According to the CHFI v11 objectives under Malware Forensics and Static Malware Analysis , the correct initial step when analyzing a suspicious document—such as a potentially malicious PDF—is to perform static analysis before any execution . Running the tool PDFiD using the command python pdfid.py infected.pdf is a standard and CHFI-aligned first action. PDFiD is designed to quickly scan a PDF file and identify suspicious elements such as /JavaScript, /OpenAction, /Launch, /EmbeddedFile, and /AA, which are commonly abused by attackers to deliver malware through PDF documents.

This approach is non-intrusive and ensures the investigator does not accidentally trigger malicious code, thereby preserving evidence integrity and maintaining forensic soundness. Opening the file in a virtual machine (Option B) constitutes dynamic analysis , which should only be performed after initial static indicators suggest malicious intent and after proper containment controls are in place. Metadata extraction (Option C) is useful but limited, as metadata alone does not reliably expose embedded exploit code. Manual hex inspection (Option D) is advanced and time-consuming and is not recommended as the first step.

The CHFI v11 Exam Blueprint emphasizes a structured malware analysis workflow , starting with static analysis tools like PDFiD for suspicious documents, making Option A the most appropriate and exam-accurate answer

Option C is the strongest answer because the scenario describes frequent, high-volume outbound communications from an internal system to an untrusted external server , including large binary files that do not fit normal business workflows. CHFI v11 explicitly includes Indicators of Compromise (IoC) , Analyze Traffic to Detect Malware Activity , and Examine Data Exfiltration Attempts made through FTP under its network-forensics objectives.

These are classic signs of data exfiltration . The foreign destination, unusual data type, abnormal transfer volume, and deviation from standard operations all point toward unauthorized outbound movement of sensitive information. That is a more precise fit than failed connection attempts, off-hours logins, or reboot anomalies.

In CHFI terms, investigators use traffic analysis, log review, and event correlation to identify whether an internal host is behaving like a staging or exfiltration node. Since the question focuses on unexpected external communications and atypical outbound file transfers, the most accurate indicator of compromise is abnormal outbound traffic suggesting data exfiltration .

The correct answer is D because IBM QRadar is built around real-time ingestion, normalization, and correlation of events and flows from many different sources, then presenting those results through a unified investigative interface. The CHFI v11 blueprint includes centralized logging, SIEM solutions, and event correlation approaches, so the exam expects candidates to identify tools that can combine diverse evidence streams into actionable security findings. IBM documentation states that QRadar consolidates log source and network flow data, performs immediate normalization and correlation, and provides dashboards, offenses, log activity, and network activity views for analysts. That lines up closely with the scenario’s need for real-time, cross-source analysis. ELK can aggregate and visualize data effectively, but the question stresses built-in correlation of activity across sources as it occurs. OSSEC is host-focused, and EventLog Analyzer is more centered on log monitoring and analysis rather than the broader SIEM-style cross-source correlation platform described here. For CHFI-style tool selection, a requirement for unified, real-time event correlation across network and system telemetry points most directly to IBM QRadar.

Option D is the correct answer because CHFI v11 explicitly includes registry-based malware persistence mechanisms , identifying malware persistence , and system behavior analysis involving registry artifacts, startup programs, processes, services, and Windows event logs .

The Run key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is one of the most common Windows registry locations used by malware to achieve automatic execution at startup . When a value is placed there, the referenced program can be launched when the system starts or when a user logs in, depending on the context. Because the question specifically asks about auto-start functionality , this key is the most relevant place to examine.

The other paths are less suitable. Explorer\Advanced generally stores user interface preferences, Uninstall relates to installed program information, and Policies\Explorer\ShellNoRoam is not the primary classic auto-start persistence location being tested here. Under CHFI malware forensics and Windows registry analysis objectives, the examiner should focus first on the CurrentVersion\Run key to track persistence behavior tied to startup execution.

According to the CHFI v11 Operating System and Malware Forensics objectives , Windows Event ID 5156 is generated by the Windows Filtering Platform (WFP) and indicates that a network connection has been permitted . This event is highly valuable in malware investigations because it records detailed information about process-level network activity , which is a common indicator of compromise.

Event ID 5156 logs typically include:

Process name and Process ID (PID) that initiated the network connection

Source and destination IP addresses

Source and destination ports

Protocol used (TCP/UDP)

Direction of the connection (inbound or outbound)

CHFI v11 explicitly highlights the importance of Windows Security Event Logs in tracing malware behavior, especially for identifying command-and-control (C2) communications , data exfiltration attempts, and lateral movement. By analyzing Event ID 5156, investigators can directly correlate a specific executable or malicious process with external IP addresses , helping establish attacker infrastructure and timelines.

The other options are incorrect because Event ID 5156 does not record credentials, file deletion paths, or registry modification details. Those artifacts are found in other event IDs or forensic sources such as registry hives, file system metadata, or Sysmon logs.

