According to the CHFI v11 Forensic Investigation Process and Event Correlation objectives, the forensic technique that enables investigators to reconstruct the sequence of events and determine the root cause of an incident is data analysis. Data analysis is the phase where collected evidence is examined, correlated, and interpreted to extract meaningful insights about attacker behavior.
During data analysis, investigators examine logs, timestamps, file system metadata, registry entries, network traffic, memory artifacts, and security alerts to perform timeline analysis, event correlation, and kill chain reconstruction. CHFI v11 explicitly highlights techniques such as timeline creation, event deconfliction, and correlation analysis as essential for identifying the time of attack, vulnerabilities exploited, methods used, and actions performed by the attacker.
The other options represent different forensic phases but do not directly achieve the stated goal. Data acquisition focuses on collecting evidence in a forensically sound manner, not interpreting it. Data duplication involves creating forensic copies to preserve evidence integrity. Photographing the crime scene applies primarily to physical forensics and documentation, not digital event reconstruction.
CHFI v11 emphasizes that without proper data analysis, raw evidence remains unstructured and cannot support attribution, root cause analysis, or legal prosecution. Therefore, to uncover the complete sequence of malicious activities and generate an accurate incident timeline, data analysis is the most effective forensic technique.
Hence, the correct and CHFI-verified answer is Option C.
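The timeline creation and event deconfliction mentioned above can be sketched as follows; this is an added example, not part of the original explanation or of CHFI material. The three log formats, the 5-second deconfliction window and every sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample evidence; every value below is made up for the example.
WEB_LOG = [("2024-03-01T10:15:02+02:00", "file uploaded: /uploads/x.php"),
           ("2024-03-01T10:16:40+02:00", "request to /uploads/x.php")]   # local time with offset
EDR_LOG = [(1709281005, "php spawned child process"),                    # epoch seconds, UTC
           (1709281060, "outbound connection to 198.51.100.9:443")]
FW_LOG = [("2024-03-01 08:17:41", "outbound connection to 198.51.100.9:443")]  # naive, UTC

def normalize(web, edr, fw):
    """Convert every record to (utc_datetime, source, description) and sort by time."""
    events = []
    for ts, desc in web:
        events.append((datetime.fromisoformat(ts).astimezone(timezone.utc), "web", desc))
    for ts, desc in edr:
        events.append((datetime.fromtimestamp(ts, tz=timezone.utc), "edr", desc))
    for ts, desc in fw:
        naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((naive.replace(tzinfo=timezone.utc), "fw", desc))
    return sorted(events)

def deconflict(events, window=timedelta(seconds=5)):
    """Merge records describing the same action within `window` into one
    timeline entry that lists every source that reported it."""
    timeline = []
    for ts, source, desc in events:
        match = next((e for e in reversed(timeline)
                      if e["what"] == desc and ts - e["time"] <= window), None)
        if match:
            match["sources"].append(source)   # corroborating report, not a new event
        else:
            timeline.append({"time": ts, "what": desc, "sources": [source]})
    return timeline

def build_timeline():
    return deconflict(normalize(WEB_LOG, EDR_LOG, FW_LOG))

if __name__ == "__main__":
    for e in build_timeline():
        print(e["time"].isoformat(), "+".join(e["sources"]), e["what"])
```

Without the UTC normalization step the web-server records would sort two hours after the endpoint and firewall records, which would invert the apparent order of upload, execution and outbound connection.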