CHFI 312-49v11 Dumps PDF

Option D. GLBA is the correct answer. The Gramm-Leach-Bliley Act (GLBA) is the U.S. law enacted in 1999 that requires financial institutions to explain their information-sharing practices and protect sensitive customer data through safeguards. That description matches the scenario exactly. Within CHFI v11, legal awareness is a core competency: the blueprint includes legal issues, privacy issues and legal compliance , other laws that may influence computer forensics , and rules tied to the admissibility and handling of digital evidence.

The other options do not fit the facts. GDPR is a European data protection regulation, not a 1999 U.S. financial law. HIPAA governs protected health information in the healthcare sector. PCI DSS is an industry security standard for payment card data, not a law enacted in 1999 requiring disclosure of information-sharing practices. Because the company is a financial institution and the question highlights both privacy notice and safeguarding customer information , GLBA is the only answer that fully matches the scenario.

From a CHFI perspective, recognizing applicable legal frameworks is important because investigators and compliance personnel must understand which laws govern digital evidence, privacy obligations, and organizational handling of sensitive information.

Option A is the best answer because CHFI v11 explicitly includes Rules of Evidence , Best Practices for Handling Digital Evidence , Seeking Consent , Obtaining a Warrant for Search and Seizure , Legal Issues, Privacy Issues and Legal Compliance , and the Role of Local/International Agencies during Cybercrime Investigation . When a server is shared with another company , privacy and ownership concerns become especially important, and the initial step should be to consult the appropriate legal and organizational stakeholders before taking action.

Immediately seizing the server or ignoring privacy implications could violate legal boundaries and compromise admissibility. Avoiding the server entirely may also be inappropriate if it contains critical evidence. Likewise, jumping straight to a warrant may not be the most suitable first move until counsel and management clarify ownership, scope, privacy exposure, and the least intrusive legally defensible path.

Therefore, the strongest CHFI-aligned initial approach is to consult legal experts and company management to determine the correct lawful path forward before attempting access or seizure. That protects privacy rights, preserves admissibility, and aligns the investigation with proper search-and-seizure procedure.

Option D is the best answer because the computer was seized while the Tor Browser was actively open , meaning the most valuable evidence may still exist in volatile memory . In CHFI methodology, when a live system contains potentially crucial active-session evidence, investigators should follow the order of volatility and collect the most easily lost evidence first. A memory dump may preserve active browser session data, in-memory artifacts, decrypted content, process information, network connections, and traces of recently accessed dark web activity that might never be written clearly to disk.

Shutting down or unplugging the machine would destroy this volatile evidence immediately. Restarting into safe mode would also alter or erase the active session context. Hard drive analysis remains important later, but it would not capture the full live state of the Tor session as effectively as RAM collection.

Because the goal is to obtain as much information as possible from the active session , the strongest CHFI-aligned answer is to leave the system running and collect a memory dump first before taking further acquisition steps.

Option C is the correct answer because modern Windows Sticky Notes data is stored in a SQLite database named plum.sqlite within the application’s package-specific LocalState path under the user profile. CHFI v11 supports this type of analysis by explicitly including Windows and Linux forensics using Python , SQLite Database Extraction , Windows File Analysis , and examination of Windows artifacts as part of operating system forensics and Python-based digital forensics.

The question specifically mentions using Python to extract application data, which aligns neatly with CHFI’s objective of using Python in digital forensics and with analyzing application-stored databases. Since Sticky Notes persists user note content in a SQLite file rather than in System32, Program Files, or a generic Documents folder, the package-local path is the most accurate location.

The other options are not consistent with how modern Windows Store-style applications usually store their per-user state. Therefore, for CHFI-style Windows artifact analysis and SQLite extraction, the correct path is the user’s Packages...\LocalState\plum.sqlite location.