Evelyn, a forensic investigator, is tasked with analyzing a Linux machine suspected of harboring malicious activity. She needs to examine open files and identify which processes are associated with those files. Which Volatility Framework plugin should Evelyn use to list the open files and their associated processes from a RAM image?
Correct Answer: C
Option C. linux.lsof is the correct answer because the requirement is to identify open files and the processes associated with those files from a Linux memory image. In forensic practice, the naming of the plugin itself is a strong indicator: lsof stands for list open files , which directly matches the question. CHFI v11 includes Linux forensics , memory analysis , and the examination of system and process artifacts as part of operating system forensics. In that context, an investigator must know which analysis method or plugin maps to a specific artifact need. The other options do not match the requested task as precisely. linux.pslist is used to list running processes, but not specifically open files. linux.mount would be relevant to mounted file systems rather than file handles tied to processes. linux.malfind is associated with finding suspicious or injected memory regions, not enumerating open files. Because the task is to correlate file activity with process context in RAM, linux.lsof is the most accurate and forensicly appropriate choice under CHFI-style Linux memory analysis objectives.
312-49v11 Exam Question 117
An organization is preparing to establish an in-house eDiscovery team to handle the identification, collection, and preservation of electronic evidence for a cybercrime investigation. This team is comprised of experts from both the legal and IT departments, ensuring that the process is not only efficient but also fully compliant with legal standards. The legal team is tasked with defining the specific scenarios, protocols, and legal guidelines under which evidence can be collected, ensuring that the entire process aligns with legal frameworks and requirements. Meanwhile, the IT team is responsible for managing the technical aspects of the collection process, ensuring that evidence is gathered in a secure and forensically sound manner, avoiding any risk of data alteration or loss. By bringing together both legal and IT professionals, the organization can ensure that both the technical and legal facets of eDiscovery are handled appropriately. What is the primary benefit of involving both legal and IT teams in the eDiscovery process?
Correct Answer: A
Option A is the best answer because it directly matches CHFI v11's treatment of Legal and IT Team Considerations for eDiscovery , the EDRM Cycle , eDiscovery collections/methodologies , and the need to manage evidence in a way that is both technically sound and legally defensible . The IT team plays the primary role in ensuring that electronically stored information is identified, preserved, and collected without altering or damaging the evidence. That supports integrity, authenticity, and forensic soundness . The legal team, by contrast, ensures that collection scope, process, privacy considerations, and production decisions comply with the applicable rules so the evidence remains admissible and usable in court . CHFI stresses both the legal and technical dimensions of digital evidence handling, especially in eDiscovery contexts. Option B is too narrow and misstates the legal team's role. C focuses on analysis rather than the stated primary benefit. D reverses the responsibilities. Therefore, the core advantage of involving both teams is that IT preserves evidentiary integrity while legal protects admissibility and compliance .
312-49v11 Exam Question 118
Rachel, a computer forensic investigator, is investigating a case of data theft at a law firm. She needs to capture and analyze the data present in a specific computer which is believed to be the source of the data leak. However, the computer is continuously being used for critical tasks. Rachel is considering her options for data acquisition. Given the urgency of the situation, which type of data acquisition should Rachel choose?
Correct Answer: B
Option B. Live Acquisition is the best answer because the computer is actively in use for critical tasks , which means shutting it down for a static or dead acquisition would disrupt operations and may also destroy volatile evidence. In CHFI methodology, when a system is running and immediate evidence preservation is necessary, live acquisition is the appropriate approach. A live acquisition enables the investigator to capture both volatile and non-volatile evidence while the machine remains operational. This is especially important in data theft cases, where active sessions, memory- resident artifacts, current network connections, running processes, and open documents may be crucial to understanding how the leak occurred. Since the computer is continuously used and the situation is urgent, this method best balances evidentiary need with operational reality. Differential acquisition is not the right concept here because the question is about choosing the overall acquisition mode. Remote acquisition may be possible in some environments, but it is not the primary answer to the problem described. Static acquisition generally requires the system to be inactive. Therefore, under CHFI data acquisition principles, the correct choice is Live Acquisition .
312-49v11 Exam Question 119
Following a cyber incident in an organization where most employees use MacBooks, a forensic investigator named Alex is tasked with analyzing one of the affected Mac systems. Alex needs a comprehensive Mac forensic tool capable of analyzing system logs, artifacts, file systems, and user activities. What should be Alex ' s tool of choice?
Correct Answer: B
Option B. Magnet AXIOM is the best answer because CHFI v11 explicitly includes MAC Forensic Tools , Collecting and Analyzing macOS Artifacts , Analyzing macOS User Activities , Viewing Log Messages in Mac , and APFS file system analysis as important objectives for operating system forensics. The question asks for a comprehensive Mac forensic tool that can handle system logs, artifacts, file systems, and user activity. Among the options, Magnet AXIOM is the one that best fits that broad forensic role. Wireshark is a network traffic analysis tool, not a full Mac forensic suite. Metasploit is a penetration testing and exploitation framework, not an evidence-analysis platform. IDA Pro is used for reverse engineering binaries, which is far narrower than the full-system forensic requirement described here. Because Alex needs a single tool capable of broad macOS evidence examination, the most suitable CHFI- aligned answer is Magnet AXIOM . It best matches the blueprint's focus on Mac artifact analysis, user activity reconstruction, and forensic tool use across operating systems.
312-49v11 Exam Question 120
The legal team of the financial institution is tasked with collecting, processing, reviewing, and producing relevant ESI in response to the litigation. The ESI includes a vast array of financial records, emails, and documents stored across multiple servers and databases. To manage eDiscovery effectively and meet legal obligations, the organization should adopt which comprehensive strategy aligned with the Electronic Discovery Reference Model {EDRM) Cycle.
Correct Answer: C
Option C is the strongest answer because it best reflects a structured, defensible approach under the EDRM Cycle . CHFI v11 explicitly covers the eDiscovery Process Flow , the Electronic Discovery Reference Model (EDRM) Cycle , accurate metrics and tracking information related to eDiscovery , eDiscovery collections/methodologies , and best practices to mitigate costs and risk . These objectives support a deliberate strategy that identifies the right custodians and data sources early, rather than collecting indiscriminately. Conducting early case assessment (ECA) allows the organization to narrow scope, focus collection, preserve relevant metadata, and reduce unnecessary burden during later review and production. That is especially important where data spans multiple servers and databases and includes records, emails, and documents. This approach aligns well with CHFI's emphasis on legal and IT coordination in eDiscovery. Option A is incorrect because overlooking metadata preservation can damage evidentiary value. Option B does not remove the organization's obligation to remain compliant. Option D may help with governance generally, but it is not the immediate comprehensive litigation response described here. Therefore, ECA- focused targeted collection is the best EDRM-aligned strategy.