Practice CHFI Application, Email and Cloud Forensics questions with full explanations on every answer.
Start practicing
Application, Email and Cloud Forensics — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?
2During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?
3A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?
4A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?
5Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?
6An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?
7A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?
8An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?
9In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?
10An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?
11During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?
12Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?
13Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)
14Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)
15Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)
16An analyst examining Apache access logs finds the following entry: 192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0". Which of the following attacks is MOST likely occurring?
17During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?
18A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?
19While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: <?php system($_GET['cmd']); ?>. Which of the following best describes this file?
20An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?
21A forensic analyst is examining a Microsoft Outlook PST file as part of an email investigation. Which tool is specifically designed to parse and analyze PST files and extract email metadata?
22In cloud forensics, one of the major challenges is that data may be stored in multiple jurisdictions with different legal requirements. This challenge is known as:
23An analyst finds the following entry in an IIS access log: 10.0.0.5, -, 10/10/2023, 14:30:22, W3SVC1, WEB01, 192.168.1.100, 80, GET, /login.aspx, 200, 0, 1234, 567, Mozilla/5.0+. Based on the log format, which field contains the HTTP status code?
24Which of the following tools is specifically designed to analyze email headers and track the path of an email, providing information about delays and potential spoofing?
25During a database forensic investigation, you need to review Microsoft SQL Server transaction logs to identify unauthorized data modifications. Which of the following SQL Server functions or commands is used to read the transaction log?
26An analyst is investigating a possible data exfiltration via email. The analyst notices that the email headers contain a DKIM-Signature field that is invalid. Which of the following does a failed DKIM check indicate?
27A forensic investigator needs to collect evidence from a Google Cloud Platform (GCP) environment. Which of the following GCP services provides audit logs for administrative activities and data access?
28Which TWO of the following are common indicators of a path traversal attack found in web server logs? (Select 2)
29Which THREE of the following are challenges specific to cloud forensics compared to traditional digital forensics? (Select 3)
30Which TWO of the following are valid email header fields that can be used to detect email spoofing? (Select 2)
31An analyst examines the following Apache access log entry: 192.168.1.10 - - [10/Jan/2023:13:45:22 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0". Which attack is MOST likely indicated?
32During a forensic investigation of a compromised web server, you find the following entry in the IIS log: 192.168.2.50, -, 10/Jan/2023, 14:32:15, W3SVC1, WEB01, 192.168.2.10, 80, POST, /uploads/shell.aspx, 200, 0, 0, 513, 0, Mozilla/4.0. Which action should the investigator prioritize?
33In a database forensic investigation, you recover a MySQL binary log with the following entry: #230110 13:45:22 server id 1 end_log_pos 123456 Query thread_id=100 exec_time=0 error_code=0 SET TIMESTAMP=1673358322; SELECT * FROM customers INTO OUTFILE '/tmp/export.csv';. What does this indicate?
34Which tool is specifically designed for parsing and analyzing email headers to trace the origin of an email and detect spoofing?
35An email header shows the following Received line: Received: from mail.example.com (192.168.1.1) by smtp.server.com (Postfix). The DKIM-Signature header is missing, and the X-Originating-IP header shows an IP address different from the sender's domain MX record. What is the MOST likely conclusion?
36During a cloud forensic investigation, you review AWS CloudTrail logs and find the following event: {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/attacker"},"requestParameters":{"instanceType":"t2.micro","imageId":"ami-0abcdef1234567890"},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d4e5f67890"}]}}}. What is the immediate forensic action?
37In Docker forensics, which command is used to view the command history of a container, including how it was built?
38A security analyst finds the following entry in the Apache access log: 10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0". Which attack was attempted?
39Which of the following email headers is used to verify the domain of the sending server and is commonly used for authentication to prevent spoofing?
40In cloud forensics, which AWS service logs API calls for governance, compliance, and operational auditing, and is the primary source for detecting unauthorized access?
41During a forensic investigation of a Microsoft SQL Server, you find the transaction log contains the following: LOP_BEGIN_XACT, LOP_INSERT_ROWS, LOP_COMMIT_XACT for a table named 'CreditCards', with a timestamp just before a known data breach. The log also shows a bulk insert operation. What does this indicate?
42In email forensics, which artifact is stored in Outlook's Personal Folders (.pst) files and can be analyzed using tools like Aid4Mail or EmailTracker?
