Computer Hacking Forensic Investigator (CHFI) v11 Practice Test 2026 - Free CHFI Practice Questions and Study Guide

Idle scanning uses a zombie host to send probes to the target while you observe how the zombie’s IP identification field changes. For this to work well, the zombie should be relatively quiet so its IPID sequence isn’t muddied by a lot of normal traffic. If Windows machines in the same network are constantly talking, that background chatter can obscure the correlation between the probes you send (via spoofed packets) and the zombie’s responses. That makes the technique harder to interpret reliably. In that scenario, Linux/Unix-based machines are preferred because they tend to have less disruptive background traffic, giving a cleaner, more predictable IPID behavior for the idle scan to exploit.