Maya Patel from SecureHorizon Consulting is investigating a breach at Dallas General Hospital in Texas after a nurse misplaced a smartphone containing patient management software. Although the device remained active on the network, administrators had no way to identify its physical whereabouts, delaying incident response and allowing sensitive medical records to be exposed for hours. Which mobile security guideline would have most directly reduced the impact of this incident?
Correct Answer: D
The most direct guideline is D. Register devices with a remote locate and wipe facility because the incident's core impact came from two factors: loss of physical control of the device and continued exposure of sensitive records while the device remained active. A remote locate-and-wipe capability (commonly delivered through Mobile Device Management (MDM) / Enterprise Mobility Management (EMM) platforms) addresses both problems immediately: it enables administrators to identify the device's last known location (or trigger location reporting) and, critically, to remotely lock or wipe the device to prevent ongoing unauthorized access to patient data.
In healthcare environments handling regulated data, the priority during a lost-device event is rapid containment. Even if device tracking alone can help find the phone, it does not guarantee that sensitive information stops being accessed during the search. Remote wipe (often paired with remote lock, enforced encryption, and policy-based access control) reduces exposure time by allowing responders to remove protected data and invalidate application access. This is particularly important when the device is still connected to the network, because an attacker (or unauthorized holder) could continue using cached sessions, stored tokens, or locally available records until access is cut off.
Why the other options are less direct: A (anti-virus/DLP) may help detect malware or control data movement, but it does not solve the immediate lost-device containment requirement. B (VPN on public Wi-Fi) is unrelated because the problem is physical loss and inability to control the endpoint. C (install tracking software) helps locate the device, but the scenario highlights that sensitive records were exposed for hours; the most direct impact reduction is achieved when the organization can both locate and wipe/lock the device through an enrolled, centrally managed capability.
Therefore, enrolling devices in a remote locate and wipe facility would have most directly reduced the breach impact.
312-50v13 Exam Question 177
A security researcher reviewing an organization's website source code finds references to Amazon S3 file locations. What is the most effective way to identify additional publicly accessible S3 bucket URLs used by the target?
Correct Answer: B
OSINT-based reconnaissance includes using search engines to identify publicly exposed cloud assets. CEH highlights Google dorking as a passive method to reveal S3 buckets indexed in search engines through patterns such as site:s3.amazonaws.com or keyword-based queries.
312-50v13 Exam Question 178
In the financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by TrustBank, a regional U.S. bank, to evaluate their online loan application portal. During testing, Raj submits crafted input into the portal's form fields and notices that the server's HTTP responses are unexpectedly altered. His payloads cause additional headers to appear and even inject unintended content into the output, creating opportunities for attackers to manipulate web page behavior and deliver malicious data to users. Which type of vulnerability is Raj most likely exploiting in TrustBank's online loan application portal?
Correct Answer: A
The described behavior strongly matches HTTP Response Splitting. This vulnerability occurs when an application includes unsanitized user input in HTTP response headers. By injecting carriage return and line feed characters (CRLF), an attacker can "split" the server's response into multiple parts, causing additional headers to appear or injecting unintended body content. The scenario explicitly says Raj's payloads cause "additional headers to appear" and "inject unintended content into the output," which is the classic outcome of response splitting.
Why this matters: response splitting can enable attacks such as web cache poisoning, cookie manipulation, redirection, and cross-site scripting-like impacts through header/body injection. For example, if an attacker can inject a Set-Cookie header, they may set or overwrite cookies in the victim's browser. If they can inject a Location header, they may force redirects. If they inject content into the body, they may deliver malicious scripts or alter page behavior, especially when combined with caching intermediaries. The vulnerability typically arises in features that reflect user input into headers such as Location, Set-Cookie, Content-Disposition, or custom headers.
The other options do not match the symptoms: XML Poisoning (B) and XXE (C) relate to XML parsing and entity resolution; they do not directly cause added HTTP headers in responses. SSRF (D) involves forcing the server to make outbound requests to internal/external resources; it may expose data but does not primarily manifest as injected response headers and altered response structure. Therefore, Raj is most likely exploiting A. HTTP Response Splitting.
312-50v13 Exam Question 179
A penetration tester is assessing a company's vulnerability to advanced social engineering attacks targeting its legal department. Using detailed knowledge of mergers and legal proceedings, the tester crafts a highly credible pretext to deceive legal employees into sharing confidential case documents. What is the most effective technique?
Correct Answer: A
CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.
312-50v13 Exam Question 180
You are an ethical hacker at Northpoint Assessments, engaged to map the wireless footprint around Harborview Plaza in San Francisco, California. To enumerate nearby networks and prompt devices to reveal SSIDs and capabilities, you actively send crafted management frames from your laptop and log each AP's immediate responses (including probe responses and capability information), rather than only listening for broadcasts. Based on the described activity, which Wi-Fi discovery technique are you performing?
Correct Answer: D
The activity described is active footprinting because you are not merely listening for wireless broadcasts; you are transmitting crafted 802.11 management frames to elicit responses and gather information. In Wi-Fi reconnaissance, passive methods rely on monitoring beacon frames and other naturally occurring traffic. Active methods, by contrast, deliberately interact with the environment (often by sending probe requests or other management frames) to prompt access points or client devices to respond with details such as SSID, supported data rates, security capabilities, and other parameters.
The scenario explicitly states you "actively send crafted management frames" and then log "immediate responses (including probe responses and capability information)." That is the defining difference between active and passive wireless footprinting. Active footprinting can reveal SSIDs that may not be visible through beacons alone (for example, networks that do not broadcast SSID in beacons may still respond under certain conditions), and it can speed discovery by forcing responses rather than waiting for periodic broadcasts or client activity.
Why the other options are less accurate: Passive footprinting (B) contradicts the scenario because passive recon involves no transmissions from the auditor's device. Wash command (C) refers to a specific tool/command typically associated with WPS enumeration workflows, not the general technique classification being asked here. Network discovery software (A) is too generic; the question is asking for the technique (active vs passive), and the described behavior is clearly active. Therefore, the correct answer is D. Active Footprinting.