CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a "zombie host," which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures.
CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker's IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation, making it the most appropriate method for stealth port enumeration.

The best answer is BPDU Guard on edge ports. CEH network defense material explains that BPDU Guard is used on access or edge ports where end-user devices are expected, not switches. If a device connected to such a port begins sending Bridge Protocol Data Units, the switch treats that as an abnormal condition and can shut the port down or place it in an error-disabled state. This prevents unauthorized or misconfigured devices from participating in spanning-tree and influencing root bridge election or topology decisions. That matches the scenario, where a newly connected device introduced a more favorable bridge priority and triggered spanning- tree recalculations. Root Guard is also related to protecting spanning-tree hierarchy, but it is typically applied where you want to prevent a downstream switch from becoming root while still allowing BPDU participation under controlled conditions. CEH exam framing usually expects BPDU Guard when the threat originates from an end-host-facing access port in a conference room or office edge location. Because the goal is to stop unauthorized edge-connected devices from affecting spanning-tree at all, enabling BPDU Guard on edge ports is the most appropriate control.

The correct answer is HTTP Server Core because the scenario describes the primary module of a web server that processes incoming requests and coordinates with additional modules responsible for encryption, URL rewriting, and authentication. In CEH-aligned web server architecture concepts, the core HTTP engine is responsible for handling client requests, managing connections, parsing HTTP headers, and passing requests to the appropriate modules for further processing.
Modern web servers such as Apache HTTP Server or Nginx operate using a modular architecture. The core component manages the fundamental HTTP protocol operations, while optional or loadable modules extend functionality. For example, SSL or TLS modules handle encryption, rewrite modules manage URL manipulation, and authentication modules enforce access controls. The description in the question clearly aligns with this architecture, where a central processing unit works in conjunction with supporting modules.
The other options do not fit. The Document Root refers only to the directory location from which web content is served. A Virtual Document Tree relates to how URLs are logically mapped to file paths. An Application Server is a separate server component that processes business logic, often interacting with backend systems, rather than directly managing HTTP request parsing at the core level.
Therefore, Jake is analyzing the HTTP Server Core, which is responsible for handling incoming requests and integrating modular security and performance features within the web server environment.

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.
Option C precisely matches CEH's definition.
Option A is pretexting.
Option B is baiting.
Option D is phishing.
CEH stresses physical security awareness as critical as cyber defenses.

The correct answer is B. Known-plaintext attack because the scenario explicitly provides paired samples of plaintext and ciphertext for the same underlying data. In a known-plaintext attack, the analyst possesses one or more examples where the original message (plaintext) is known and the corresponding encrypted output (ciphertext) is also available. These pairs can be used to analyze the cipher's behavior, validate hypotheses about modes/parameters, and-depending on the algorithm, implementation weaknesses, and key management-attempt to recover the encryption key or decrypt other ciphertexts encrypted under the same key.
Here, Evelyn has "original template records (standard headers and form fields)" and their "encrypted counterparts" in the stolen backup set. Medical record formats commonly contain predictable structures (fixed headers, repeated field names, standardized forms), which increases the likelihood of having accurate known plaintext segments. With enough known plaintext/ciphertext pairs, an attacker may identify patterns caused by weak encryption choices, reused keys, reused IVs/nonces, insecure modes (e.g., ECB revealing structure), or flawed custom crypto. Even when strong algorithms are used, known-plaintext material can still be valuable for confirming the encryption scheme and detecting implementation errors.
Why the other options are not correct: Ciphertext-only assumes the attacker has only encrypted data and no plaintext examples-contradicted by the templates. Chosen-plaintext requires the ability to submit arbitrary plaintexts to an encryption oracle and receive ciphertexts, which the scenario does not indicate. Chosen- ciphertext requires the ability to submit ciphertexts to a decryption oracle and observe outputs, also not described.
Because Evelyn has real, matching plaintext-ciphertext pairs from the same dataset, the most appropriate cryptanalytic approach is a known-plaintext attack.