312-49v11 Exam Dumps : Computer Hacking Forensic Investigator (CHFIv11)

Option A is the correct answer because the task is specifically to create a new Windows service , and the add command is the one that performs service creation. CHFI v11 covers system behavior analysis , including services , startup programs , and how malicious or legitimate executables can be configured to run automatically within Windows.

In this context, the investigator or administrator needs the command that defines the service name, display name, startup characteristics, and related options for deployment. That is exactly what the srvman.exe add syntax is intended to do. By contrast, delete removes a service, stop halts a running service, and run executes or launches an existing service-related action rather than creating a new service entry.

Because the question asks which command should be used to create the service on the system, the only matching choice is the add command. Therefore, the strongest CHFI-aligned answer is A , since it reflects the correct service-creation operation.

Option D. GOST R 50739-95 (2 passes) is the best answer because the question specifically describes a sanitization method that writes zeros on the first pass and random bytes on the second pass . Among the listed choices, that pattern matches the 2-pass GOST method . CHFI v11 includes sanitize the target media under rules and procedures related to evidence handling, showing that candidates are expected to understand how media sanitization supports secure handling of sensitive storage devices and prevents residual data exposure.

This question is focused on the operational detail of a wiping standard. The other options involve more passes and therefore do not match the exact requirement stated. NAVSO P-5239-26 (MFM) and NAVSO P-5239-26 (RLL) are 3-pass methods, while VSITR is a 7-pass method. Since the scenario emphasizes first zeros, then random bytes , and wants the correct standard associated with that sequence, GOST R 50739-95 is the only option that fits.

From a CHFI perspective, sanitization matters because investigators and security teams must know how to prepare or dispose of media securely while protecting evidence integrity and sensitive data.

This scenario directly aligns with CHFI v11 objectives under Data Acquisition and Duplication and Digital Forensic Imaging and Recovery Tools . In large-scale enterprise investigations—especially within financial institutions—CHFI v11 emphasizes the importance of tools that support full disk imaging, rapid system recovery, and granular restoration to ensure both forensic analysis and business continuity.

Macrium Reflect Server is specifically designed for server environments and supports full image-level backups, differential and incremental imaging, and selective file and folder recovery from forensic images. This allows investigators to restore entire systems to operational status quickly while simultaneously extracting specific files, logs, or configuration data needed to assess breach impact and verify data integrity. Importantly, Macrium Reflect supports both physical and virtual systems, making it suitable for complex enterprise infrastructures.

Snagit and Ezvid are multimedia screen-recording tools with no forensic or recovery capability, while VMware vSphere Hypervisor is a virtualization platform rather than a forensic imaging or recovery solution. CHFI v11 stresses that appropriate tool selection is critical to preserving evidence integrity while minimizing operational downtime. Therefore, Macrium Reflect Server is the most suitable and CHFI-aligned tool for rapid, reliable, and forensically sound system and data recovery in this scenario.