43Which TWO of the following are common challenges specific to cloud forensics? (Select TWO)
44Which THREE of the following are indicators of a webshell in web server logs? (Select THREE)
45Which TWO of the following are valid methods to collect logs from Docker containers for forensic analysis? (Select TWO)
46A security analyst reviews an Apache access log and finds the entry: '192.168.1.10 - - [10/Mar/2025:08:12:34 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'. Which attack is indicated?
47Which email header field is MOST reliable for identifying the true origin of an email, assuming no header tampering occurred at the initial MTA?
48During a cloud forensic investigation, an analyst discovers that an AWS EC2 instance was used to launch an attack. The instance has been terminated. Which source is MOST likely to contain evidence of the commands executed on the instance?
49An analyst examining an Outlook PST file wants to recover deleted emails that are no longer visible in the Deleted Items folder. Which technique is MOST effective?
50A web server log shows the following request: 'GET /../../../../etc/passwd HTTP/1.1' with a 200 response code. The web server is running Apache on Linux. What attack has likely succeeded?
51Which cloud forensic challenge refers to the inability to physically access the storage media where data resides?
52A forensic analyst is investigating a Docker container that was used to launch a network attack. The container has been stopped but not removed. Which action should the analyst take FIRST to preserve volatile evidence?
53An email investigator receives a suspicious email and examines the headers. The 'Received-SPF: pass (google.com: domain of example.com designates 203.0.113.5 as permitted sender)' header is present. However, the 'From' address is 'admin@example.com' and the 'Return-Path' is 'admin@example.com'. What does this indicate?
54Which tool is specifically designed to analyze email headers and track the path of an email across multiple servers?
55A forensic analyst is investigating a MySQL database server breach. Which log is MOST useful for identifying a series of queries that exfiltrated data, assuming the attacker used a compromised application account?
56An analyst discovers a suspicious file named 'cmd.aspx' in the uploads directory of an IIS web server. Analysis reveals the file contains code to execute system commands. What is this file most likely?
57Which Azure log source should an investigator query to identify who deleted a virtual machine and when?
58A security analyst is investigating a phishing email and notices the DKIM-Signature header is present but fails validation. Which TWO actions should the analyst take?
59A cloud forensic investigator is analyzing a GCP audit log entry for a Compute Engine instance. Which THREE fields are essential for identifying the user and operation performed?
60A forensic analyst is examining a Docker container image for malware. Which TWO techniques can help analyze the image layers?
61During a forensic investigation of a compromised web server, an analyst examines the Apache access log and finds the following entry: '192.168.1.10 - - [12/Oct/2024:13:45:22 +0000] "GET /index.php?id=1 UNION SELECT username, password FROM users-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. What type of attack is MOST likely indicated?
62An email forensic analyst receives a suspicious email and examines the full headers. Which header field is the MOST reliable for determining the true originating IP address of the sender, assuming no spoofing of the header?
63In a Docker container forensics investigation, an analyst needs to examine the file system of a stopped container to look for malicious artifacts. Which command should the analyst run to create a recoverable snapshot of the container's file system without starting the container?
64A cloud forensic investigator is examining AWS CloudTrail logs for signs of unauthorized access to an S3 bucket. Which of the following CloudTrail event names would indicate a successful attempt to list the objects in the bucket?
65An investigator is analyzing a compromised MySQL database server. To determine the exact time and content of a suspect data exfiltration query, which MySQL log should be examined first, assuming it is enabled?
66A forensic analyst needs to extract email artifacts from a Microsoft Outlook .OST file that is associated with an Exchange account. Which tool is specifically designed to parse and analyze .OST files?
67During a forensic investigation of a Google Cloud Platform (GCP) environment, an analyst reviews Audit Logs and sees a log entry with the method 'storage.objects.list' and a principal email 'attacker@gmail.com'. However, the identity is not from the organization's domain. What should the analyst conclude?
68An investigator examines an email header and sees the following: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...'. The email claims to be from 'support@example.com', but the DKIM signature validation fails. Which of the following is the MOST likely cause?
69Which tool is commonly used to analyze email headers and trace the path of an email across servers by parsing 'Received' fields?
70In an Azure environment, a forensic analyst needs to identify which user assigned a specific role to another user, leading to privilege escalation. Which Azure log should the analyst examine?
71An analyst discovers a suspicious file named 'cmd.aspx' in the web root of an IIS server. The file contains ASPX code that executes system commands. The IIS logs show a POST request to '/cmd.aspx' with a 200 status code. Which type of attack is indicated?
72Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?
73Which TWO of the following are valid indicators of email spoofing when analyzing email headers?
74Which THREE of the following are challenges specific to container forensics?
75Which TWO of the following are appropriate techniques for identifying a webshell on a compromised web server?
76An analyst reviews an Apache access log entry: '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. Which attack does this log entry most likely indicate?
77Which email header field is used to verify that an email was sent by the authorized mail server for the domain and has not been tampered with, using cryptographic signatures?
78A forensic investigator examining a compromised Linux server finds a base64-encoded string in the Apache access log: 'GET /cgi-bin/test.cgi?cmd=ZWNobyAiPD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/PiI+...' After decoding, the string contains a PHP webshell. Which of the following is the MOST effective method to confirm the webshell was executed on the server?
79During a cloud forensic investigation, an analyst needs to identify who deleted an S3 bucket in an AWS environment. Which AWS service log should the analyst examine to find the API call and the associated IAM user or role?
80An email forensic analyst receives a suspicious email and wants to verify the originating IP address. The analyst extracts the email headers and sees multiple 'Received' fields. Which 'Received' header should the analyst consider as the most trustworthy source of the sender's IP?
81Which tool is specifically designed to extract and analyze metadata from email messages, including headers, attachments, and embedded objects, for forensic investigations?
82A forensic examiner is investigating a Docker container suspected of being used for malicious activity. Which of the following is the BEST approach to collect volatile evidence from the container without altering its state?
83During an investigation of a web application breach, an analyst reviews IIS logs and finds numerous entries with status code '200' and URIs containing '?cmd=' followed by encoded strings. The analyst also notices that some requests have a 'User-Agent' string resembling 'Microsoft-CryptoAPI/10.0'. What is the MOST likely conclusion?
84An investigator needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which of the following tools is specifically designed for parsing and extracting emails, attachments, and metadata from PST files in a forensically sound manner?
85In the context of cloud forensics, what is the primary challenge associated with volatile evidence in Infrastructure as a Service (IaaS) environments?
86An analyst is investigating a data exfiltration incident. The MySQL transaction logs show a series of unusual SELECT queries retrieving large amounts of data from the 'customers' table, executed by a user account 'webapp'. What should the analyst check NEXT to determine if the data was actually exfiltrated?
87A forensic investigator is analyzing a compromised web server. In the Apache access logs, the investigator finds the following request: 'GET /images/../../../etc/passwd HTTP/1.1' with a 200 status code. Which of the following is the MOST likely reason the server returned a 200 (OK) response?
88A forensic analyst is examining a Google Cloud Platform (GCP) environment after a security incident. Which TWO GCP services should the analyst use to audit API activity and resource changes? (Select TWO.)
89In an email forensics investigation, which THREE indicators suggest that an email is likely spoofed? (Select THREE.)
90A security analyst is investigating a potential container escape from a Docker container. Which THREE artifacts should the analyst collect to analyze the incident? (Select THREE.)
91A security analyst reviews Apache access logs and finds the following entry: `192.168.1.10 - - [12/Jul/2024:10:15:30 -0400] "GET /search.php?q=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 5321 "-" "Mozilla/5.0"`. Which attack technique is most likely being attempted?
92During an email forensics investigation, an analyst examines headers and sees `Received: from mail.evil.com (192.168.1.100) by mail.victim.com` followed by `DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=selector; bh=...; h=...; b=...`. The email claims to be from support@paypal.com. Which finding is the strongest indicator of spoofing?
93Which tool is specifically designed to extract and analyze email metadata, including headers, from various email client formats such as PST and OST files?
94A forensic analyst is investigating a suspected data exfiltration from a MySQL database. Which log source would be MOST useful to identify the exact SQL queries executed, including SELECT statements that retrieved large volumes of data?
95In an AWS environment, a security analyst detects unusual API calls that created several IAM users with administrative privileges from an unfamiliar IP address. Which AWS service log should be examined first to identify the specific API calls and the IAM user that made them?
96Which of the following is a unique challenge in cloud forensics compared to traditional digital forensics?
97During a Docker forensics investigation, an analyst needs to identify the commands executed within a deleted container. Which of the following approaches is MOST effective to retrieve this information?
98An IIS log entry shows: `2024-07-15 14:22:10 10.0.0.5 GET /../../windows/system32/cmd.exe 404 - Mozilla/5.0`. What attack technique does this log entry indicate?
