A regional bank, operating across several cities, recently discovered discrepancies in account balances following routine audits. The issues were noticed across various branches, prompting an internal investigation. Upon deeper analysis, it was revealed that someone with prior authorization had altered financial records. The investigation uncovered that a former employee, whose credentials had not been deactivated after leaving the company, had retained full control over critical systems. This oversight allowed the individual to modify transactional data, leading to inaccurate financial reports and potential harm to the bank ' s reputation. The adjustments made by the former employee were intentional and impacted customer accounts. Despite the employee no longer being employed, the lack of action to revoke their permissions allowed these changes to occur without any barriers. What classification of cybercrimes best fits this event?
Correct Answer: D
Option D is the best answer because the scenario describes misuse of previously authorized internal access rather than an external intrusion. CHFI v11 explicitly includes Types of Computer Crimes , Cyber Crime Investigation , and Insider Threat and Identity Theft Forensics as important areas of study. It also emphasizes forensic readiness, investigative challenges, and the role of investigators in examining misuse of legitimate access. The former employee still had active credentials and was able to alter transactional records because their permissions were not revoked. That makes this an insider-style abuse of role-based access , even though the individual was no longer officially employed. The key factor is that the attacker did not need to bypass perimeter defenses or crack authentication through brute-force methods; instead, they exploited existing trusted access that remained available inside the environment. Option A would involve stolen credentials used through credential stuffing, which is not what the question states. B incorrectly frames the event as an external breach. C is too narrow and does not describe the intentional misuse of privileged access. Therefore, under CHFI's insider threat and cybercrime classification concepts, this event is best classified as abuse of role-based access from within the network .
312-49v11 Exam Question 102
During an investigation, an examiner opens an Excel file with a .xlsm extension, indicating that the document is capable of containing malicious code. Upon closer inspection, the investigator must determine if the file poses a threat. What should the investigator focus on to identify potential risks?
Correct Answer: A
Option A is the best answer because the .xlsm extension specifically indicates a macro-enabled Excel document . In malware forensics, the most direct indicator of risk in such a file is the presence of macro- containing streams or embedded VBA content . When investigators suspect a malicious Office document, they first determine whether executable macro content exists, because that is often the primary mechanism used to deliver or launch malicious behavior. While external links, metadata, and unusual size can all be useful supporting indicators, they are not as central to the threat profile of an XLSM file as macro content is. The extension itself points the examiner toward macro analysis as the most relevant first focus. If macros are present, they can be reviewed for suspicious functions, obfuscation, PowerShell or shell commands, downloader behavior, and other signs of malicious intent. Therefore, from a CHFI-style malware-document analysis perspective, the investigator should first focus on whether the file contains macro-related streams , because that is the clearest and most direct source of malicious functionality in a macro-enabled Excel document.
312-49v11 Exam Question 103
During a forensic investigation into a recent security incident within an organization, the investigator is tasked with documenting every action taken with the evidence to ensure proper chain of custody. The investigator carefully documents every action taken with the evidence in a logbook. The evidence is tagged with unique identifiers to prevent confusion. A detailed chain of custody record is also created to track the evidence ' s movement and handling throughout the investigation. Which investigation step is the investigator performing in this scenario?
Correct Answer: A
According to the CHFI v11 Procedures and Methodology domain, evidence preservation is a critical step in the forensic investigation process and is closely tied to maintaining a proper chain of custody . Preservation ensures that digital evidence remains unaltered, authentic, and legally admissible from the moment it is collected until it is presented in court or a disciplinary proceeding. In the given scenario, the investigator is documenting every action , assigning unique identifiers , and maintaining a chain of custody log that records who handled the evidence, when it was handled, and for what purpose. CHFI v11 explicitly defines these actions as part of the evidence preservation phase , which occurs immediately after evidence identification and collection. This phase is designed to prevent evidence tampering, loss, contamination, or misidentification. The other options do not align with the described activities. Scoping focuses on defining investigation boundaries, data analysis involves examining evidence for findings, and search and seizure refers to the legal act of collecting evidence-none of which emphasize documentation and custody tracking. CHFI v11 stresses that failure to properly preserve evidence and document its handling can result in evidence being challenged or ruled inadmissible . Therefore, the investigator's actions clearly correspond to preserving the evidence , making Option A the correct and CHFI v11-verified answer.
312-49v11 Exam Question 104
Sarah, a security analyst, is reviewing the security audit logs from a Windows machine to detect unauthorized activities. She comes across an event with the ID 4663 in the Windows Event Viewer, which corresponds to a specific type of system interaction. After further analysis, she determines that this event is related to an activity involving critical system objects. What does Event ID 4663 specifically indicate in relation to Windows security?
Correct Answer: A
This question aligns with CHFI v11 objectives under Operating System Forensics , specifically Windows Security Event Log analysis and object access auditing . In Windows systems, Event ID 4663 is generated when an attempt is made to access an object (such as a file, folder, registry key, or other securable object) and detailed auditing is enabled. CHFI v11 emphasizes the importance of this event in identifying unauthorized or suspicious access attempts to sensitive system resources. Event ID 4663 provides granular information about the type of access requested , such as read, write, modify, delete, or permission changes. This makes it particularly valuable in forensic investigations, as it allows investigators to determine whether a user or process attempted to modify critical system objects, which is often indicative of malicious activity, privilege abuse, or insider threats. While deletion events are logged separately (e.g., Event ID 4660), and general logon activity is captured by different event IDs (such as 4624), Event ID 4663 focuses specifically on object access attempts . Option C is partially descriptive but too broad; the defining characteristic of Event ID 4663 is the attempt to open an object with specific access rights , making option A the most precise and CHFI v11-aligned answer.
312-49v11 Exam Question 105
A cybersecurity analyst at a leading technology firm has discovered a suspicious file in the company ' s network. Concerned that it may be malware, the analyst decides to conduct both static and dynamic analysis to assess the potential threat posed by the file. In the scenario described, what would be the primary purpose of conducting static analysis on the suspicious file?
Correct Answer: A
Option A is the best answer because CHFI v11 explicitly includes Malware Analysis: Static and Dynamic and the use of a controlled malware analysis lab to examine suspicious files safely. The defining purpose of static analysis is to inspect a file without executing it , allowing the investigator to identify indicators such as strings, imports, headers, embedded resources, suspicious metadata, obfuscation, or other structural signs of malicious intent. This is different from dynamic analysis , which involves running the file in a sandbox or controlled environment to observe behavior. Option B and C therefore describe dynamic analysis, not static analysis. Option D may be part of deeper reverse engineering, but it is narrower and more advanced than the broader primary purpose of static analysis, which is safe, non-executing inspection to identify likely threats. Because the question asks for the main reason to perform static analysis, the most accurate CHFI-aligned answer is analyzing the suspicious file's code and structure without running it in order to identify potential security threats.