, legal compliance, and ethical handling of digital evidence. Notifying affected customers of their opt-out rights and implementing safeguards to protect compromised data are core requirements of GLBA's Privacy Rule and Safeguards Rule. Ignoring the incident violates forensic and legal responsibilities, while sharing sensitive data with third parties risks further disclosure. Informing law enforcement alone is insufficient if customer notification obligations are not met. Proper customer notification demonstrates due diligence, supports transparency, and reduces legal risk. From a CHFI perspective, this approach ensures lawful evidence handling, regulatory compliance, and preservation of organizational credibility during forensic investigations.
312-49v11 Exam Question 37
An investigator is reviewing an NTFS file system for evidence of file activity during a cybercrime investigation. The investigator uses The Sleuth Kit'sflsandmactimetools to extract and analyze timestamps related to file actions. These timestamps can provide critical insights into the sequence of events leading up to and during the incident. What kind of file information is the investigator likely focusing on to reconstruct the timeline?
Correct Answer: A
Within the CHFI v11 syllabus underOperating System ForensicsandImage/Evidence Examination and Event Correlation, timeline reconstruction is a core forensic technique used to understandwhat happened, when it happened, and in what order. When analyzing NTFS file systems, investigators rely heavily onMAC times-Modified, Accessed, and Createdtimestamps-to establish file activity. The Sleuth Kit toolsflsandmactimeare specifically designed for this purpose. Theflstool extracts file and directory metadata from a forensic image, whilemactimeprocesses this metadata to generate a chronological timeline of file system events. This timeline typically includesfile creation time, last modification time, and last access time, allowing investigators to correlate file activity with known incident times, user actions, or attacker behavior. Option B describes low-level file system analysis, which is useful in other contexts but is not the primary focus ofmactime. Option C relates to system-level operational timelines rather than file activity. Option D focuses on Windows event logs, which are valuable for corroboration but are separate from NTFS file system timestamp analysis. The CHFI v11 Exam Blueprint explicitly highlightsfile system timeline creation and analysis using The Sleuth Kit, emphasizing MAC timestamps as the foundational data used to reconstruct sequences of events during digital investigations
312-49v11 Exam Question 38
During a security audit of a web application, suspicious activity indicative of a directory traversal attack is detected in the server logs. The attack appears to exploit vulnerabilities to gain unauthorized access to sensitive files and directories. In digital forensics, what is the primary objective of investigating a directory traversal attack?
Correct Answer: C
According to the CHFI v11 Network and Web Attacks domain, a directory traversal attack (also known as path traversal) is a web-based attack in which an attacker manipulates input parameters (such as ../ sequences) to access files and directories outside the intended web root . This can expose sensitive resources such as configuration files, credentials, source code, system files, and application logs. The primary forensic objective when investigating a directory traversal attack is to determine the scope and impact of unauthorized access . CHFI v11 emphasizes that investigators must analyze web server logs, application logs, and access records to identify: * Which files or directories were accessed * Whether sensitive or confidential data was exposed * The time frame of the attack * The attacker's source IP and request patterns * Whether data was viewed, downloaded, or potentially modified Understanding the extent of data compromise is critical for incident response, regulatory notification, damage assessment, and legal proceedings. It also helps determine whether further attacks (such as privilege escalation or lateral movement) may have occurred following the traversal exploit. The other options are not aligned with forensic goals. Hardware configuration analysis and bandwidth optimization are operational tasks, not forensic objectives. Enhancing user experience is unrelated to incident investigation. CHFI v11 clearly states that the focus of web attack forensics is impact assessment and evidence reconstruction , making determining unauthorized access and data compromise the correct objective. Therefore, the correct and CHFI v11-verified answer is Option C .
312-49v11 Exam Question 39
You are a forensic investigator working for a cybersecurity firm tasked with analyzing a suspicious Microsoft Office document named "infected_doc." The document was discovered in an email attachment sent to multiple employees at a large corporation. Concerns have been raised about potential malware embedded within the document, particularly involving VBA macros. As a forensic investigator examining the "infected_doc" Microsoft Office document, what initial step would you take to identify suspicious or malicious components within the file?
Correct Answer: A
This question aligns with CHFI v11 objectives under Malware Forensics and Static Malware Analysis of Suspicious Documents . When analyzing potentially malicious Microsoft Office documents, CHFI v11 emphasizes that investigators should always begin with static analysis before attempting any form of execution. This approach minimizes risk and helps identify embedded threats such as VBA macros, OLE objects, exploits, and obfuscation techniques without activating the payload. The oleid tool (part of the oletools suite) is specifically designed for the initial inspection of OLE-based Microsoft Office documents . It quickly identifies indicators of compromise such as the presence of macros, embedded objects, suspicious file formats, encryption, and known exploit characteristics. CHFI v11 highlights oleid as a safe, non-intrusive first step to triage Office documents and determine whether deeper analysis (e.g., macro extraction or sandbox execution) is warranted. Opening the document in a sandbox is a dynamic analysis step and should only occur after static indicators confirm malicious intent. The other options are either non-standard or insufficient for detecting embedded macro-based malware. Therefore, consistent with CHFI v11 malware forensics methodology, executing oleid to review suspicious components is the correct initial step.
312-49v11 Exam Question 40
During a forensic investigation into a recent security incident within an organization, the investigator is tasked with documenting every action taken with the evidence to ensure proper chain of custody. The investigator carefully documents every action taken with the evidence in a logbook. The evidence is tagged with unique identifiers to prevent confusion. A detailed chain of custody record is also created to track the evidence's movement and handling throughout the investigation. Which investigation step is the investigator performing in this scenario?
Correct Answer: A
According to theCHFI v11 Procedures and Methodologydomain,evidence preservationis a critical step in the forensic investigation process and is closely tied to maintaining aproper chain of custody. Preservation ensures that digital evidence remainsunaltered, authentic, and legally admissiblefrom the moment it is collected until it is presented in court or a disciplinary proceeding. In the given scenario, the investigator isdocumenting every action, assigningunique identifiers, and maintaining achain of custody logthat records who handled the evidence, when it was handled, and for what purpose. CHFI v11 explicitly defines these actions as part of theevidence preservation phase, which occurs immediately after evidence identification and collection. This phase is designed to prevent evidence tampering, loss, contamination, or misidentification. The other options do not align with the described activities.Scopingfocuses on defining investigation boundaries,data analysisinvolves examining evidence for findings, andsearch and seizurerefers to the legal act of collecting evidence-none of which emphasize documentation and custody tracking. CHFI v11 stresses that failure to properly preserve evidence and document its handling can result inevidence being challenged or ruled inadmissible. Therefore, the investigator's actions clearly correspond to preserving the evidence, makingOption Athe correct and CHFI v11-verified answer.