99In an email header, which field typically contains the IP address of the original sending client?
100A forensic investigator finds a suspicious file named `cmd.aspx` in the web root of a compromised IIS server. The file contains code that accepts command input via HTTP GET parameters and executes it on the server. What is the MOST likely classification of this file?
101In a Google Cloud Platform (GCP) environment, a forensic investigator needs to determine who deleted a Cloud Storage bucket and when. Which log type should be queried to obtain this information?
102Which of the following email authentication protocols uses a digital signature to verify the sender's domain and that the email has not been tampered with?
103A forensic analyst is examining Azure Activity Logs for signs of privilege escalation. Which TWO of the following activities would be MOST indicative of an attacker attempting to escalate privileges? (Choose two.)
104During a forensic analysis of a compromised web server, an investigator identifies the following log entries. Which THREE entries are the strongest indicators of a successful web shell upload? (Choose three.)
105An investigator is analyzing email headers and notices the following: The 'Received' headers show a path through multiple servers, the 'DKIM-Signature' domain matches the sender domain, and 'X-Originating-IP' is present. Which TWO pieces of information are MOST useful to trace the original sender's IP address? (Choose two.)
106A security analyst reviews the following Apache access log entry: 192.168.1.10 - - [15/May/2025:10:15:23 +0000] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0". Which type of attack is most likely indicated?
107During a forensic investigation of a compromised web server, you find a file named 'cmd.aspx' in the uploads directory. The file contains: <%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c "+Request.QueryString["cmd"])).StandardOutput.ReadToEnd(); %>. What is the most likely purpose of this file?
108In MySQL forensics, which log file is most commonly used to detect unauthorized data exfiltration or changes to database records?
109Which email header field is specifically used to verify that an email was not tampered with during transit and is signed by the sender's domain?
110An investigator needs to parse and analyze a Microsoft Outlook personal folders file (.pst). Which tool is specifically designed for this purpose?
111In cloud forensics, which AWS service provides a centralized log of API calls made by users and services, often used to investigate unauthorized access or configuration changes?
112A forensic analyst is examining a Docker container that was used to launch a DDoS attack. Which layer of a Docker image is most likely to contain the attacker's malicious scripts?
113Which of the following is a primary challenge in cloud forensics due to shared infrastructure?
114An analyst finds the following string in an IIS log: %3Cscript%3Ealert('XSS')%3C/script%3E. What does this indicate?
115Which tool is specifically designed to extract metadata from email messages, including tracking the route and identifying the originating IP address?
116In an email header, an analyst notices the following: 'Received: from mail.attacker.com (192.168.2.100) by mail.victim.com (Postfix) with ESMTP id ABC123 for <user@victim.com>; ...'. The 'From' address appears as 'ceo@victim.com'. Which type of attack is most likely?
117Which cloud service's audit logs would an investigator examine to identify who deleted a virtual machine in an Azure subscription?
118Which TWO of the following are indicators of a webshell on a web server? (Select TWO.)
119Which THREE of the following are challenges specific to container forensics? (Select THREE.)
120In email forensics, which TWO of the following headers are most useful for identifying the true origin of an email? (Select TWO.)
121A security analyst is reviewing Apache access logs and finds the entry: 192.168.1.100 - - [10/Mar/2025:08:12:34 +0000] "GET /search?q=test' OR '1'='1 HTTP/1.1" 200 532. Which attack does this log entry most likely indicate?
122During an investigation of a suspected data exfiltration, a forensic analyst examines MySQL general query logs and finds a large number of SELECT queries retrieving customer records, followed by DELETE queries. Which of the following is the most likely conclusion?
123An incident responder is analyzing a compromised web server and finds a file named 'cmd.aspx' in the uploads directory. The file contains ASP.NET code that accepts commands via the 'cmd' parameter and executes them on the server. Which of the following best describes this artifact?
124An email forensic analyst receives a suspicious email and wants to trace its origin. Which email header field provides the most reliable information about the IP address of the sending SMTP server?
125During a cloud forensics investigation of an AWS environment, an analyst extracts CloudTrail logs and notices many events with the error code 'AccessDenied' for a specific IAM user attempting to list an S3 bucket. Which of the following is the most appropriate next step?
126A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?
127A forensic analyst is reviewing Microsoft IIS logs and finds the entry: 192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404. Which attack technique is indicated by the encoded characters in the URI?
