Free 365 Days Exam Updates 312-49v11 dumps with test Engine Practice
Updated Verified 312-49v11 dumps Q&As - 100% Pass Guaranteed
EC-COUNCIL 312-49v11 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
| Topic 7 |
|
| Topic 8 |
|
NEW QUESTION # 58
You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.
- A. Email Header
- B. Firewall log
- C. Routing Table
- D. Configuration files
Answer: A
NEW QUESTION # 59
What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?
- A. Smurf scan
- B. Teardrop
- C. Fraggle
- D. SYN flood
Answer: C
NEW QUESTION # 60
Which of the following passwords are sent over the wire (and wireless) network, or stored on some media as it is typed without any alteration?
- A. Clear text passwords
- B. Hashed passwords
- C. Hex passwords
- D. Obfuscated passwords
Answer: A
NEW QUESTION # 61
Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?
- A. ISO/IEC 19025
- B. ISO/IEC 17025
- C. ISO/IEC 18025
- D. ISO/IEC 16025
Answer: B
NEW QUESTION # 62
Which of these ISO standards define the file system for optical storage media, such as CD-ROM and DVD-ROM?
- A. ISO 9960
- B. ISO 13346
- C. ISO 13490
- D. ISO 9660
Answer: D
NEW QUESTION # 63
With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ______
- A. 0
- B. 1
- C. 2
- D. 3
Answer: C
NEW QUESTION # 64
John is working on his company policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?
- A. Cris-cross shredder
- B. Cross-hatch shredder
- C. Strip-cut shredder
- D. Cross-cut shredder
Answer: D
NEW QUESTION # 65
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed format.
SAM file in Windows is located at:
- A. C:\windows\system32\Boot\SAM
- B. C:\windows\system32\drivers\SAM
- C. C:\windows\system32\config\SAM
- D. C:\windows\system32\con\SAM
Answer: C
NEW QUESTION # 66
An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected Instance to perform further analysis and collected other data of evidentiary value. What should be their next step?
- A. They should keep the instance running as it stores critical data
- B. They should pause the running instance
- C. They should terminate the instance after taking necessary backup
- D. They should terminate all instances connected via the same VPC
Answer: C
NEW QUESTION # 67
What is the role of Alloc.c in Apache core?
- A. It is useful for reading and handling of the configuration files
- B. It handles allocation of resource pools
- C. It handles server start-ups and timeouts
- D. It takes care of all the data exchange and socket connections between the client and the server
Answer: B
NEW QUESTION # 68
What does Locard's Exchange Principle state?
- A. Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence
- B. Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave
- C. Digital evidence must have some characteristics to be disclosed in the court of law
- D. Any information of probative value that is either stored or transmitted in a digital form
Answer: B
NEW QUESTION # 69
In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?
- A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name
- B. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual websites domain name
- C. Both pharming and phishing attacks are identical
- D. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering
Answer: A
NEW QUESTION # 70
Imagine you, as a forensic investigator, are assigned to investigate a cybercrime involving a Windows-based system. The system has experienced significant file loss due to the attack, and retrieving the missing files is essential for the investigation. To facilitate this, you choose an automated tool capable of restoring critical files that were lost during the incident, ensuring the integrity of the evidence. Which tool would be the most suitable for this task?
- A. Employing Pwdump7 to extract password hashes from the system for reconstructing the missing files in their original state.
- B. Using R-Studio to scan the file system and recover corrupted, deleted, or damaged files from the Windows system.
- C. Leveraging Ophcrack to recover passwords from the target system to back up the critical files.
- D. Adopting Cain & Abel to recover passwords and sniff network traffic for restoring the lost files.
Answer: B
Explanation:
Under theCHFI v11 Operating System Forensicsdomain, investigators are required to analyze Windows file systems and recover evidence that may have been deleted, corrupted, or intentionally destroyed during a cybercrime. File loss incidents commonly occur due to malware infections, insider activity, ransomware attacks, or deliberate anti-forensic actions. Recovering such files is often critical to reconstructing events and identifying attacker intent.
R-Studiois a specialized forensic data recovery tool designed to analyze Windows file systems such asNTFS, FAT, and exFAT. It can scan allocated and unallocated disk space, identify lost partitions, and recover deleted or damaged files while preserving original metadata such as timestamps and file structure. CHFI v11 recognizes file recovery tools like R-Studio as essential forpost-incident Windows forensics, especially when investigators must restore evidence without modifying the source media.
The other options are not appropriate for file recovery.Cain & Abel,Ophcrack, andPwdump7are credential- related tools used for password recovery or hash extraction and do not perform file system reconstruction or deleted file recovery. Using such tools would not help retrieve missing files and would not align with the forensic objective described.
Therefore, in accordance with CHFI v11 Operating System Forensics principles, the most suitable tool for restoring lost files from a compromised Windows system isR-Studio, makingOption Bthe correct answer.
