The described content matches the Assessment Overview section because it focuses on how the vulnerability assessment was executed rather than what was found. An assessment report typically includes a part that explains the methodology and approach used to perform scanning so stakeholders can understand the process, validate coverage, and interpret results correctly. In this scenario, Nikhil is documenting the scanning methodology, target information, type and scope of scans, and the tools used. These elements provide context and transparency about the assessment process, assumptions, and boundaries-exactly what an overview is meant to capture.
This section is also intentionally not listing specific vulnerabilities or affected assets, which further confirms it is not the Findings section. Findings is where the report enumerates discovered vulnerabilities, affected systems, evidence, severity, and recommendations. Similarly, it is not the Risk Assessment section because that portion generally interprets the findings to determine likelihood and impact, prioritizes risks, and may map issues to business impact or compliance requirements. Since Nikhil is only describing the scanning approach and scope, risk analysis is premature and out of place.
Why not Supporting Information? Supporting information usually contains appendices or reference material that supplements the core report-such as raw scan outputs, detailed configuration data, asset inventories, screenshots, logs, tool configurations, or glossary/definitions. While tool names and technical details can appear there, the narrative about methodology, targets, scope, and scan types is more appropriately part of the main body's overview so readers understand the assessment context before reviewing results.
Therefore, the section Nikhil is working on is C. Assessment Overview, which establishes the assessment context and explains the scanning approach prior to presenting findings and risk conclusions.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies "Insecure Data Storage" as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

In the CEH SQL injection methodology, the initial stages focus on understanding where and how user- controlled input enters the application and reaches backend components such as database queries. The activity described is reconnaissance and mapping of input vectors: Rachel is observing the shipment search function, watching HTTP GET parameters, and determining whether those parameters are processed in a way that could influence SQL logic. This directly corresponds to the phase commonly described as identifying data entry paths, where the tester locates all possible points of injection such as URL query strings, form fields, cookies, HTTP headers, and API parameters.
At this stage, the ethical hacker is not yet executing payloads to exploit the database. Instead, they are profiling the request structure, parameter names, values, and server responses to understand how the application behaves when supplied with different inputs. CEH guidance emphasizes that effective SQL injection testing begins by enumerating input sources and determining which of them appear to be reflected in server-side operations. Monitoring HTTP GET requests is a typical technique because query string parameters often map to backend search queries, filters, or record lookups, making them frequent injection candidates if server-side validation and query construction are weak.
The other options occur later. Launching SQL injection attacks involves actively injecting test characters and payloads to confirm injection. Database enumeration happens after a vulnerability is confirmed, to extract schema information and data. Advanced SQL injection refers to more specialized techniques such as out-of- band, time-based blind, or WAF evasion. Since the task here is identifying and assessing potential injection points, the correct step is identifying data entry paths.

The CEH IoT and APT Threat modules describe APT groups as highly skilled adversaries that favor stealth, persistence, and advanced exploitation techniques. IoT environments are particularly attractive due to:
Limited monitoring
Infrequent firmware updates
Weak or proprietary security mechanisms
CEH highlights that APT actors often exploit zero-day vulnerabilities in firmware to gain long-term, covert access to IoT systems. Firmware-level exploitation allows attackers to maintain persistence while evading traditional security controls.
Option C is correct.
Option A is noisy and short-term.
Option B is common but less sophisticated for APTs.
Option D is possible but secondary compared to firmware exploitation.
CEH emphasizes firmware security as a critical concern in IoT deployments.