According to the CHFI v11 curriculum under Network Forensics, investigators must be proficient in using packet sniffing tools to capture and analyze live network traffic. tcpdump is a widely used command-line packet analyzer that runs natively on Unix, Linux, and BSD-based systems. It captures packets in real time, applies BPF filter expressions (the same libpcap filter syntax Wireshark uses for capture filters), and saves traffic in PCAP format for offline analysis in tools such as Wireshark.
In forensic investigations, tcpdump is especially valuable because it provides low-level visibility into network communications, including source and destination IP addresses, ports, protocols, TCP flags, and payload data. This lets investigators detect suspicious behaviors such as unauthorized connections, port scans, malware command-and-control traffic, data exfiltration attempts, and denial-of-service activity. Two practical points matter for evidence quality: run tcpdump with -nn so the forensic workstation does not generate its own DNS and service-name lookups while capturing, and check the snapshot length (-s) so payloads are not silently truncated in the saved capture. CHFI v11 specifically highlights tcpdump as a core tool for network traffic investigation and evidence gathering in Unix-based environments.
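The following is an added example, not part of the CHFI material or of tcpdump itself. It shows what is inside a file written by `tcpdump -i eth0 -nn -w capture.pcap` (or read back with `tcpdump -nn -r capture.pcap`): a 24-byte global header, then one 16-byte record header per packet followed by the raw frame. The script parses that layout, prints each TCP packet in tcpdump's own notation, and applies the port-scan heuristic the paragraph describes: one source sending bare SYNs (SYN set, ACK clear) to many distinct ports on one host. The capture, the hosts 10.0.0.5, 10.0.0.7 and 10.0.0.10, and the threshold of five ports are all constructed for the example.

```python
"""Parse a classic PCAP file (the format tcpdump -w writes) and flag SYN scans.

The sample capture at the bottom is constructed in code so the example runs
offline; it is not a real capture.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, writer's native byte order
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def write_pcap(frames, base_ts=1700000000):
    """Serialise frames in the classic PCAP layout that tcpdump -w produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts, i * 1000, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (ts, src, dst, sport, dport, flags) for every IPv4/TCP record."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:       # same magic, written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a classic PCAP file: magic 0x%08x" % magic)
    if struct.unpack_from(order + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # truncated by snaplen, or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 20:
            continue                               # not TCP, or TCP header cut off
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13])


def format_packet(pkt):
    """Render one packet the way tcpdump prints it: Flags [S], [S.], [.] ..."""
    _ts, src, dst, sport, dport, flags = pkt
    letters = "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit)
    return "IP %s.%d > %s.%d: Flags [%s]" % (src, sport, dst, dport, letters)


def detect_syn_scans(packets, threshold=5):
    """Return {(src, dst): ports} where src sent bare SYNs to >= threshold distinct ports."""
    ports = defaultdict(set)
    for _ts, src, dst, _sport, dport, flags in packets:
        if flags & 0x12 == 0x02:                   # SYN set, ACK clear
            ports[(src, dst)].add(dport)
    return {k: v for k, v in ports.items() if len(v) >= threshold}


# Constructed sample: one host probing six ports, plus one normal three-way handshake.
SAMPLE_FRAMES = [build_frame("10.0.0.5", "10.0.0.10", 40000 + i, p, 0x02)
                 for i, p in enumerate((21, 22, 23, 25, 80, 443))]
SAMPLE_FRAMES += [
    build_frame("10.0.0.7", "10.0.0.10", 51000, 443, 0x02),   # SYN
    build_frame("10.0.0.10", "10.0.0.7", 443, 51000, 0x12),   # SYN-ACK
    build_frame("10.0.0.7", "10.0.0.10", 51000, 443, 0x10),   # ACK
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    pkts = list(iter_packets(SAMPLE_PCAP))
    for p in pkts:
        print(format_packet(p))
    for (src, dst), ports in detect_syn_scans(pkts).items():
        print("possible SYN scan: %s -> %s, %d ports: %s" % (src, dst, len(ports), sorted(ports)))
```

On a real capture the same bare-SYN condition can be applied at capture time with the tcpdump filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`, which keeps the evidence file small; the parser above is for understanding what such a file contains, and for real investigations the saved PCAP would be opened in Wireshark or re-read with tcpdump -r.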
The other options are incorrect. Metashield Analyzer is a document metadata analysis tool, not a packet capture tool; Timestomp is an anti-forensics tool used to manipulate file timestamps; and Billboard is not a recognized network forensic or packet sniffing tool.
The CHFI Exam Blueprint v4 emphasizes the importance of real-time packet capture tools for network investigations, making tcpdump the correct, forensically sound, and exam-aligned answer.