Therefore, the key forensic value of Event ID 5156 lies in revealing the process responsible for the network communication and the IP address it connected to , making Option D the correct and CHFI v11–verified answer.

The correct answer is A because AutomaticDestinations files are the primary Jump List artifacts used to record documents opened through an application, including programs accessed from the taskbar. In this scenario, Excel is pinned to the taskbar, but the question asks which artifact type helps identify the spreadsheets opened through that program. That points to the Jump List records that store recent and frequent document usage for the application, which are found in AutomaticDestinations files. CustomDestinations are different; they are used for developer-defined or manually customized Jump List behavior and are more associated with custom pinned items or application-specific structures. AppID is not a Jump List file type at all; it is the identifier used to associate a Jump List with a specific application. A malicious LNK is also not the correct artifact category here. The CHFI v11 blueprint includes analysis of LNK files and Jump Lists under Windows artifact examination, so candidates are expected to know which artifact reveals document access history tied to user activity. For opened documents through a pinned application, AutomaticDestinations is the best forensic source.

The right answer is A because the Windows Run key is intended to launch a program every time a user logs on, which makes it a classic registry-based persistence mechanism for malware. In contrast, RunOnce is designed for one-time execution and is removed after processing, so it does not best match the wording about recurring execution after reboot. The CHFI v11 blueprint specifically covers registry-based malware persistence mechanisms and identifying how malicious software survives restarts. That objective expects candidates to distinguish one-time startup artifacts from repeat-execution startup artifacts. From a forensic angle, the Run key is highly valuable because it can show how a threat repeatedly re-establishes itself, launches payloads, or triggers follow-on scripts whenever a user session begins. This kind of persistence is commonly examined alongside other startup evidence such as services, scheduled tasks, and startup folders. Microsoft’s own documentation states that the Run key makes a program run every time the user logs on, while RunOnce executes only one time. That makes Run the only answer that fully matches the persistence behavior described in the question.

This scenario aligns with CHFI v11 objectives under Mobile and IoT Forensics and Cross-Platform Digital Evidence Correlation . Modern cyberattacks frequently involve multiple devices and operating systems working together as part of a single attack chain. In mobile forensic investigations, Android and iOS devices often store artifacts that reflect interactions with external systems such as Windows and Linux machines. These artifacts may include USB connection logs, file transfer records, SSH keys, shared application data, cloud sync traces, or remnants of malware propagation.

CHFI v11 emphasizes the importance of event correlation and timeline analysis across heterogeneous environments. By analyzing Windows- and Linux-related files found on a mobile device, investigators can establish relationships between compromised endpoints, reconstruct attacker movement, and identify how data or malware was transferred between systems. This cross-device correlation is essential for attributing actions, understanding lateral movement, and proving coordinated activity during an incident.

The other options focus on device identification details, which are typically obtained through mobile hardware and OS artifacts, not through external system files. Therefore, the correct forensic purpose is to establish connections between multiple devices involved in the cyberattack, making option C the correct and CHFI-aligned answer.

Option D. Security phase is the best answer because the scenario describes cryptographic verification , checking the bootloader integrity , and enforcing policies so that only trusted software is loaded. CHFI v11 includes the booting process and specifically covers the Windows boot process: BIOS-MBR method and UEFI-GPT , which means exam candidates are expected to understand the major phases and security controls associated with modern system startup.

In UEFI-based systems, the phase concerned with validating trust and enforcing secure boot behavior is the security phase . That phase is responsible for ensuring that firmware policy is applied before control is handed to later boot components. This aligns precisely with the description in the question, where the system is not merely selecting a boot device or initializing drivers, but actively verifying trust and compliance.

The other answers are less suitable. Boot device selection focuses on choosing the device to boot from. Pre-EFI initialization prepares early hardware and platform state. Driver execution environment deals more with loading drivers and services in the UEFI environment. Because the emphasis is on trusted boot and cryptographic validation , the correct answer is the security phase .

This question aligns with CHFI v11 objectives related to legal compliance, rules of evidence, and handling privileged information during forensic investigations. In digital forensics, investigators frequently work alongside legal teams, making it critical to understand when attorney-client privilege or work-product protection may be waived. Under the U.S. Federal Rules of Evidence (Rule 502), an unintentional or inadvertent disclosure does not automatically extend the waiver of privilege to undisclosed communications.

For a waiver to extend beyond the disclosed material, strict conditions must be met. The waiver must be intentional , the disclosed and undisclosed communications must concern the same subject matter , and fairness must require that the undisclosed information also be considered. CHFI v11 emphasizes that forensic investigators must preserve confidentiality, respect legal protections, and avoid actions that could improperly broaden legal exposure during investigations.

Options B and C are incorrect because unintentional or accidental disclosures are explicitly protected from subject-matter waiver under Rule 502. Option A is incorrect because waiver extension only applies when communications involve the same subject matter. Therefore, Option D correctly reflects both legal standards and CHFI-aligned best practices for evidence handling and legal awareness during forensic investigations.