CHFI (312-49) Digital Forensics Simulation

This simulation focuses on the Analysis phase of network forensics. You will learn to interpret network traffic patterns, identify indicators of compromise (IoCs), and deduce the behavior of covert malware communications.

Investigation Scenario

A digital forensics investigator is analyzing a suspected security breach on a Windows 11 workstation within a corporate finance department. A baseline comparison of network activity indicated unauthorized outbound connections occurring during non-business hours.

The investigator acquires the perimeter firewall logs and a PCAP (Packet Capture) file from a SPAN (port-mirror) session on the workstation's access switch. Upon reviewing the traffic flows, the investigator isolates a specific communication pattern directed at an unknown external IP address located in a foreign jurisdiction.

Evidence Collected

[NETWORK LOG ANALYSIS EXTRACT]
Source IP: 10.15.22.45 (Finance-WS-02)
Destination IP: 198.51.100.77 (Uncategorized)
Protocol: HTTPS (TCP/443)

[CONNECTION TIMESTAMPS]
02:00:05 UTC - 84 bytes sent, 102 bytes received
02:05:07 UTC - 84 bytes sent, 102 bytes received
02:10:04 UTC - 84 bytes sent, 102 bytes received
02:15:06 UTC - 84 bytes sent, 2,048 bytes received
02:20:05 UTC - 84 bytes sent, 102 bytes received
02:25:05 UTC - 84 bytes sent, 102 bytes received

[ANALYSIS NOTES]
- Traffic recurs at approximately 300-second (5-minute) intervals; the measured gaps between consecutive connections are 302, 297, 302, 299 and 300 seconds, i.e. a few seconds of jitter around the mean rather than an exact period.
- Payload sizes are consistently small (84 bytes sent, 102 bytes received), except for the 2,048 bytes received at 02:15:06.
- No corresponding user interaction (system idle, outside business hours).

Question

In network forensics, what does "Beaconing" typically indicate?

  A. Periodic check-in traffic from malware on the host to an attacker's Command and Control (C2) server
  B. The Wi-Fi beacon frames an 802.11 access point broadcasts to announce its SSID
  C. A workstation polling for and downloading Windows updates
  D. A user downloading a large file from an external server

Investigative Hint: Look closely at the timing in the evidence (every ~300 seconds) and the very small payload sizes. Is this traffic erratic like human browsing, or automated and rhythmic? What is the purpose of a rhythmic "heartbeat" on an infected machine?

Expert Analysis

1. What the evidence shows

The firewall logs and PCAP summary reveal a highly rhythmic, automated outbound connection occurring every 5 minutes with a few seconds of timing jitter. The data transferred is very small (84 bytes sent, 102 bytes received), except for a single instance where more data was received (2,048 bytes). Human web browsing produces irregular gaps and large, bursty downloads; this pattern shows neither.

2. Identify forensic stage

Analysis Phase. The investigator is currently examining collected network artifacts (PCAPs and logs) to understand the nature and scope of the compromise.

3. Why correct answer is correct

A is correct. In digital forensics and incident response, "beaconing" refers to the rhythmic, periodic "heartbeat" signals sent by malware (such as a Remote Access Trojan or botnet agent) to an attacker's Command and Control (C2) server. The malware checks in (84 bytes) to say "I am still active, do you have new commands?". If there are no commands, the C2 server responds with a short acknowledgment (102 bytes). The anomaly at 02:15:06 (2,048 bytes received) most likely indicates the attacker sending a new task or payload to the infected host. Because the channel is TLS on TCP/443, these byte counts cover encrypted records; the analyst infers the check-in/acknowledgment roles from size and cadence, not from decoded payload content.

4. Why others are wrong

  • B. Wi-Fi signal: While 802.11 management frames include "beacon frames" broadcast by Access Points to announce their SSID, in network forensics analyzing external routed traffic (as seen in the IP logs), beaconing refers to malicious C2 activity, not Layer 2 wireless functionality.
  • C. Windows update: Windows updates communicate with known Microsoft CDNs, do not occur every 5 minutes continuously, and involve downloading significant amounts of data, not 84-byte heartbeats.
  • D. Downloading a large file: File downloads generate a continuous, asymmetric stream of full-size segments (at or near the 1,500-byte Ethernet MTU) for the duration of the transfer, completely unlike the intermittent, tiny payloads seen in the evidence.

5. Real-world forensic action

Upon confirming the beaconing behavior, the investigator would isolate the host from the network, in line with the organization's incident response plan, to prevent lateral movement or data exfiltration. The next step is memory forensic analysis (using a tool such as Volatility) on the workstation to identify the specific malicious process owning the TCP/443 connection, together with its persistence mechanism. Although the TLS payload cannot be read from the PCAP, the TLS handshake still yields the Server Name Indication (SNI), the server certificate and the client fingerprint (e.g., JA3), which are useful indicators alongside the IP. The destination IP (198.51.100.77) would be blocked at the perimeter firewall, and proxy and firewall logs across the enterprise would be queried for the same destination, certificate or cadence to see whether other internal hosts are beaconing to the same C2 infrastructure.

MINI LESSON: Analyzing C2 Beacon Jitter

Modern malware rarely beacons at exact, hardcoded intervals (e.g., exactly 300.00 seconds) because such mathematical regularity is easily detected by simple SIEM rules. To evade detection, attackers configure their malware with Jitter. Jitter introduces random variance to the sleep timer between beacons (e.g., ±10%, so a 300-second sleep lands anywhere between 270 and 330 seconds). As an investigator, when performing Timeline Analysis on network flows, you must look for approximate periodic intervals (a tight spread of gaps around a common mean) rather than exact matches to successfully uncover stealthy Command and Control channels.
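The following script is an added example for this page, not part of the original CHFI material. It applies the two observations above (approximately periodic gaps in the Analysis Notes, and the jitter guidance in the mini lesson) to the six connection records from the evidence extract: it parses the timestamp/byte-count lines, measures the gaps between connections, scores their regularity with the coefficient of variation (standard deviation divided by mean), and flags the oversized response. The HUMAN_LOG lines and the 10% and 5x thresholds are constructed assumptions for illustration.

```python
"""Beacon detection over connection-log lines.

Added example for this page, not part of the original CHFI material. It
parses the timestamp/byte-count lines from the evidence extract, measures
the gaps between connections, and flags (1) a near-periodic cadence with
small jitter and (2) an outlier in bytes received. The six BEACON_LOG lines
are copied from the scenario; HUMAN_LOG and the thresholds are assumptions.
"""
import re
import statistics

# Copied from the evidence extract above.
BEACON_LOG = """\
02:00:05 UTC - 84 bytes sent, 102 bytes received
02:05:07 UTC - 84 bytes sent, 102 bytes received
02:10:04 UTC - 84 bytes sent, 102 bytes received
02:15:06 UTC - 84 bytes sent, 2,048 bytes received
02:20:05 UTC - 84 bytes sent, 102 bytes received
02:25:05 UTC - 84 bytes sent, 102 bytes received
"""

# Constructed contrast: irregular gaps and large transfers, as a person
# browsing would produce. Not from the scenario.
HUMAN_LOG = """\
02:00:05 UTC - 1,210 bytes sent, 48,330 bytes received
02:00:17 UTC - 940 bytes sent, 131,072 bytes received
02:05:57 UTC - 2,005 bytes sent, 7,212 bytes received
02:06:42 UTC - 610 bytes sent, 390,144 bytes received
02:21:42 UTC - 1,444 bytes sent, 20,991 bytes received
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) UTC - (?P<sent>[\d,]+) bytes sent, "
    r"(?P<recv>[\d,]+) bytes received$"
)


def parse_log(text):
    """Return (seconds_since_midnight, bytes_sent, bytes_received) tuples.

    The extract carries times only, so all records are assumed to fall on
    one day; intervals() tolerates a single wrap past midnight.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers/blank lines rather than abort
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        records.append((h * 3600 + mi * 60 + s,
                        int(m["sent"].replace(",", "")),
                        int(m["recv"].replace(",", ""))))
    return records


def intervals(records):
    """Gaps in seconds between consecutive connections."""
    times = [r[0] for r in records]
    return [(b - a) % 86400 for a, b in zip(times, times[1:])]


def beacon_score(gaps):
    """Periodicity summary. The coefficient of variation (stdev / mean)
    stays small for a jittered sleep timer and large for human activity."""
    mean = statistics.mean(gaps)
    stdev = statistics.pstdev(gaps)
    return {"mean": mean, "stdev": stdev, "cv": stdev / mean,
            "min": min(gaps), "max": max(gaps)}


def is_beaconing(records, max_cv=0.10, min_count=4):
    """Assumed heuristic: at least min_count connections whose gaps vary by
    no more than max_cv around the mean. Approximate periodicity is enough,
    so +/-10% jitter does not hide the beacon."""
    if len(records) < min_count:
        return False
    return beacon_score(intervals(records))["cv"] <= max_cv


def size_outliers(records, factor=5.0):
    """Records receiving more than factor * median bytes: candidate tasking
    or payload delivery riding on an otherwise empty heartbeat."""
    median = statistics.median(r[2] for r in records)
    return [r for r in records if r[2] > factor * median]


if __name__ == "__main__":
    for name, log in (("Finance-WS-02", BEACON_LOG), ("browsing", HUMAN_LOG)):
        recs = parse_log(log)
        score = beacon_score(intervals(recs))
        print(f"{name}: gaps={intervals(recs)} mean={score['mean']:.1f}s "
              f"cv={score['cv']:.3f} beaconing={is_beaconing(recs)}")
        for t, _sent, recv in size_outliers(recs):
            print(f"  outlier at {t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d} "
                  f"UTC: {recv} bytes received")
```

For the scenario data the gaps are 302, 297, 302, 299 and 300 seconds (mean 300, standard deviation about 1.9, coefficient of variation about 0.006), so the host is flagged even though no two gaps are identical; the browsing sample produces gaps of 12, 340, 45 and 900 seconds and is not. Tuning max_cv upward (toward 0.10 or beyond) trades false positives for resilience against heavier jitter, which is exactly the trade-off the mini lesson describes.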
