According to the CHFI v11 Forensic Investigation Process and Event Correlation objectives, the forensic technique that enables investigators to reconstruct the sequence of events and determine the root cause of an incident is data analysis. Data analysis is the phase where collected evidence is examined, correlated, and interpreted to extract meaningful insights about attacker behavior.
During data analysis, investigators examine logs, timestamps, file system metadata, registry entries, network traffic, memory artifacts, and security alerts to perform timeline analysis, event correlation, and kill chain reconstruction. CHFI v11 explicitly highlights techniques such as timeline creation, event deconfliction, and correlation analysis as essential for identifying the time of attack, vulnerabilities exploited, methods used, and actions performed by the attacker.
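The timeline step described above, as an added example that is not from the original page or from CHFI material: it normalises mixed timestamp formats to UTC, collapses duplicate reports of one event (taken here as what deconfliction means), and chains events per host by time gap. The evidence records, source names, hosts and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample evidence: (source, raw timestamp, host, description).
RAW_EVENTS = [
    ("fs_mtime", "1710234960", "web01", "new file /var/www/uploads/a.php"),
    ("auth_log", "2024-03-12T10:20:05+01:00", "web01", "sudo session opened for www-data"),
    ("web_log", "12/Mar/2024:09:14:07 +0000", "web01", "POST /upload.php 200"),
    ("ids_a", "2024-03-12T09:14:07+00:00", "web01", "POST /upload.php 200"),
    ("auth_log", "2024-03-12T10:25:00+01:00", "db01", "ssh login from web01"),
    ("netflow", "2024-03-12T04:31:40-05:00", "web01", "outbound 443 to unknown host"),
]

def to_utc(raw):
    """Parse epoch seconds, Apache-style, or ISO 8601 timestamps into UTC."""
    if raw.isdigit():
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(raw, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")

def build_timeline(raw_events):
    """Merge all sources into one UTC-ordered list, one entry per distinct event."""
    merged = {}
    for source, raw, host, desc in raw_events:
        # Same instant, host and description from two sources is one event.
        merged.setdefault((to_utc(raw), host, desc), []).append(source)
    return [
        {"utc": ts, "host": host, "event": desc, "sources": sorted(srcs)}
        for (ts, host, desc), srcs in sorted(merged.items(), key=lambda kv: kv[0])
    ]

def correlate(timeline, window_min=15):
    """Group each host's events into chains whose consecutive gaps fit the window."""
    chains, window = {}, timedelta(minutes=window_min)
    for ev in timeline:
        host_chains = chains.setdefault(ev["host"], [])
        if host_chains and ev["utc"] - host_chains[-1][-1]["utc"] <= window:
            host_chains[-1].append(ev)
        else:
            host_chains.append([ev])
    return chains

if __name__ == "__main__":
    for ev in build_timeline(RAW_EVENTS):
        print(ev["utc"].isoformat(), ev["host"], ev["event"], ev["sources"])
```

The earliest entry in the merged timeline is the candidate time of attack, and the `sources` list shows which independent records corroborate it.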
The other options represent different forensic phases but do not directly achieve the stated goal. Data acquisition focuses on collecting evidence in a forensically sound manner, not interpreting it. Data duplication involves creating forensic copies to preserve evidence integrity. Photographing the crime scene applies primarily to physical forensics and documentation, not digital event reconstruction.
CHFI v11 emphasizes that without proper data analysis, raw evidence remains unstructured and cannot support attribution, root cause analysis, or legal prosecution. Therefore, to uncover the complete sequence of malicious activities and generate an accurate incident timeline, data analysis is the most effective forensic technique.
Hence, the correct and CHFI-verified answer is Option C.