Practice CHFI Computer Forensics Fundamentals and Process questions with full explanations on every answer.
1. A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?
2. During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. What is the primary purpose of using a hardware write blocker?
3. A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?
4. During a forensic investigation, an analyst creates a forensic image using `dcfldd` with the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=10M`. What is the purpose of the `hashwindow` parameter?
5. What is the primary goal of the chain of custody in a digital forensic investigation?
6. A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?
7. During a forensic investigation, a first responder notices that a computer is running and suspects that volatile data may be present. According to best practices, what should the responder do to preserve the most volatile data first?
8. Which of the following best describes the 'Best Evidence Rule' as it applies to digital evidence?
9. An organization receives a legal hold notice regarding pending litigation. The IT department is instructed to preserve all relevant electronically stored information. What is the primary action the IT department should take?
10. A forensic analyst is examining a hard drive that was imaged using a software write blocker. Which of the following is a potential disadvantage of using a software write blocker compared to a hardware write blocker?
11. Which of the following is an example of Locard's Exchange Principle as applied to digital forensics?
12. In the context of the US Fourth Amendment, what is typically required for law enforcement to seize a computer for forensic examination?
13. Which TWO of the following are essential steps that a first responder should take when arriving at a digital crime scene? (Select TWO)
14. Which THREE of the following are considered rules of evidence that digital evidence must satisfy to be admissible in court? (Select THREE)
15. Which TWO of the following are valid justifications for a first responder to power off a computer at a crime scene? (Select TWO)
16. What is the primary goal of computer forensics?
17. Which principle states that every contact leaves a trace?
18. A first responder arrives at a crime scene where a computer is turned on. What should the responder do FIRST?
19. During a forensic investigation, an analyst creates a bit-for-bit copy of a suspect's hard drive using the 'dd' command with the following parameters: dd if=/dev/sda of=/evidence/image.dd bs=4k conv=noerror,sync. What is the purpose of 'conv=noerror,sync'?
20. Which type of evidence is a witness's statement that they saw someone log into a computer?
21. A forensic analyst needs to collect evidence from a running Windows system without altering the system state. Which tool should they use to acquire volatile memory?
22. During an investigation, an analyst creates a forensic image of a hard drive using FTK Imager and computes the MD5 hash of the image. Later, the hash is re-computed and found to match. What does this confirm?
23. A security analyst discovers unauthorized access to a server. The incident response team decides to preserve evidence. Which of the following actions is MOST critical to ensure the admissibility of evidence in court?
24. In a UK-based investigation, the police seize a computer without a warrant. The suspect's lawyer argues that the evidence is inadmissible because it violates which law?
25. An analyst runs 'dcfldd if=/dev/sdb of=/evidence/disk.dd hash=sha256 hashlog=/evidence/hash.log' on a Linux system. What is the primary advantage of using dcfldd over plain dd for forensic imaging?
26. Which of the following BEST describes the purpose of a legal hold in e-discovery?
27. A forensic examiner uses a hardware write blocker when imaging a suspect's hard drive. What is the primary function of a hardware write blocker?
28. Which TWO of the following are requirements for evidence to be admissible in court? (Select two.)
29. Which THREE of the following are steps in the forensic investigation process? (Select three.)
30. Which TWO of the following are types of write blockers used in forensic imaging? (Select two.)
31. A first responder arrives at a scene where a computer is powered on and the user is present. According to standard forensic first responder procedures, what should the responder do FIRST?
32. During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. Which of the following is the PRIMARY reason for using a write blocker?
33. A forensic analyst creates a forensic image of a hard drive using the dd command: dd if=/dev/sda of=/evidence/image.dd bs=4096 conv=noerror,sync. What is the purpose of the 'conv=noerror,sync' option?
34. In a UK-based investigation under the Police and Criminal Evidence Act (PACE), a forensic examiner is asked to seize computers from a business premises. Which of the following actions is MOST compliant with PACE requirements?
35. Which of the following BEST defines the chain of custody in digital forensics?
36. A security analyst notices that a log file on a Linux server shows repeated failed SSH login attempts from an external IP address, but no successful login from that IP. However, the /var/log/auth.log file has been recently truncated. Which type of evidence is the truncated log file?
37. During an e-discovery process, a legal hold is issued. What is the PRIMARY purpose of a legal hold?
38. A forensic investigator uses FTK Imager to create a forensic image of a suspect's laptop. The acquisition generates both an E01 file and a corresponding hash file. Which statement accurately describes the integrity verification process in FTK Imager?
39. According to Locard's exchange principle, which of the following is MOST relevant to digital forensics?
40. In the context of US Fourth Amendment protections, which of the following scenarios would likely require a search warrant for a forensic examiner to legally seize and analyze a computer?
41. An investigator creates a forensic image using dcfldd with the following command: dcfldd if=/dev/sdb of=image.dd hash=sha256 hashwindow=10M hashlog=hash.txt. What is the effect of the 'hashwindow=10M' parameter?
42. Which of the following is a key requirement for digital evidence to be considered admissible in court?
43. Which TWO of the following are essential duties of a first responder at a digital crime scene? (Select two.)
44. Which THREE of the following correctly describe the rules of evidence as applied to digital forensics? (Select three.)
45. Which TWO of the following are valid reasons for using a hardware write blocker over a software write blocker? (Select two.)
46. A first responder arrives at a suspected intrusion scene. A desktop computer is powered on and logged in. The user claims they saw suspicious files being copied to a USB drive. Which of the following should the first responder do FIRST?
47. Which of the following is the BEST definition of computer forensics?
48. An analyst performs forensic imaging using the command: dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt bs=4096 conv=noerror,sync. What is the PRIMARY purpose of the 'hash=sha256' and 'hashlog=hash.txt' parameters?
49. During a forensic investigation, a lawyer objects to the admissibility of a log file on the grounds that it is hearsay. Which of the following is the BEST argument to overcome this objection?
50. An investigator needs to acquire data from a suspect's hard drive without altering any data. Which tool is MOST appropriate to ensure write-blocking at the hardware level?
51. What is the PRIMARY purpose of a chain of custody document in a forensic investigation?
52. An organization receives a legal hold notice for a civil lawsuit. An employee later deletes relevant emails from their mailbox. Which legal principle is MOST likely violated?
53. A forensic investigator uses the 'dd' command to create a forensic image. The original drive has a SHA-256 hash of a1b2c3... and the image produces the same hash. Which rule of evidence does this satisfy?
54. According to Locard's exchange principle, which of the following is TRUE in a digital forensic context?
55. During a forensic examination of a Windows system, the investigator finds a file named 'notes.txt' that contains a list of passwords. The file's last modified timestamp is before the incident date, but its last accessed timestamp is during the incident. Which type of evidence is this file considered?
56. An organization in the UK suspects an employee of data theft. The IT manager wants to search the employee's company-issued laptop without consent. Which law primarily governs this action?
57. An investigator needs to testify in court as an expert witness. Which of the following qualifications is MOST important for the court to accept their testimony?
58. Which TWO of the following are essential components of the forensic investigation process? (Select two.)
59. Which THREE of the following are valid rules of evidence that digital evidence must satisfy to be admissible in court? (Select three.)
60. Which TWO of the following are types of evidence recognized in legal proceedings? (Select two.)
61. A security analyst arrives at a crime scene where a computer is turned on and the screen shows a document. What is the FIRST action the analyst should take according to forensic best practices?
62. During a forensic investigation, a junior analyst suggests using a software write blocker to image a suspect's hard drive. Which of the following is the PRIMARY concern with relying solely on a software write blocker in a high-stakes legal case?
63. A forensic investigator is documenting evidence for a case. What is the PRIMARY purpose of maintaining an unbroken chain of custody for digital evidence?
64. During a forensic examination, an analyst runs `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=1G` on a suspect drive. What is the PRIMARY advantage of using `hashwindow=1G` over a single hash at the end?
65. In a corporate investigation, legal counsel issues a litigation hold to preserve electronically stored information (ESI) relevant to a lawsuit. Which of the following is the BEST description of a litigation hold?
66. Locard's exchange principle is fundamental to forensic science. How does this principle apply to computer forensics?
67. A forensic examiner needs to acquire an image of a suspect's laptop hard drive. The laptop is running, and the examiner wants to capture volatile data first. According to best practices, which order of steps should the examiner follow?
68. During an investigation, an analyst uses `dd if=/dev/sdb of=evidence.img bs=4k conv=noerror,sync`. What is the purpose of the `conv=noerror,sync` option?
69. Which US Constitutional amendment primarily governs the legality of searching and seizing digital devices?
70. A forensic analyst is testifying in court as an expert witness. What is the PRIMARY role of an expert witness in digital forensics?
71. In the context of e-discovery, what does the 'best evidence rule' require regarding digital documents?
72. A first responder arrives at a scene where a computer is suspected to contain evidence of fraud. The computer is turned on and a file is open. Which of the following actions should the responder AVOID?
73. Which TWO of the following are essential components of the rules of evidence for digital evidence to be admissible in court? (Choose two.)
74. Which THREE of the following are considered types of evidence under the rules of evidence? (Choose three.)
75. Which TWO of the following hashing algorithms are commonly used to verify the integrity of forensic images? (Choose two.)
76. A first responder arrives at a scene where a computer is turned on and a user is logged in. What is the FIRST action the responder should take to preserve volatile evidence?
77. During a forensic investigation, an analyst uses a tool to create a bit-for-bit copy of a hard drive while ensuring the original is not modified. Which of the following is a hardware write blocker that can be used for this purpose?
78. A security analyst responds to a suspected data breach. The analyst documents the scene, photographs the computer, and labels the cables. Which phase of the forensic investigation process is being performed?
79. During a forensic examination, an analyst uses the command 'dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt'. What is the primary purpose of including 'hash=sha256' in this command?
80. In a legal context, which rule of evidence requires that the evidence presented be sufficient to prove a fact and not be misleading?
81. What is the primary purpose of maintaining a chain of custody during a forensic investigation?
82. A forensic analyst is preparing to acquire an image from a suspect's hard drive. The analyst connects the drive to a write blocker, then uses FTK Imager to create a forensic image. Which hashing algorithm is commonly used by FTK Imager to verify image integrity?
83. An investigator seizes a computer that was involved in a crime. The suspect claims that the evidence was planted. Which forensic principle best helps to refute this claim by demonstrating that the evidence could only have been left by the suspect?
84. Under the US Fourth Amendment, when is a warrant generally NOT required for a computer search and seizure?
85. An expert witness is preparing to testify in a computer forensics case. Which of the following is a key requirement for the expert's testimony to be admissible under the Daubert standard?
86. A company receives a legal hold notice regarding a lawsuit. What immediate action should the company take to comply?
87. During a forensic investigation, an examiner finds a log entry: 'User JohnDoe accessed file contract.pdf at 10:32:45 AM'. This log is considered which type of evidence?
88. Which TWO of the following are legal frameworks or regulations that govern search and seizure of digital evidence in the United Kingdom?
89. Which THREE of the following are best practices for a first responder when arriving at a computer crime scene?
90. Which TWO of the following are considered types of evidence under the rules of evidence?
91. What is the primary goal of computer forensics?
92. During the first response to a computer incident, which of the following actions is MOST critical for preserving evidence?
93. Which type of evidence is based on information that is not directly from an eyewitness but is reported by someone else?
94. A first responder arrives at a scene where a computer is on and logged in. There is a suspicion that the system contains volatile data that may be crucial to the investigation. According to best practices, what should the first responder do?
95. In a UK-based investigation, which legal framework governs the search and seizure of digital evidence?
96. Which of the following is the BEST description of Locard's exchange principle as applied to digital forensics?
97. A forensic examiner needs to create a bit-for-bit copy of a suspect's hard drive for analysis. Which tool is specifically designed for this purpose and can also verify integrity using hashing?
98. During a forensic investigation, the examiner uses a write blocker to connect the suspect drive to the forensic workstation. What is the PRIMARY purpose of using a write blocker?
99. Which hashing algorithm is commonly used in forensic imaging to verify the integrity of evidence and is considered more secure than MD5?
100. An organization receives a legal hold notice regarding a pending lawsuit. The IT department is instructed to preserve all relevant electronically stored information (ESI). Which of the following actions must be taken FIRST?
101. A forensic analyst is preparing to testify as an expert witness in court. Which of the following characteristics is MOST essential for the court to accept the analyst's testimony?
102. During an e-discovery process, a forensic examiner encounters a hard drive that is encrypted using BitLocker. The examiner has a valid password to unlock the drive. Which of the following is the MOST appropriate action to acquire the data while maintaining the chain of custody?
103. Which TWO of the following are essential components of chain of custody documentation?
104. A first responder arrives at a crime scene where a computer is running. Which THREE actions should the first responder take to preserve volatile evidence?
105. Which TWO of the following are hardware write blockers commonly used in forensic acquisitions?
106. A first responder arrives at a crime scene where a computer is powered on and displaying a desktop. According to best practices, which of the following actions should the responder take FIRST?
107. During a forensic investigation, an analyst acquires a hard drive using a hardware write blocker. Which of the following is the PRIMARY reason for using a hardware write blocker?
108. After collecting digital evidence from a suspect's computer, the forensic examiner creates a forensic image using FTK Imager. The examiner then computes the MD5 hash of the original drive and the image file. Which of the following BEST describes the purpose of this hashing?
109. An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT administrator is instructed to preserve all relevant electronic records. Which of the following actions is MOST consistent with proper legal hold implementation?
110. Which of the following principles states that when two objects come into contact, there is a transfer of material between them?
111. During a forensic investigation, the analyst needs to create a forensic image of a hard drive that also hashes the data during acquisition. Which command-line tool would be MOST appropriate for this task?
112. In a UK-based investigation, law enforcement officers seize a computer without a warrant. The suspect argues the seizure violated his rights under the Police and Criminal Evidence Act 1984 (PACE). Which of the following is a key consideration under PACE regarding the admissibility of the seized evidence?
113. A forensic analyst is testifying as an expert witness in court. The opposing counsel challenges the analyst's testimony based on the Frye standard. What does the Frye standard require for scientific evidence to be admissible?
114. During a forensic examination, the analyst encounters a file that is not automatically readable by forensic tools. The analyst suspects the file contains contraband images. Which of the following is the BEST approach to handle this evidence in accordance with the rules of evidence?
115. Which of the following BEST describes the chain of custody in digital forensics?
116. A company's legal department issues a legal hold notice for electronically stored information (ESI) related to a pending lawsuit. The IT department is tasked with preserving data. Which of the following actions is MOST likely to violate the legal hold requirements?
117. An investigator is examining a Windows system and needs to capture volatile data without altering the system. Which of the following tools would be MOST appropriate for acquiring the contents of RAM?
118. Which TWO of the following are considered forms of evidence under the rules of evidence? (Select two.)
119. Which THREE of the following are essential steps in the digital forensics investigation process? (Select three.)
120. Which TWO of the following are common hashing algorithms used to verify the integrity of forensic images? (Select two.)
121. During a forensic investigation, the first responder arrives at a scene where a computer is powered on and a user is logged in. Which of the following is the MOST appropriate initial action?
122. A forensic analyst is creating a forensic image of a suspect's hard drive using a write blocker. Which of the following BEST describes the purpose of using a hardware write blocker?
123. During a forensic investigation, an analyst uses the following command: dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync. What is the effect of the conv=noerror,sync option?
124. Which of the following is the BEST example of direct evidence in a computer forensics investigation?
125. A forensic investigator is required to testify in court about the findings of a digital investigation. Which of the following roles does the investigator fulfill?
126. During an investigation, a forensic analyst must preserve a hard drive that is part of a RAID array. Which of the following is the MOST appropriate method to preserve the evidence?
127. A forensic examiner is presented with evidence that a suspect's computer was used to commit a fraud. The defense argues that the evidence was obtained without a warrant. Which US Constitutional Amendment is MOST relevant to this argument?
128. Which of the following tools is specifically designed for forensic imaging and can create compressed, segmented, or E01 format images?
129. Locard's exchange principle in digital forensics states that:
130. A legal hold is issued by an organization's legal department. What is the primary purpose of a legal hold?
131. During a forensic investigation, the analyst needs to verify the integrity of a forensic image. The analyst originally computed MD5 and SHA-1 hashes of the source drive. Which action BEST ensures the image has not been altered?
132. In the context of the UK Police and Criminal Evidence Act (PACE), which of the following is a key requirement for the admissibility of digital evidence?
133. Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO.)
134. Which THREE of the following are rules of evidence that must be satisfied for digital evidence to be admissible in court? (Select THREE.)
135. Which TWO of the following are considered best practices for a first responder at a digital crime scene? (Select TWO.)
136. A first responder arrives at a suspected data breach scene. The system is powered on and a user is logged in. Which of the following actions should the responder take FIRST to preserve volatile data?
137. Which of the following is the PRIMARY purpose of using a write blocker in computer forensics?
138. During a forensic examination, an analyst runs the following command: 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4k conv=noerror,sync'. The source drive has bad sectors. What is the effect of the 'conv=noerror,sync' option?
139. An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT department is instructed to preserve all relevant electronic data. Which of the following actions should be taken FIRST to comply with the legal hold?
140. Which of the following BEST describes Locard's exchange principle as applied to digital forensics?
141. A forensic analyst needs to create a forensic image of a suspect's hard drive using FTK Imager. Which of the following image formats is MOST appropriate for maintaining evidence integrity and allowing compression?
142. During an internal investigation, an employee is suspected of leaking sensitive data. The security team finds that the employee's computer has been turned off. Which of the following evidence types would be LOST due to the system being powered off?
143. A forensic examiner needs to verify the integrity of a forensic image after acquisition. Which of the following methods is the MOST reliable for ensuring the image has not been altered?
144. Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)
145. According to the US Fourth Amendment, which of the following THREE conditions generally allow law enforcement to search and seize digital evidence without a warrant? (Select THREE)
146. Which TWO of the following are examples of circumstantial evidence in a digital forensics investigation? (Select TWO)
147. A forensic examiner is preparing to testify as an expert witness. Which THREE of the following qualities are essential for the examiner's testimony to be admissible under the Daubert standard? (Select THREE)
148. Which TWO of the following are BEST practices when using a hardware write blocker during forensic acquisition? (Select TWO)
149. In the context of e-discovery, which THREE of the following are key steps in the Electronic Discovery Reference Model (EDRM)? (Select THREE)
150. Which TWO of the following are valid reasons for a first responder to power off a computer system at a crime scene? (Select TWO)
151. A security analyst arrives at a suspected computer crime scene. The computer is on and a user is logged in. The analyst needs to preserve volatile data. According to first responder duties, what should the analyst do FIRST?
152. During a forensic examination, an analyst uses the command 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync'. What is the primary purpose of the 'conv=noerror,sync' option in this context?
153. Which of the following is the BEST definition of Locard's exchange principle in computer forensics?
154. Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)
155. A forensic examiner has acquired a disk image using FTK Imager and needs to ensure the image is an exact duplicate of the original drive. Which THREE of the following methods can be used to verify integrity? (Select THREE)
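Many of the questions above (numbers 4, 19, 25, 33, 41, 48, 53, 64, 68, 79, 123, 131, 138, 143, 152 and 155) turn on what `conv=noerror,sync`, `hash=`/`hashlog=` and `hashwindow=` actually do to the bytes of an image and to the hash that gets logged. The Python below is an added example written for this page; it is not code from the question bank and not dd or dcfldd itself. It re-implements those semantics over a constructed in-memory "device" so the behaviour can be run and checked offline. `FlakyDevice`, `SAMPLE_DATA` and `BAD_SECTOR` are assumptions standing in for a real drive and a real unreadable sector.

```python
"""Model of forensic imaging with dd/dcfldd semantics (added example, not page tooling).

Re-implements in pure Python the options the practice questions ask about:
  conv=noerror,sync -> on a read error keep going and write a NUL-filled block of
                       the same size, so the image stays byte-aligned with the source
  hash=sha256       -> hash the bytes that were actually written to the image
  hashwindow=N      -> additionally record one hash per N-byte chunk of the output
The "device" is a constructed in-memory byte string in which chosen sectors are
marked unreadable; that is an assumption standing in for real bad sectors.
"""
import hashlib

SECTOR = 512   # logical sector size of the simulated device
BS = 4096      # dd block size, as in bs=4096 (eight sectors per read)

# Constructed sample: 64 KiB of deterministic, non-repeating data (16 blocks of 4096).
SAMPLE_DATA = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(2048))
BAD_SECTOR = 37   # lies inside block 4, i.e. image bytes 16384..20479


class FlakyDevice:
    """Block device backed by bytes; any read that touches a bad sector fails whole."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = frozenset(bad_sectors)

    @property
    def size(self) -> int:
        return len(self.data)

    def read(self, offset: int, length: int) -> bytes:
        first = offset // SECTOR
        last = (min(offset + length, self.size) - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(f"I/O error, sectors {first}-{last}")
        return self.data[offset:offset + length]


def acquire(dev, bs=BS, noerror_sync=True, algo="sha256", hashwindow=None):
    """Image dev block by block. Returns (image, final_hex, windows, error_offsets).

    windows is a list of (start, end, hex) covering the output, like a dcfldd
    hashlog written with hashwindow=N; error_offsets are byte offsets where a
    read failed. algo="md5" reproduces the MD5 workflow in the FTK Imager questions.
    """
    out = bytearray()
    errors = []
    offset = 0
    while offset < dev.size:
        want = min(bs, dev.size - offset)
        try:
            chunk = dev.read(offset, want)
        except OSError:
            errors.append(offset)
            if not noerror_sync:
                break                       # plain dd: abort on the first read error
            chunk = b""                     # noerror: skip the unreadable block ...
        if noerror_sync:
            chunk = chunk.ljust(bs, b"\x00")  # ... sync: pad every short block to bs
        out += chunk
        offset += bs
    final = hashlib.new(algo, out).hexdigest()
    windows = []
    if hashwindow:  # dcfldd emits these during the copy; the values are identical afterwards
        for start in range(0, len(out), hashwindow):
            end = min(start + hashwindow, len(out))
            windows.append((start, end, hashlib.new(algo, out[start:end]).hexdigest()))
    return bytes(out), final, windows, errors


def verify(image: bytes, expected_hex: str, algo="sha256") -> bool:
    """The post-acquisition check: recompute the hash and compare it with the logged one."""
    return hashlib.new(algo, image).hexdigest() == expected_hex


def differing_windows(reference, candidate):
    """Piecewise hashes localise a mismatch instead of only reporting that one exists."""
    return [(s, e) for (s, e, h1), (_, _, h2) in zip(reference, candidate) if h1 != h2]


if __name__ == "__main__":
    clean = FlakyDevice(SAMPLE_DATA)
    _, clean_hash, clean_windows, _ = acquire(clean, hashwindow=16384)
    damaged = FlakyDevice(SAMPLE_DATA, bad_sectors={BAD_SECTOR})
    img, img_hash, img_windows, errs = acquire(damaged, hashwindow=16384)
    print("read errors at byte offsets:", errs)
    print("damaged image matches clean source hash:", verify(img, clean_hash))
    print("damaged image matches its own logged hash:", verify(img, img_hash))
    print("windows that differ from the clean acquisition:", differing_windows(clean_windows, img_windows))
```

Three things the model makes concrete. With `noerror,sync` the image of a drive with a bad sector is the same length as the source and everything outside the bad block is intact, but the unreadable block is NULs, so the logged hash is the hash of what was written, not of the original media; that is why the hash log and the error log are kept together. The piecewise hashes from `hashwindow` show which window changed, which a single end-of-image hash cannot. And `conv=sync` pads a short final read up to `bs`, so if the device size is not a multiple of the block size the image is larger than the source and the two hashes will not match even with no read errors, which is why a bs that divides the device size is chosen and the source size is recorded in the notes.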
The Computer Forensics Fundamentals and Process domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 155 questions in the Computer Forensics Fundamentals and Process domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.