The correct answer is C because the requirement is centralized and non-intrusive initial triage without touching the suspect endpoint. A SIEM platform is designed to collect, centralize, and analyze security data from across the environment, which makes it well suited to detecting unusual FTP transfer volumes or suspicious outbound transfer patterns at scale. That aligns closely with CHFI v11 objectives covering centralized logging, SIEM solutions, network forensics, and examination of data-exfiltration attempts. Option A requires direct review on the endpoint, which the scenario specifically wants to avoid. Option B is a containment action rather than a monitoring method and could disrupt evidence or business operations before triage is complete. Option D is intrusive and host-focused, again conflicting with the requirement for a centralized and non-endpoint method. In practical forensic terms, unusual aggregate FTP activity observed through centralized logging can quickly identify whether exfiltration is occurring, which systems are involved, and when the suspicious transfers began. For those reasons, monitoring aggregate FTP transfer volumes through a SIEM is the most appropriate first step.