According to the CHFI v11 objectives under Web Application Forensics and Log Analysis , knowing the default storage locations of web server logs is essential for reconstructing web-based attacks. On Windows Server operating systems, Internet Information Services (IIS) stores its HTTP and HTTPS request logs by default in the directory:

%SystemDrive%\inetpub\logs\LogFiles

This directory contains subfolders such as W3SVC1, W3SVC2, etc., where each folder corresponds to a specific IIS website instance. The log files stored here record critical forensic details including client IP addresses, timestamps, HTTP methods, requested URLs, status codes, user agents, and referrers . These artifacts allow investigators to identify attack vectors such as SQL injection, command injection, directory traversal, brute-force attempts, and web shell uploads.

The other options are incorrect because they do not represent default IIS log locations. %AppData% is user-profile specific, %ProgramFiles% contains application binaries rather than logs, and %SystemRoot%\Logs\IIS is not a standard IIS logging path.

The CHFI Exam Blueprint v4 explicitly covers IIS web server architecture and log analysis , emphasizing familiarity with default log paths to ensure timely evidence acquisition and accurate incident reconstruction. Therefore, %SystemDrive%\inetpub\logs\LogFiles is the correct and exam-aligned answer