Online 312-49v11 Questions Video

According to the CHFI v11 Mobile and IoT Forensics domain, the preservation stage is specifically responsible for ensuring that digital evidence remains unaltered, intact, and legally admissible throughout the forensic lifecycle. Preservation begins immediately after evidence is identified and continues until the investigation is concluded and evidence is presented in court.

In IoT investigations, preservation is especially critical because IoT devices—such as smart locks, cameras, sensors, and hubs—often contain volatile data , limited storage, and continuous network connectivity. CHFI v11 emphasizes that investigators must take steps such as isolating devices from networks, disabling remote access, preventing firmware updates, maintaining power states when necessary, and documenting handling procedures to avoid unintentional data modification or loss.

While evidence identification and collection focuses on locating and acquiring devices and data sources, it does not by itself guarantee protection against alteration. Data analysis and presentation/reporting occur later and rely on evidence that has already been preserved correctly. Any failure in preservation can compromise chain of custody and result in evidence being challenged or excluded.

CHFI v11 explicitly states that preservation safeguards evidence integrity before, during, and after collection , making it the foundation of a defensible IoT forensic investigation.

Therefore, the stage that ensures evidence integrity by preventing alteration before collection is Preservation , making Option D the correct and CHFI v11–verified answer.

Option D is the most useful answer because it provides the clearest indication that the activity may be part of a larger security issue rather than just routine login failures or missing-file requests. A mod_security entry showing that a rule was triggered for a possible SQL injection attempt directly suggests malicious web-application attack behavior and points to a broader intrusion pattern.

Option C is useful for confirming failed authentication activity, but by itself it may still reflect simple credential guessing or user error. Option B only shows a missing file request, which could be benign or accidental. Option A is the least suspicious of the choices. By contrast, an application firewall or security module explicitly flagging a possible SQL injection attempt strongly indicates that the server may be under targeted attack and that the failed logins could be part of a coordinated campaign.

From a CHFI perspective, log entries that directly indicate known attack techniques are especially valuable during web-server investigations. Therefore, the Apache log entry most likely to help David determine that the failed attempts were tied to a larger security problem is the mod_security alert for possible SQL injection .

Option B. Hash database lookup is the best answer because the question is specifically about automating the review of a very large number of files and identifying potential evidence more efficiently. CHFI v11 includes hash analysis , identifying suspicious or known files through hashes , and the use of forensic tools to streamline evidence examination across large datasets.

A hash database lookup allows the investigator to compare file hashes against known-good or known-bad sets, quickly filtering out benign system files and highlighting files that are suspicious, altered, or already associated with malicious activity. This is exactly the kind of automation that reduces manual effort in a large-scale file-system analysis.

File carving is useful for recovering deleted content, but it does not primarily automate file triage. File system timeline helps reconstruct activity order, and disk imaging is an acquisition task rather than a feature for rapidly identifying potential evidence. Therefore, under CHFI forensic-analysis principles, the most effective TSK feature for automating identification of relevant evidence is hash database lookup .

According to the CHFI v11 objectives under Malware Forensics and Static Malware Analysis , the correct initial step when analyzing a suspicious document—such as a potentially malicious PDF—is to perform static analysis before any execution . Running the tool PDFiD using the command python pdfid.py infected.pdf is a standard and CHFI-aligned first action. PDFiD is designed to quickly scan a PDF file and identify suspicious elements such as /JavaScript, /OpenAction, /Launch, /EmbeddedFile, and /AA, which are commonly abused by attackers to deliver malware through PDF documents.

This approach is non-intrusive and ensures the investigator does not accidentally trigger malicious code, thereby preserving evidence integrity and maintaining forensic soundness. Opening the file in a virtual machine (Option B) constitutes dynamic analysis , which should only be performed after initial static indicators suggest malicious intent and after proper containment controls are in place. Metadata extraction (Option C) is useful but limited, as metadata alone does not reliably expose embedded exploit code. Manual hex inspection (Option D) is advanced and time-consuming and is not recommended as the first step.

The CHFI v11 Exam Blueprint emphasizes a structured malware analysis workflow , starting with static analysis tools like PDFiD for suspicious documents, making Option A the most appropriate and exam-accurate answer