According to theCHFI v11 Network Forensics and Log Analysis objectives, monitoring authentication failures is a critical technique for detectingbrute-force and password cracking attacksagainst network services such as FTP. FTP servers communicate authentication outcomes using standardizedFTP response codes, which can be filtered and analyzed using tools likeWireshark.

The FTP response code530explicitly indicates“Not logged in”, which commonly occurs when a user providesinvalid credentials(incorrect username or password). During brute-force or password spraying attacks, repeated failed login attempts generate multiple530 response codes, making this filter highly effective for identifying malicious authentication activity.

In contrast,ftp.response.code == 230indicates asuccessful login, which is not relevant when tracking failed attempts. The532response code means that an account is required for login, not necessarily a password failure. The521response code indicates that the FTP service is unavailable, which reflects server-side issues rather than authentication failures.

CHFI v11 specifically emphasizes correlatingnetwork traffic patterns and protocol response codesto identify unauthorized access attempts and credential-based attacks. Filtering forftp.response.code == 530allows investigators to isolate failed authentication attempts accurately and build evidence of potential password cracking activity.

Therefore, the correct and CHFI-verified answer isftp.response.code == 530 (Option C).