128Which of the following tools is specifically designed for parsing and analyzing email headers to detect spoofing and trace the origin of an email?
129In an Azure environment, an investigator needs to review actions performed by a specific user over the past 30 days. Which Azure service provides the necessary audit logs for this purpose?
130A forensic analyst is examining a PST file extracted from a suspect's computer. The analyst wants to recover deleted emails that are no longer visible in the Outlook folder hierarchy. Which approach is most effective?
131Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?
132During a database forensic investigation, a MSSQL transaction log analysis reveals a series of INSERT statements that added records to a customer table, followed by a TRUNCATE TABLE statement. What does this pattern most likely indicate?
133A forensic analyst is investigating a web application that was defaced. The Apache access logs show the following entries: (1) GET /cgi-bin/test.cgi HTTP/1.1 with status 200, (2) POST /cgi-bin/test.cgi HTTP/1.1 with status 200, (3) GET /index.html HTTP/1.1 with status 200, (4) GET /images/ HTTP/1.1 with status 301. Which TWO log entries are most suspicious and indicate a likely attack vector?
134An email investigation reveals that a phishing email was sent from a domain that uses DKIM and SPF. The email headers contain: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...' and 'Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)'. Which TWO conclusions can be drawn?
135A security analyst is investigating a potential data breach in a GCP environment. The analyst reviews the GCP audit logs and finds the following events: (1) A service account was granted the 'roles/storage.objectAdmin' role on a storage bucket containing sensitive data, (2) The service account then listed objects in the bucket, (3) The service account downloaded several objects. Which THREE actions should the analyst take immediately?
136A security analyst reviewing Apache access logs finds entries like: 192.168.1.10 - - [12/Jan/2023:15:23:11 +0000] "GET /search?q=1' OR '1'='1 HTTP/1.1" 200 5324. What attack is indicated?
137Which tool is specifically designed to analyze email headers, track the path of an email, and extract metadata such as originating IP and authentication results?
138During a cloud forensics investigation, an analyst examines AWS CloudTrail logs and finds an event with "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"}. What does the 'i-0abcd1234efgh5678' portion most likely represent?
139An email header contains the following line: "Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500". The next Received line shows a different IP. What does this indicate?
140In Docker forensics, which of the following commands would you use to inspect the history of an image, including the commands that created each layer?
141An investigator needs to recover deleted emails from a Microsoft Outlook PST file. Which forensic technique is most appropriate?
142A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?
143Which cloud service log is most appropriate for tracking API calls and resource changes in an AWS environment?
144A forensic analyst is examining MySQL binary logs to identify a data exfiltration event. Which TWO fields are most critical for reconstructing the stolen data?
145An Azure Activity Log shows a suspicious 'Delete Virtual Machine' operation from an IP address in a foreign country. Which THREE actions should the forensic investigator take immediately to preserve evidence and assess impact?
146A security analyst notices repeated entries in an IIS log: 10.0.0.2, -, 05/Feb/2023:08:12:34 +0000, GET /../../windows/system32/config/sam, 404, 0, 532. Which TWO of the following attack types are indicated by this log entry?
147Which TWO tools are commonly used for email forensic analysis and metadata extraction?
148A Docker container is suspected of malicious activity. Which THREE data sources should the investigator collect for forensic analysis?
149A GCP audit log shows a project owner granted 'iam.serviceAccountUser' role to a service account from a different project. Which TWO potential security implications should the investigator prioritize?
150Which TWO of the following are common challenges specific to cloud forensics?
151A security analyst is reviewing Apache access logs and finds repeated requests to /index.php?id=1' OR '1'='1. Which type of attack is MOST likely being attempted?
152During a forensic investigation of a compromised web server, an analyst finds the following entry in the IIS access log: 192.168.1.5, -, 04/May/2024:14:23:11, GET /scripts/..%5c../windows/system32/cmd.exe, 200. What is the probable attack vector?
153An email forensic investigator examines a suspicious email and notices the following header: Received: from mail.evil.com (192.168.1.100) by mail.company.com. The DKIM-Signature header fails verification. What does this indicate?
154Which TWO of the following are common challenges in cloud forensics that are not typically encountered in traditional on-premises forensics?
155An incident response team is investigating a breach involving a Docker container. Which THREE of the following actions should the team take to preserve forensic evidence?
The Application, Email and Cloud Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 155 questions in the Application, Email and Cloud Forensics domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Application, Email and Cloud Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included