Computer Hacking Forensic Investigator (CHFIv11) Online Practice
Last updated: February 14, 2026
You can work through these online practice questions to gauge how well you know the EC-Council 312-49v11 exam content before deciding whether to register for the exam.
If you want to pass the exam with a 100% rate and cut your preparation time by 35%, choose the 312-49v11 dumps (the latest real exam questions), which currently contain 150 up-to-date exam questions and answers.
Answer:
Explanation:
This question aligns directly with CHFI v11 objectives under Computer Forensics Fundamentals and Log Analysis. Log files are among the most critical forensic artifacts because they provide a chronological and authoritative record of system, security, and application events. CHFI v11 emphasizes that logs are essential for reconstructing attack timelines, identifying unauthorized access attempts, and determining the scope of a compromise.
Artifacts such as failed sign-in attempts, security policy modifications, IDS alerts, and application errors are routinely recorded in log sources including Windows Security logs, system logs, application logs, firewall logs, and IDS/IPS logs. These logs allow investigators to correlate events across systems, identify brute-force attacks, detect privilege escalation, and recognize abnormal behavior caused by malware or misconfiguration.
Cryptographic artifacts focus on key usage and encryption operations, browser artifacts relate to user web activity, and process or memory artifacts provide insight into live execution states, but none provide the comprehensive, event-based historical visibility required to answer all aspects of the question. CHFI v11 highlights log analysis as the primary method for understanding what happened, when it happened, how it happened, and who was involved. Therefore, log file anomalies are the most relevant and reliable forensic artifacts in this scenario.
Answer:
Explanation:
This scenario aligns with CHFI v11 objectives under Anti-Forensics Techniques, specifically data destruction and data wiping methods. The key indicator in the question is that all addressable locations on the storage device have been replaced with arbitrary characters, rendering the original data permanently unrecoverable, even with advanced forensic tools. CHFI v11 explains that this outcome is characteristic of intentional data overwriting, where original data is substituted with meaningless or random values to destroy evidentiary content.
This technique is commonly referred to as data wiping or data substitution, an anti-forensic method designed to defeat file recovery, carving, and residual data analysis. By overwriting every sector of the disk with irrelevant data patterns, the attacker ensures that neither file system metadata nor raw disk analysis can reconstruct the original files.
Encryption (Option A) renders data unreadable but does not destroy it. Magnetic degaussing (Option B) affects magnetic media but does not result in structured arbitrary characters across all addressable locations as described. Physical destruction (Option C) would damage hardware rather than systematically overwrite data. Therefore, consistent with CHFI v11 classifications, the attacker employed data substitution through overwriting, making Option D the correct answer.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Data Acquisition and Duplication, specifically media preparation and data sanitization standards. Before using any storage media for forensic acquisition, investigators must ensure that it does not contain residual data that could contaminate evidence or cause data leakage. CHFI v11 stresses that data sanitization is mandatory prior to acquisition to maintain confidentiality, integrity, and forensic soundness.
According to standards such as NIST SP 800-88, DoD, NAVSO, and VSITR, simply formatting a disk is insufficient because formatting only removes file system references while leaving underlying data intact and potentially recoverable. Recycling media without sanitization poses severe security risks, and ignoring sanitization violates forensic and legal best practices.
Overwriting the target media, also known as data wiping, is a recognized and approved sanitization method. It replaces existing data with predefined patterns (e.g., zeros, ones, or random data), ensuring previous information cannot be recovered. CHFI v11 highlights overwriting as a logical sanitization technique suitable when physical destruction is not required.
Therefore, consistent with CHFI v11 and industry standards, overwriting the data on the target media is the crucial step to ensure data security before forensic data acquisition.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Operating System Forensics, specifically Windows boot process analysis and persistence mechanisms used by malware. Modern Windows operating systems use the Boot Configuration Data (BCD) store to manage boot-time settings and startup entries. Malware and advanced Trojans may modify the BCD to establish persistence by inserting malicious boot entries or altering existing ones so that malicious code executes early in the boot process.
The bcdedit command-line utility is the primary Windows tool used to view, create, modify, and delete BCD entries. CHFI v11 highlights bcdedit as a critical forensic command for examining boot manager configurations, identifying unauthorized boot loaders, and detecting suspicious startup modifications indicative of rootkits or boot-level Trojans.
The other options are less suitable: bootrec is primarily used for repairing boot records, bootcfg applies to legacy systems using boot.ini, and msconfig is a GUI-based utility that does not provide full visibility into BCD boot entries. Therefore, consistent with CHFI v11 forensic best practices for detecting startup-based persistence, bcdedit is the correct command to inspect all boot manager entries for potential Trojan activity.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Operating System Forensics, specifically Windows Security Event Log analysis and object access auditing. In Windows systems, Event ID 4663 is generated when an attempt is made to access an object (such as a file, folder, registry key, or other securable object) and detailed auditing is enabled. CHFI v11 emphasizes the importance of this event in identifying unauthorized or suspicious access attempts to sensitive system resources.
Event ID 4663 provides granular information about the type of access requested, such as read, write, modify, delete, or permission changes. This makes it particularly valuable in forensic investigations, as it allows investigators to determine whether a user or process attempted to modify critical system objects, which is often indicative of malicious activity, privilege abuse, or insider threats.
While deletion events are logged separately (e.g., Event ID 4660), and general logon activity is captured by different event IDs (such as 4624), Event ID 4663 focuses specifically on object access attempts.
Option C is partially descriptive but too broad; the defining characteristic of Event ID 4663 is an attempt to open an object with specific access rights, making option A the most precise and CHFI v11-aligned answer.
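To show how the access rights carried by a 4663 record drive triage, here is an added example (my own illustration, not EC-Council or Microsoft code) that decodes the access mask of constructed 4663 records and flags modification attempts against sensitive paths. The key=value layout of the sample events is an assumed flattening of the event message, not the EVTX format; the bit values are the standard Windows file access-mask constants, and the "sensitive" path prefix is an assumption.

```python
import re

# Added example: triage of Windows Security Event ID 4663 records by the
# access requested. The sample events below are constructed; the key=value
# layout is an assumed flattening of the 4663 message, not the raw EVTX format.

# Standard Windows file access-mask bits (subset relevant to triage).
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
    0x20: "Execute", 0x40: "DeleteChild", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Any of these rights on a sensitive object is a modification attempt.
MODIFY_BITS = 0x2 | 0x4 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# Constructed sample: four 4663 events and one 4660 (delete) event.
SAMPLE_EVENTS = """\
EventID=4663 SubjectUserName=alice ObjectName=C:\\Windows\\System32\\drivers\\etc\\hosts AccessMask=0x1 ProcessName=C:\\Windows\\System32\\notepad.exe
EventID=4663 SubjectUserName=svc_backup ObjectName=C:\\Windows\\System32\\drivers\\etc\\hosts AccessMask=0x2 ProcessName=C:\\Users\\Public\\update.exe
EventID=4663 SubjectUserName=bob ObjectName=C:\\Users\\bob\\notes.txt AccessMask=0x10000 ProcessName=C:\\Windows\\explorer.exe
EventID=4660 SubjectUserName=bob ObjectName=C:\\Users\\bob\\notes.txt ProcessName=C:\\Windows\\explorer.exe
EventID=4663 SubjectUserName=carol ObjectName=C:\\Windows\\System32\\config\\SAM AccessMask=0x40000 ProcessName=C:\\Temp\\tool.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def decode_access(mask):
    """Expand an access mask into the names of the rights it requests."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def triage_4663(text, sensitive_prefixes=("C:\\Windows\\System32\\",)):
    """Return one finding per 4663 event that requests modify rights on a sensitive path."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4663":
            continue  # 4660 (object deleted) and other IDs are logged separately
        mask = int(ev.get("AccessMask", "0"), 16)
        obj = ev.get("ObjectName", "")
        if mask & MODIFY_BITS and obj.startswith(sensitive_prefixes):
            findings.append({
                "user": ev.get("SubjectUserName", ""),
                "object": obj,
                "process": ev.get("ProcessName", ""),
                "rights": decode_access(mask),
            })
    return findings


if __name__ == "__main__":
    for f in triage_4663(SAMPLE_EVENTS):
        print(f"{f['user']} requested {f['rights']} on {f['object']} via {f['process']}")
```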
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Computer Forensics Fundamentals and eDiscovery and Digital Evidence Management. CHFI v11 emphasizes that one of the most effective ways to reduce eDiscovery costs and timelines is through early data reduction and intelligent filtering. Organizations increasingly rely on Technology-Assisted Review (TAR), also known as predictive coding, combined with data reduction techniques such as deduplication, de-NISTing, keyword filtering, and relevance scoring.
TAR leverages machine learning algorithms to identify patterns in relevant documents and automatically prioritize or exclude data that is unlikely to be responsive. This significantly reduces the volume of data requiring manual review while maintaining defensibility and compliance with legal and regulatory requirements. CHFI v11 highlights TAR as a best practice for handling large-scale electronic evidence efficiently, especially in litigation and regulatory investigations.
The other options support eDiscovery but do not directly reduce review scope: data retention focuses on lifecycle management, chain of custody ensures evidence integrity, and data mapping identifies data sources. None directly address excluding irrelevant data early in the review process. Therefore, consistent with CHFI v11 eDiscovery best practices, using technology-assisted review (TAR) and data reduction tools is the correct answer.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Cloud Forensics, particularly Google Cloud audit log analysis and authentication event investigation. In Google Cloud Platform (GCP), authentication-related events, such as login attempts, failed authentications, suspicious access behavior, and account lockouts, are handled by the Google Login API service. CHFI v11 emphasizes that when investigators are examining suspected credential compromise or password leaks, they must focus on authentication and identity-related logs rather than general administrative or configuration logs.
The filter protopayload.resource.labels.service="login.googleapis.com" targets audit log entries generated by the login service, which records successful and failed login attempts, abnormal authentication behavior, and security enforcement actions such as temporary account lockouts caused by repeated failed logins. These events are critical indicators when determining whether a password leak resulted in account disabling.
The other options are less suitable: admin.googleapis.com focuses on administrative actions, the activity log name is broad and not specific to authentication failures, and metadata parameter filters do not directly isolate login-related events. Therefore, consistent with CHFI v11 cloud forensic methodology, filtering logs by the login.googleapis.com service is the most effective way to identify whether a password leak caused a user account to be disabled.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Network and Web Attacks, specifically the classification and identification of external threats targeting organizational networks. External attacks originate outside the organization’s trusted boundary and are carried out by threat actors who do not have legitimate internal access. CHFI v11 highlights that recognizing the nature of such attacks is essential for incident detection, response, and forensic investigation.
Distributed Denial of Service (DDoS) attacks are a classic example of external attacks, where attackers overwhelm network resources with massive traffic volumes to disrupt availability. These attacks often originate from botnets distributed across the internet. Phishing attacks are another common external threat, involving deceptive emails or messages designed to trick users into revealing credentials, clicking malicious links, or downloading malware. The scenario described (customers reporting suspicious login attempts and pop-ups) strongly aligns with phishing and externally driven compromise attempts.
Software bugs are internal technical issues, insider threats originate from within the organization, and while ransomware is a type of malware, the option pairing encryption and ransomware is too broad and not explicitly external. Therefore, consistent with CHFI v11 classifications, DDoS attacks and phishing are clear examples of external attacks that pose serious threats to corporate networks.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Operating System Forensics, specifically Windows Registry forensics and binary data analysis. Windows registry hive files (such as SYSTEM, SOFTWARE, SAM, and NTUSER.DAT) are stored in binary format and contain valuable forensic artifacts related to user activity, program execution, persistence mechanisms, and system configuration. CHFI v11 emphasizes that forensic investigators must use tools capable of low-level binary inspection to accurately analyze these files.
Hex Workshop is a professional hex editor designed for detailed examination, interpretation, and manipulation of binary data. It allows investigators to view registry hive files at the hexadecimal level, search for specific byte patterns, validate offsets, and correlate raw binary structures with known registry data formats. This capability is essential when registry files are corrupted, partially deleted, or need manual verification beyond automated tools.
The other options are unsuitable: Camtasia is a screen recording tool, Rufus is used for creating bootable USB drives, and Dundas BI is a business intelligence and data visualization platform. None provide binary-level forensic analysis functionality. Therefore, consistent with CHFI v11 registry and binary forensic analysis practices, Hex Workshop is the most appropriate tool for examining registry files in this scenario.
Answer:
Explanation:
This question aligns directly with CHFI v11 objectives under Dark Web Forensics and Tor Browser Forensics. The Tor Browser is specifically designed to minimize persistent artifacts and anonymize user activity, which makes forensic investigations particularly challenging. CHFI v11 emphasizes that the primary objective in Tor Browser-related investigations is to identify and extract residual artifacts across multiple operational states of the browser.
Investigators must analyze evidence when the Tor Browser is open, closed, and even after uninstallation, because artifacts may exist in different locations depending on the browser’s state. Memory dumps can reveal live artifacts such as email content, session data, credentials, and attachments when the browser is running. Storage analysis can uncover downloaded email attachments, cached files, and remnants left behind after normal usage or uninstallation.
CHFI v11 specifically highlights scenarios involving email forensics with Tor Browser open and closed, memory acquisition, and post-uninstallation analysis as complementary techniques rather than isolated tasks. Focusing on only one browser state would result in incomplete evidence collection. Therefore, the overarching forensic objective is to explore email artifacts and attachments across various Tor Browser states, making option B the correct and CHFI-aligned answer.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Operating System Forensics and Volatile and Non-Volatile Data Analysis, particularly the recovery of artifacts from live memory and system files such as pagefile.sys. Private browsing modes (e.g., InPrivate, Incognito) are designed to minimize persistent artifacts on disk; however, CHFI v11 emphasizes that memory, page files, and swap files often retain remnants of browsing activity, including URLs, session data, cached content, and credentials.
FTK® Imager is a forensically sound tool widely used for live data acquisition, memory capture, and analysis of volatile artifacts. It allows investigators to acquire RAM, pagefile.sys, hiberfil.sys, and other critical system files without altering evidence integrity. CHFI v11 specifically highlights FTK Imager as a preferred tool for collecting and examining live system data and recovering artifacts that are not available through traditional disk-only analysis.
PsLoggedOn is used to identify logged-in users, Exeinfo analyzes executable file formats, and zsteg is a steganography detection tool. None of these are suitable for live memory or pagefile analysis. Therefore, consistent with CHFI v11 forensic best practices, FTK® Imager is the correct tool to recover private browsing artifacts from live Windows systems.
Answer:
Explanation:
This question directly maps to CHFI v11 objectives under Operating System Forensics, specifically NTFS file system analysis and metadata examination. In NTFS, the Master File Table (MFT) is the core metadata file that contains a record for every file and directory on the volume. CHFI v11 emphasizes that the $MFT is one of the most critical artifacts in Windows forensics because it stores essential attributes such as file names, file sizes, creation/modification/access timestamps, permissions, and the physical location of file data on disk.
Each file on an NTFS volume has at least one corresponding MFT entry, making $MFT invaluable for reconstructing user activity, detecting deleted files, and correlating timelines during cybercrime investigations. Investigators often analyze the $MFT to uncover evidence of malicious file creation, modification, execution, or deletion, even when files have been removed from the file system view.
The other options serve different purposes: $LogFile tracks transactional changes, $MFTMirr holds a backup of part of the MFT, and $Volume stores volume-level information. Therefore, consistent with CHFI v11 NTFS forensic principles, the file Theodore accessed is $MFT.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Network and Web Attacks, specifically the role and functionality of Intrusion Detection Systems (IDS) in network security monitoring and incident response. CHFI v11 emphasizes that IDS solutions such as Snort, Juniper IDS, and Check Point are designed not only to monitor and analyze network traffic but also to actively alert security personnel when suspicious or malicious activity is detected.
An IDS continuously inspects packets, sessions, and events against predefined signatures, behavioral models, or anomaly thresholds. When a potential intrusion, policy violation, or attack pattern is identified, the system's primary operational response is to generate real-time alerts. These alerts are delivered through multiple channels (such as email notifications, pager alerts, dashboards, syslog messages, and SNMP traps) to ensure timely awareness and rapid response by security administrators.
While IDS platforms may support reporting, log forwarding, or signature updates, these are secondary or supporting capabilities. The critical value of IDS in a forensic and operational context lies in its ability to promptly notify defenders of threats as they occur or are detected. Therefore, consistent with CHFI v11 IDS principles, the correct answer is vigilantly alerting security administrators via multiple notification channels.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Malware Forensics and Static Malware Analysis of Suspicious Documents. When analyzing potentially malicious Microsoft Office documents, CHFI v11 emphasizes that investigators should always begin with static analysis before attempting any form of execution. This approach minimizes risk and helps identify embedded threats such as VBA macros, OLE objects, exploits, and obfuscation techniques without activating the payload.
The oleid tool (part of the oletools suite) is specifically designed for the initial inspection of OLE-based Microsoft Office documents. It quickly identifies indicators of compromise such as the presence of macros, embedded objects, suspicious file formats, encryption, and known exploit characteristics. CHFI v11 highlights oleid as a safe, non-intrusive first step to triage Office documents and determine whether deeper analysis (e.g., macro extraction or sandbox execution) is warranted.
Opening the document in a sandbox is a dynamic analysis step and should only occur after static indicators confirm malicious intent. The other options are either non-standard or insufficient for detecting embedded macro-based malware. Therefore, consistent with CHFI v11 malware forensics methodology, executing oleid to review suspicious components is the correct initial step.
Answer:
Explanation:
This question aligns with CHFI v11 objectives under Data Acquisition and Duplication, specifically image validation and forensic integrity verification. After acquiring a forensic image, it is a mandatory best practice to verify that the image is an exact bit-for-bit replica of the original evidence source. CHFI v11 stresses that verification protects evidence integrity and supports legal admissibility by proving that no data was altered during acquisition.
The dcfldd tool, an enhanced version of the Unix dd utility, supports forensic features such as hashing, logging, splitting, and image verification. The vf (verify file) parameter in the command
dcfldd if=/dev/sda vf=image.dd
directly compares the original input device (/dev/sda) with the previously created image file (image.dd). This ensures that both sources match exactly, sector by sector.
Option B performs imaging with hashing but does not verify an existing image against the original drive.
Option C simply creates an image without validation, and Option D uses dd with file splitting, which lacks forensic verification features. Therefore, consistent with CHFI v11 acquisition validation standards, Option A is the correct command to verify the forensic image against the original medium.
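To make concrete what a verify pass has to establish, here is an added example (my own Python, not dcfldd's code) that compares a source and an image sector by sector, hashes both in the same pass, and reports the first differing offset, including the case where the image is truncated. The 512-byte block size and the file names are assumptions; the sample "device" is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example: byte-for-byte verification of an acquired image against its
# source, the check that "dcfldd vf=" performs. Illustrative code only; the
# sector size and file names below are assumptions.

BLOCK_SIZE = 512  # compare one sector at a time so a mismatch reports a sector offset


def verify_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Compare source and image sector by sector.

    Returns a dict with:
      match          - True only if every byte and the total length agree
      first_diff     - byte offset of the first differing sector, or None
      source_sha256 / image_sha256 - digests computed during the same pass
      source_size / image_size
    """
    src_hash, img_hash = hashlib.sha256(), hashlib.sha256()
    offset, first_diff = 0, None
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            s, i = src.read(block_size), img.read(block_size)
            if not s and not i:
                break
            src_hash.update(s)
            img_hash.update(i)
            # A short read on one side means the lengths differ: still a mismatch.
            if s != i and first_diff is None:
                first_diff = offset
            offset += block_size
    return {
        "match": first_diff is None,
        "first_diff": first_diff,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "source_size": os.path.getsize(source_path),
        "image_size": os.path.getsize(image_path),
    }


def demo():
    """Constructed sample: a 4-sector 'device', an exact image, a tampered image, a truncated image."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n) for n in ("sda.bin", "image.dd", "tampered.dd", "short.dd")}
        data = bytes(range(256)) * 8                 # 2048 bytes = 4 sectors of 512
        tampered = bytearray(data)
        tampered[1030] ^= 0xFF                       # flip one byte inside sector 2 (offset 1024)
        for name, content in (("sda.bin", data), ("image.dd", data),
                              ("tampered.dd", bytes(tampered)), ("short.dd", data[:1536])):
            with open(paths[name], "wb") as f:
                f.write(content)
        return {name: verify_image(paths["sda.bin"], paths[name])
                for name in ("image.dd", "tampered.dd", "short.dd")}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "verified" if r["match"] else f"mismatch at byte offset {r['first_diff']}")
```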