Linda, a network security analyst, is reviewing the firewall logs after the security team identified unusual activity on the company's network. The firewall logs show multiple inbound connection attempts that were blocked, and Linda notices that the source IP address in these logs corresponds to an address that falls outside the organization ' s normal network range. This unfamiliar IP raises a red flag, and Linda knows that this could potentially be an attempt to breach the network. Given the suspicious nature of the traffic and the company ' s recent focus on strengthening security measures, Linda must take the next step in her investigation to determine whether this activity is part of a broader attack attempt or if it is a legitimate request that was mistakenly flagged. At this point, Linda considers several options. Which of the following steps should she take next to further investigate the potential security breach caused by this suspicious external IP address?
Correct Answer: C
Option C is the best answer because CHFI v11 emphasizes the Role of Threat Intelligence in Computer Forensics , Indicators of Compromise (IoC) , and the analysis of firewall and network logs during attack investigations. When an unfamiliar external IP appears repeatedly in blocked inbound attempts, one of the most useful next steps is to determine whether that address is linked to known malicious infrastructure or threat intelligence feeds. Checking threat-intelligence associations helps the investigator decide whether the activity is likely part of a broader intrusion campaign, commodity scanning, botnet behavior, or a known hostile source. That is more directly useful than checking firewall health, which does not address the source's intent. Looking for prior successful logins from the same IP may be helpful later, but it is less immediate than determining whether the IP is already known to be suspicious. Logging all traffic for the future is good practice, but it does not answer the present investigative question. Therefore, under CHFI's network-forensics and threat-intelligence principles, Linda should next verify whether the source IP is associated with known threat intelligence sources .
312-49v11 Exam Question 67
As the senior forensic analyst for an international software development firm, you're tasked with handling an ongoing investigation into suspected insider threats. Several project files have been reported as missing from the company's secured servers. In one instance, a junior team member reported receiving an email, seemingly from his manager, instructing him to move specific files to a shared network location. After complying, the files disappeared. As part of your investigation, you have acquired disk images of all systems involved. What should be your next step?
Correct Answer: D
Option D is the best answer because the scenario strongly suggests a deceptive email-based social engineering event that triggered the movement and disappearance of the files. The most important next step is to identify whether the email was genuinely sent by the manager or whether it was spoofed, relayed, or otherwise malicious. In CHFI terms, this aligns with examining the source of the incident , correlating email artifacts with server logs , and reconstructing the sequence of events to determine attribution and attack method. Although disk images have already been acquired, the question asks for the next step in the investigation. Since the trigger was a suspicious instruction sent by email, analyzing email headers can reveal sender path, relay details, spoofing indicators, and authentication issues. Reviewing server logs can then confirm access activity, file movement, and related actions around the same timeframe. That gives the investigator a clearer understanding of whether this was phishing, impersonation, or insider misuse. Option A is too broad, B is premature, and C focuses on consequences rather than the initiating cause. Therefore, header and log analysis is the strongest first analytical move.
312-49v11 Exam Question 68
An international airline recently discovered a cyber intrusion in their reservation system. The breach was intricately planned and executed, leaving very few traces behind. The threat actors utilized sophisticated anti- forensics techniques, including data obfuscation and log manipulation, making it challenging for the internal cybersecurity team to trace the attack ' s origin and understand its full impact. Faced with this complicated investigation, which of the following should be the first course of action for the cybersecurity team?
Correct Answer: C
Option C is the best first course of action because, in a complex intrusion involving anti-forensics , the investigation must first establish the scope and impact of the breach before deeper reverse engineering or broad remediation decisions are made. CHFI v11 emphasizes the forensic investigation process , including first response , evidence preservation , case analysis , and understanding indicators of compromise and anti-forensics challenges . Determining exactly what data was compromised is foundational. It helps investigators define the severity of the incident, identify affected systems and stakeholders, prioritize evidence collection, and support legal, regulatory, and business response requirements. Without first establishing the compromised data set, later activities such as reverse engineering attacker methods or deploying broad controls may be less targeted and less effective. Option A may become important later, but it is not the most immediate first step in understanding breach impact. B and D are response measures, yet prematurely changing the environment can complicate forensic analysis. Therefore, under CHFI's investigation-process and anti-forensics principles, the most appropriate first action is to identify the exact data that has been compromised .
312-49v11 Exam Question 69
As a cybersecurity analyst, recently, you detected an unusual increase in network traffic originating from multiple endpoints within the organization's network. Upon further investigation, you discovered that several employees received phishing emails containing seemingly innocuous attachments. However, these attachments are suspected to be part of a GootLoader campaign, a notorious malware distribution method. What could be concluded for the attachments?
Correct Answer: A
Option A is the best answer because the question explicitly identifies the attachments as being associated with a GootLoader campaign , which is commonly understood as a malware delivery mechanism that uses deceptive content to stage later malicious activity. In this context, the attachment is most logically interpreted as a first-stage payload or infection vector rather than the final malware objective itself. From a CHFI-style malware forensics perspective, investigators first determine how malicious code was delivered , then analyze what subsequent payloads or behaviors followed. In phishing-driven infection chains, the initial attachment often acts as the first phase that enables download, execution, or delivery of additional malware. That fits the fact pattern far better than assuming the attachment itself must specifically be spyware, ransomware, or a zero-day exploit. Options B , C , and D may describe possible later effects in some campaigns, but the most defensible conclusion from the wording is that these attachments are part of the initial delivery stage of GootLoader. Therefore, the correct answer is that the attachments are likely serving as the first-stage payload in the campaign and should be analyzed as the initial malicious component in the infection chain.
312-49v11 Exam Question 70
You ' re a digital forensics investigator tasked with analyzing a bitmap image file (BMP) to gather information about its structure and contents. Understanding the file structure and data components is essential for conducting a thorough analysis. Which component of a bitmap image file contains data about the type, size, and layout of the file?
Correct Answer: C
According to the CHFI v11 objectives under Analyzing Various File Types and Image File Analysis (BMP) , understanding bitmap (BMP) file structure is critical for identifying hidden data, detecting tampering, and validating file integrity during forensic investigations. A BMP file is composed of multiple structured components, each serving a specific purpose. The Information Header (also known as the DIB header ) is the component that contains detailed metadata about the bitmap image. This includes essential attributes such as image width and height, color depth (bits per pixel), compression method, image size, resolution, and pixel layout . These attributes define how the image data should be interpreted and rendered, making the information header central to forensic analysis. Investigators rely on this header to verify whether image properties are consistent with expectations or have been manipulated. The File Header (Option A) primarily identifies the file as a BMP and provides the offset to the image data, but it does not describe the image layout in detail. Image data (Option B) contains the actual pixel values, while the RGBQUAD array (Option D) defines the color palette for indexed images and does not describe file structure. The CHFI Exam Blueprint v4 explicitly covers BMP file analysis and hex-level examination , highlighting the Information Header as the key structure for understanding bitmap characteristics, making Option C the correct and exam-aligned answer