During a late-night incident at an e-commerce site in Houston, Texas, analysts see bursts of...

The correct answer is D because the cs-uri-query field records the query portion of the requested URI, which is where appended attacker-supplied input typically appears. Microsoft’s IIS W3C logging documentation identifies cs-uri-query as the URI query field used to log the query string for dynamic requests. That is exactly the field investigators need when they want to isolate payloads appended to the URL and compare them against time-taken spikes or error bursts. The other fields do not provide the actual appended payload. sc-status records the HTTP status code, cs-method records the request method such as GET or POST, and cs-uri-stem captures only the path portion without the query string. CHFI v11 includes IIS web server architecture and logs as well as investigation of SQL injection and other web-based attacks, so candidates should know that malicious parameters are often preserved in the query component. When the forensic task is to inspect the exact strings appended to the URL, the proper IIS W3C field is cs-uri-query.