Last Attempt 312-49v11 Questions

Option A. Sawmill is the best answer because the scenario specifically requires a tool for parsing large volumes of IIS logs , identifying suspicious patterns, and generating detailed reports to support timeline reconstruction. In CHFI-style web-server investigations, examiners are expected to use specialized log-analysis tools to process IIS and Apache logs efficiently rather than relying only on manual review.

Sawmill is well suited to this type of work because it is designed for log analysis and reporting across web-server environments. That makes it the most appropriate choice among the listed options. DSInternals PowerShell is more associated with Active Directory and internal Windows directory analysis, not IIS log parsing. Hunchly is more focused on web capture and investigation support, not enterprise IIS log analytics. Jalheon is not the strongest fit for the specific requirements described.

Because the question emphasizes efficient parsing , anomaly detection , and report generation for IIS logs, the most accurate CHFI-aligned answer is Sawmill . It best supports structured web log analysis during breach investigations.

Option D. GOST R 50739-95 (2 passes) is the best answer because the question specifically describes a sanitization method that writes zeros on the first pass and random bytes on the second pass . Among the listed choices, that pattern matches the 2-pass GOST method . CHFI v11 includes sanitize the target media under rules and procedures related to evidence handling, showing that candidates are expected to understand how media sanitization supports secure handling of sensitive storage devices and prevents residual data exposure.

This question is focused on the operational detail of a wiping standard. The other options involve more passes and therefore do not match the exact requirement stated. NAVSO P-5239-26 (MFM) and NAVSO P-5239-26 (RLL) are 3-pass methods, while VSITR is a 7-pass method. Since the scenario emphasizes first zeros, then random bytes , and wants the correct standard associated with that sequence, GOST R 50739-95 is the only option that fits.

From a CHFI perspective, sanitization matters because investigators and security teams must know how to prepare or dispose of media securely while protecting evidence integrity and sensitive data.

Option D. The inode table is the correct answer because, in Linux file systems such as ext2, file metadata including timestamps, permissions, ownership, and file size is stored in the file’s inode , not in the file’s content blocks. CHFI v11 explicitly includes Windows, Linux, and macOS File Systems , Linux File System Analysis Tools , and File System Analysis using The Sleuth Kit (TSK) , showing that exam candidates are expected to understand file-system structures and where key forensic metadata resides.

The data blocks contain file content, while the superblock stores overall file-system-level information such as layout and status. The dentry cache is a kernel memory structure related to name lookups and is not the primary persistent source for file metadata in this context. For detailed per-file forensic metadata, the examiner must look at the inode information.

Therefore, when Emily wants the most critical metadata about a specific ext2 file, the best source is the inode table , because that is where the file’s core descriptive attributes are maintained.

Option C is correct because malware that executes solely in memory without leaving a conventional file on disk is characteristic of fileless malware . CHFI v11 includes Malware Analysis: Static and Dynamic , memory analysis , and the use of controlled labs to inspect malware behavior, all of which are especially important when dealing with threats that avoid leaving traditional disk artifacts.

Fileless malware is challenging because many traditional security and forensic techniques rely on file-based indicators such as suspicious executables, hashes, or disk-resident payloads. When the malware lives primarily in memory, investigators must rely more heavily on live response, memory dumps, process analysis, and volatile artifact examination . That makes detection and reconstruction more difficult, especially after the system is shut down.

Option A may describe a separate evasion method, but it does not directly explain the lack of disk artifacts. Option B concerns propagation, not stealth in memory. Option D could be a later stage in some infections, but the core challenge described here is the absence of a file-based payload. Therefore, the best CHFI-aligned answer is that this is fileless malware , which is harder to detect and analyze because it executes in memory.