A cybersecurity firm has recently discovered a new strain of ransomware circulating on the internet, posing a significant threat to organizations worldwide. This ransomware is highly sophisticated and capable of evading traditional antivirus software. To effectively combat this threat, the cybersecurity firm decides to utilize a malware sandbox for detailed analysis. Given the scenario described, what would be the primary objective of using a malware sandbox in this situation?
Correct Answer: A
Option A is the best answer because CHFI v11 explicitly includes "Perform Static and Dynamic Malware Analysis in a Sandboxed Environment," "Malware Analysis: Static and Dynamic," and the "Prominence of Setting up a Controlled Malware Analysis Lab." These objectives show that the purpose of a sandbox is to let investigators safely run malware and observe what it does without putting production systems at risk. A ransomware sample that evades traditional antivirus must be studied through controlled execution so analysts can identify file-encryption behavior, persistence mechanisms, dropped files, registry changes, process activity, and network communications. That is exactly what a malware sandbox is built for. It provides containment while allowing the forensic team to gather behavioral indicators and build defensive countermeasures. Option B is unsafe and contrary to forensic practice. Option C misunderstands the purpose of sandboxing, and D refers to remediation rather than analysis. Therefore, under CHFI's malware-forensics objectives, the primary objective of using a malware sandbox is to execute and observe the ransomware in a controlled environment so its behavior can be understood and documented.
312-49v11 Exam Question 32
Henry, a forensic investigator, has been assigned to analyze a cyber-attack that occurred on a web application hosted on an Apache server running on an Ubuntu system. The attacker is suspected of exploiting vulnerabilities within the application, and Henry needs to examine the server ' s logs to identify any suspicious activities. As part of the investigation, Henry begins by navigating to the log file storage locations to analyze the Apache access logs and error logs. These logs are crucial for understanding the nature of the attack, identifying the source IPs, the exact times of the attack, and the type of attack executed. Henry needs to locate the configuration file for Apache on Ubuntu to find where the log files are stored. In which of the following storage locations on an Ubuntu machine can Henry find useful information regarding the log files for Apache?
Correct Answer: D
According to the CHFI v11 Web Application and Linux Forensics objectives , understanding default web server configurations and log locations is essential for investigating web-based attacks. On Ubuntu systems , the Apache web server package is typically installed as apache2 , and its primary configuration file is located at /etc/apache2/apache2.conf . This configuration file plays a central role in Apache forensics because it defines or references critical settings, including log file locations , logging formats, enabled modules, virtual host configurations, and included configuration directories (such as sites-enabled and conf-enabled). The actual access and error logs are usually stored in /var/log/apache2/access.log and /var/log/apache2/error.log , but the paths to these logs are defined or confirmed through the apache2.conf file and its included configuration files. The other options are incorrect in the context of Ubuntu. Paths such as /etc/httpd/conf/httpd.conf and /var /log/httpd/ are associated with Red Hat-based distributions like CentOS and RHEL, not Ubuntu. The path /usr/local/etc/apache22/httpd.conf is typically seen in BSD-based systems or custom Apache installations, not default Ubuntu deployments. CHFI v11 emphasizes correlating Apache configuration files with access and error logs to accurately analyze attack vectors, timestamps, and source IP addresses during web application forensic investigations. Therefore, the correct and CHFI-verified answer is /etc/apache2/apache2.conf (Option D) .
312-49v11 Exam Question 33
Theodore, a forensic expert, was tasked with investigating a cybercrime involving a Windows operating system running on NTFS. In the course of the investigation, he accessed and analyzed several metadata files stored in the root directory of the file system. These metadata files maintain records for every file stored on the system, including information such as file names, sizes, timestamps, and location on disk. While examining these files, Theodore was able to discover crucial data that helped track malicious events linked to the cybercrime. Which of the following system files did Theodore access to retrieve these records?
Correct Answer: D
This question directly maps to CHFI v11 objectives under Operating System Forensics , specifically NTFS file system analysis and metadata examination . In NTFS, the Master File Table (MFT) is the core metadata file that contains a record for every file and directory on the volume. CHFI v11 emphasizes that the $MFT is one of the most critical artifacts in Windows forensics because it stores essential attributes such as file names, file sizes, creation/modification/access timestamps, permissions, and the physical location of file data on disk. Each file on an NTFS volume has at least one corresponding MFT entry, making $MFT invaluable for reconstructing user activity, detecting deleted files, and correlating timelines during cybercrime investigations. Investigators often analyze the $MFT to uncover evidence of malicious file creation, modification, execution, or deletion-even when files have been removed from the file system view. The other options serve different purposes: $LogFile tracks transactional changes, $MFTMirr holds a backup of part of the MFT, and $Volume stores volume-level information. Therefore, consistent with CHFI v11 NTFS forensic principles, the file Theodore accessed is $MFT .
312-49v11 Exam Question 34
A forensic investigator is assigned to investigate a data leak involving the distribution of sensitive corporate information across multiple online platforms. The suspect is believed to have shared the data discreetly through various public channels. To uncover evidence, the investigator needs to collect posts, photos, videos, and user interactions from multiple networks. The investigator requires a tool that can efficiently gather, organize, and analyze this data, ensuring the integrity of the evidence for further investigation. Which tool would be best suited for this task?
Correct Answer: C
This scenario aligns with CHFI v11 objectives under Network and Web Attacks and Social Media Forensics , where investigators are required to collect and analyze digital evidence from online platforms while preserving evidentiary integrity. When sensitive data is leaked through public or semi-public online channels, social media and online network artifacts such as posts, multimedia content, comments, likes, and user relationships become critical sources of evidence. Social Network Harvester is specifically designed for social media and online platform investigations. It allows forensic investigators to systematically collect data such as posts, images, videos, timestamps, usernames, and interaction metadata from multiple social networks. CHFI v11 emphasizes the importance of using purpose-built tools that support structured collection, proper documentation, and evidence preservation to maintain chain of custody and admissibility. LiME is a volatile memory acquisition tool, Elastic Stack is primarily used for log aggregation and analysis, and Guymager is a forensic disk imaging tool. None of these are suitable for harvesting social media content. Therefore, Social Network Harvester is the most appropriate CHFI-aligned tool for efficiently gathering, organizing, and analyzing social network evidence in data leakage investigations.
312-49v11 Exam Question 35
A suspected cyber-criminal was captured, and his computer was seized while he was online. The investigators found that the Tor Browser was open, and some dark websites were visited. They want to obtain as much information as possible from this active session. The investigator needs to decide between collecting a memory dump or powering down the machine for hard drive analysis. Which option would provide the most information in this situation?
Correct Answer: D
Option D is the best answer because the computer was seized while the Tor Browser was actively open , meaning the most valuable evidence may still exist in volatile memory . In CHFI methodology, when a live system contains potentially crucial active-session evidence, investigators should follow the order of volatility and collect the most easily lost evidence first. A memory dump may preserve active browser session data, in- memory artifacts, decrypted content, process information, network connections, and traces of recently accessed dark web activity that might never be written clearly to disk. Shutting down or unplugging the machine would destroy this volatile evidence immediately. Restarting into safe mode would also alter or erase the active session context. Hard drive analysis remains important later, but it would not capture the full live state of the Tor session as effectively as RAM collection. Because the goal is to obtain as much information as possible from the active session , the strongest CHFI- aligned answer is to leave the system running and collect a memory dump first before taking further acquisition steps.