NEW QUESTION # 71
During a forensic investigation into a suspected data breach, the eDiscovery team is tasked with collecting and preserving digital evidence from a compromised computer system. The team must deploy specialized tools to extract relevant data, such as emails, files, and system logs, from the machine. One team member is responsible for deploying these tools, configuring them for the specific needs of the investigation, and maintaining them throughout the entire data collection process. This individual ensures that the tools operate correctly and remain effective during the forensic analysis. Which of the following members of the eDiscovery team is responsible for this task?
- A. Review personnel can aid in implementing the tools needed for the eDiscovery team.
- B. An eDiscovery software expert can help set up the necessary tools for the eDiscovery team.
- C. Processing personnel can assist in the process of deploying the required tools for the eDiscovery team.
- D. An eDiscovery attorney can support the deployment of essential tools for the eDiscovery team.
Answer: B
Explanation:
According to the CHFI v11 curriculum and Exam Blueprint v4, theeDiscovery processinvolves multiple specialized roles, each with clearly defined responsibilities to ensure evidence is collected, preserved, processed, and reviewed in a forensically sound manner. The role described in this scenario aligns specifically with that of aneDiscovery software expert.
An eDiscovery software expert is responsible for thedeployment, configuration, validation, and maintenance of forensic and eDiscovery toolsused during evidence collection and analysis. This includes ensuring that tools used for acquiring emails, files, logs, and system artifacts are properly configured for the target environment, function correctly throughout the investigation, and comply with forensic best practices.
CHFI v11 emphasizes the importance of tool reliability, validation, and proper configuration to maintain evidence integrity and legal admissibility.
Other roles listed are not appropriate in this context. An eDiscovery attorney (Option A) focuses on legal oversight, scope definition, and compliance. Processing personnel (Option B) handle data normalization, indexing, and preparation after collection. Review personnel (Option C) analyze processed data for relevance and privilege. None of these roles are responsible for tool deployment or maintenance.
Therefore, based on CHFI v11 eDiscovery role definitions and responsibilities, the correct and exam-aligned answer isAn eDiscovery software expert
NEW QUESTION # 72
Rachel, a forensic investigator, is examining a network-attached storage (NAS) device to recover files from a shared storage system used by a company. She needs to understand how files are being accessed and shared across different users. Which of the following file-sharing protocols should Rachel examine to understand how the files are accessed in this environment?
- A. SMB/CIFS
- B. RAID
- C. SMTP
- D. iSCSI
Answer: A
Explanation:
According to the CHFI v11 objectives underDigital Evidence,Operating System Forensics, andNetwork- Based Evidence, understanding file-sharing protocols is essential when investigatingNetwork-Attached Storage (NAS)systems. NAS devices are designed to provide shared file access to multiple users over a network, and the most commonly used protocol for this purpose-especially in Windows-based and mixed environments-isSMB/CIFS (Server Message Block / Common Internet File System).
SMB/CIFS governs how files, folders, printers, and other resources are accessed and shared across the network. By examining SMB/CIFS activity, a forensic investigator can determinewhich users accessed specific files, when the access occurred, what operations were performed (read, write, delete), and from which systems the access originated. These details are crucial for reconstructing user activity, identifying unauthorized access, and correlating actions across multiple endpoints connected to the NAS.
The other options are incorrect. SMTP (Option A) is an email transmission protocol and unrelated to file sharing. iSCSI (Option B) is a block-level storage protocol used for SAN environments, not user-level file sharing. RAID (Option C) is a disk redundancy technology and does not control how files are accessed over the network.
The CHFI Exam Blueprint v4 highlightsSMB/CIFS analysisas a key area for investigating shared storage environments, making it the correct and exam-aligned protocol for understanding file access on NAS devices
NEW QUESTION # 73
The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?
- A. dir /o:s
- B. dir /o:d
- C. dir /o:n
- D. dir /o:e
Answer: B
NEW QUESTION # 74
Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?
- A. Mail bombing
- B. Email spoofing
- C. Email spamming
- D. Phishing
Answer: A
NEW QUESTION # 75
When obtaining a warrant it is important to:
- A. particularly describe the place to be searched and particularly describe the items to be seized
- B. generally describe the place to be searched and particularly describe the items to be seized
- C. particularly describe the place to be searched and generally describe the items to be seized
- D. generally describe the place to be searched and generally describe the items to be seized
Answer: A
NEW QUESTION # 76
Which of the following tools is not a data acquisition hardware tool?
- A. UltraKit
- B. F-Response Imager
- C. Atola Insight Forensic
- D. Triage-Responder
Answer: B
NEW QUESTION # 77
......
Provide Valid Dumps To Help You Prepare For Computer Hacking Forensic Investigator (CHFI-v11) Exam: https://www.freecram.com/EC-COUNCIL-certification/312-49v11-exam-dumps.html
312-49v11 Dumps Questions [2026] Pass for Exam: https://drive.google.com/open?id=1hzdea0iZ7QxdroCWXtZF9r6XQZc00EEJ