According to the CHFI v11 curriculum under Network Forensics and Analyzing Network Attacks, the primary purpose of using network log analysis tools during a suspected Distributed Denial-of-Service (DDoS) attack is to identify the source and nature of the attack traffic. DDoS attacks overwhelm network resources by flooding them with a massive volume of malicious traffic originating from multiple compromised systems.
By analyzing firewall logs, IDS/IPS logs, router logs, and server access logs, investigators can detect abnormal traffic patterns such as unusually high connection rates, repeated requests from multiple IP addresses, malformed packets, or protocol misuse. These indicators help forensic investigators trace the origin of attack traffic, identify botnet behavior, determine attack vectors (e.g., SYN flood, UDP flood, HTTP flood), and assess the scope and impact of the attack.
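As an added illustration of the log analysis described above (not part of the CHFI material), the following Python script buckets web-server access-log entries into time windows and labels each window by how its request volume is spread across source addresses. The log lines, IP ranges and thresholds are constructed for the example; a single dominating source points to one attacker, while many distinct sources in one window is the pattern of a distributed (botnet) flood.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (timestamp, source_ip, request) for one CLF line, or None if malformed."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(2), TS_FMT), m.group(1), m.group(3)
    except ValueError:
        return None

def analyze(lines, window_seconds=10, distinct_limit=50, per_source_limit=20):
    """Bucket requests into fixed time windows and label each window.
    Many distinct sources in one window suggests a distributed (botnet) flood;
    one source dominating a window suggests a single-source flood."""
    parsed = [p for p in map(parse, lines) if p]
    result = {"malformed": len(lines) - len(parsed), "findings": []}
    if not parsed:
        return result
    start = min(p[0] for p in parsed)
    buckets = defaultdict(Counter)  # window index -> Counter of source IPs
    for ts, ip, _ in parsed:
        buckets[int((ts - start).total_seconds()) // window_seconds][ip] += 1
    for idx in sorted(buckets):
        hits = buckets[idx]
        total, distinct = sum(hits.values()), len(hits)
        top_ip, top_n = hits.most_common(1)[0]
        verdict = ("distributed flood" if distinct >= distinct_limit
                   else "single-source flood" if top_n >= per_source_limit else "normal")
        result["findings"].append({"window": idx, "total": total, "distinct_sources": distinct,
                                   "top_source": top_ip, "top_count": top_n, "verdict": verdict})
    return result

def constructed_sample():
    """Constructed lines (not a real incident): 60 sources x 3 requests within 10 s,
    one malformed line, then one ordinary request 30 s later."""
    lines = [f'203.0.113.{i} - - [10/Mar/2024:12:00:0{i % 10} +0000] "GET / HTTP/1.1" 200 512'
             for i in range(1, 61) for _ in range(3)]
    lines.append("not a log line")
    lines.append('198.51.100.7 - - [10/Mar/2024:12:00:30 +0000] "GET /about HTTP/1.1" 200 1024')
    return lines
```

Running `analyze(constructed_sample())` labels the first window a distributed flood (180 requests from 60 sources) and the later window normal, while counting the one malformed line separately; the same per-window counters can be correlated across firewall and IDS logs by timestamp.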
Option A refers to long-term security improvements, which may result from the investigation but are not the immediate goal. Option C focuses on performance tuning rather than forensic detection. Option D is unrelated to incident response or attack investigation.
The CHFI v11 Exam Blueprint emphasizes log analysis for detecting DoS and DDoS attacks, including identifying malicious traffic sources and correlating events across network devices. Therefore, the correct and exam-aligned purpose of network log analysis in this scenario is identifying the source of the cyberattack.