According to the CHFI v11 Operating System and Malware Forensics objectives, Windows Event ID 5156 is generated by the Windows Filtering Platform (WFP) and indicates that a network connection has been permitted. This event is highly valuable in malware investigations because it records detailed information about process-level network activity, which is a common indicator of compromise.
Event ID 5156 logs typically include:
Process name and Process ID (PID) that initiated the network connection
Source and destination IP addresses
Source and destination ports
Protocol used (TCP/UDP)
Direction of the connection (inbound or outbound)
CHFI v11 explicitly highlights the importance of Windows Security Event Logs in tracing malware behavior, especially for identifying command-and-control (C2) communications, data exfiltration attempts, and lateral movement. By analyzing Event ID 5156, investigators can directly correlate a specific executable or malicious process with external IP addresses, helping establish attacker infrastructure and timelines.
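To show how the fields listed above turn into the process-to-IP correlation described here, the following is an added example and not part of the CHFI material: a small Python parser over a constructed XML export of Security log records (the shape Event Viewer and wevtutil produce), which keeps only Event ID 5156, decodes the numeric Protocol and Direction values, groups outbound connections by process, and builds a chronological timeline of connections from each process to addresses outside the RFC 1918 ranges. The file paths, PIDs and IP addresses in the sample are made up; the EventData field names and the direction codes (%%14592 inbound, %%14593 outbound) follow how Windows renders this event.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML exports (Event Viewer "Save As XML", wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Numeric values found in the 5156 EventData fields.
PROTOCOLS = {"6": "TCP", "17": "UDP"}
DIRECTIONS = {"%%14592": "Inbound", "%%14593": "Outbound"}
# RFC 1918 ranges only; documentation addresses (203.0.113.0/24 etc.) used in the
# sample below are deliberately treated as "external" by this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: three 5156 events (one inbound, two outbound) plus one
# 5158 bind event that must be ignored. Paths, PIDs and addresses are placeholders.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>5156</EventID><TimeCreated SystemTime="2024-03-01T10:15:02.000Z"/></System>
<EventData>
<Data Name="ProcessID">4120</Data>
<Data Name="Application">\device\harddiskvolume2\users\alice\appdata\local\temp\updater.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">10.0.0.25</Data><Data Name="SourcePort">51234</Data>
<Data Name="DestAddress">203.0.113.10</Data><Data Name="DestPort">443</Data>
<Data Name="Protocol">6</Data>
</EventData></Event>
<Event><System><EventID>5156</EventID><TimeCreated SystemTime="2024-03-01T10:14:50.000Z"/></System>
<EventData>
<Data Name="ProcessID">4</Data>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">198.51.100.7</Data><Data Name="SourcePort">40001</Data>
<Data Name="DestAddress">10.0.0.25</Data><Data Name="DestPort">3389</Data>
<Data Name="Protocol">6</Data>
</EventData></Event>
<Event><System><EventID>5158</EventID><TimeCreated SystemTime="2024-03-01T10:14:59.000Z"/></System>
<EventData><Data Name="ProcessID">1200</Data></EventData></Event>
<Event><System><EventID>5156</EventID><TimeCreated SystemTime="2024-03-01T10:15:00.000Z"/></System>
<EventData>
<Data Name="ProcessID">1200</Data>
<Data Name="Application">\device\harddiskvolume2\windows\system32\svchost.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">10.0.0.25</Data><Data Name="SourcePort">60123</Data>
<Data Name="DestAddress">10.0.0.1</Data><Data Name="DestPort">53</Data>
<Data Name="Protocol">17</Data>
</EventData></Event>
</Events>"""


def parse_5156(xml_text):
    """Return one dict per Event ID 5156 record, decoded and sorted by time."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5156":
            continue  # other WFP events (5157 blocked, 5158 bind) are out of scope here
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "pid": int(fields["ProcessID"]),
            "application": fields["Application"],
            "direction": DIRECTIONS.get(fields["Direction"], fields["Direction"]),
            "src": (fields["SourceAddress"], int(fields["SourcePort"])),
            "dst": (fields["DestAddress"], int(fields["DestPort"])),
            "protocol": PROTOCOLS.get(fields["Protocol"], fields["Protocol"]),
        })
    return sorted(records, key=lambda r: r["time"])


def outbound_by_process(records):
    """Map (application, pid) -> set of (dest_ip, dest_port, protocol) for outbound flows."""
    summary = defaultdict(set)
    for r in records:
        if r["direction"] == "Outbound":
            summary[(r["application"], r["pid"])].add((r["dst"][0], r["dst"][1], r["protocol"]))
    return dict(summary)


def is_internal(ip):
    """True when the address falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_outbound_timeline(records):
    """Chronological (time, application, pid, 'ip:port/proto') for outbound flows leaving the private ranges."""
    rows = []
    for r in records:
        dst_ip, dst_port = r["dst"]
        if r["direction"] == "Outbound" and not is_internal(dst_ip):
            rows.append((r["time"], r["application"], r["pid"], f"{dst_ip}:{dst_port}/{r['protocol']}"))
    return rows


if __name__ == "__main__":
    recs = parse_5156(SAMPLE_XML)
    for proc, dests in outbound_by_process(recs).items():
        print(proc, sorted(dests))
    for row in external_outbound_timeline(recs):
        print(*row)
```

The timeline output is what an investigator would line up against other sources (Sysmon Event ID 3, proxy logs, 4688 process-creation records) to confirm which executable was responsible for a connection and when it first appeared; the 5156 record alone gives the process path, PID, addresses, ports, protocol and direction, nothing about the payload.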
The other options are incorrect because Event ID 5156 does not record credentials, file deletion paths, or registry modification details. Those artifacts are found in other event IDs or forensic sources such as registry hives, file system metadata, or Sysmon logs.
Therefore, the key forensic value of Event ID 5156 lies in revealing the process responsible for the network communication and the IP address it connected to, making Option D the correct and CHFI v11–verified answer.