Practice CHFI Mobile and Malware Forensics questions with full explanations on every answer.
1. During a mobile forensics investigation, an analyst needs to acquire data from an iPhone whose passcode protection cannot be bypassed. The device is locked, but the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?
2. A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?
3. In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?
4. A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?
5. During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?
6. A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?
7. An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?
8. A malware analyst uses Cuckoo Sandbox to analyze a sample. The report shows that the sample sends HTTP POST requests to 'http://malicious.example.com/gate.php' with encrypted data. Which type of indicator of compromise (IoC) is this?
9. Which mobile forensics tool is specifically designed for physical extraction of iOS devices, including bypassing passcodes and extracting full file system images?
10. During dynamic analysis of a malware sample, an analyst uses Process Monitor to capture registry and file system activity. Which filter would be MOST effective in identifying attempts to create a persistence mechanism?
11. An iOS forensic analyst extracts the Keychain from an iTunes backup. Within the Keychain, they find an entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud'. What type of data does this entry MOST likely contain?
12. A security analyst detects that a system's 'SeDebugPrivilege' is enabled for a suspicious process. Which technique is the malware MOST likely attempting to use?
13. A forensic examiner is analyzing a mobile device that may have been tampered with to erase evidence. Which TWO anti-forensic techniques are commonly encountered in mobile forensics? (Select TWO.)
14. A malware analyst is performing static analysis on a packed executable. Which THREE techniques are effective for unpacking or analyzing packed malware? (Select THREE.)
15. An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)
16. During an iOS forensic examination, an analyst extracts an iTunes backup and finds a file named 'SMS.db'. Which of the following tools is BEST suited to parse and analyze this SQLite database for SMS and iMessage content?
17. A security analyst runs a dynamic analysis of a suspected malware sample using Cuckoo Sandbox. The report shows that the sample created a mutex named 'Global\MyMaliciousMutex', added a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and attempted to communicate with an IP address 185.10.68.12 on port 443. Which of the following is the BEST immediate indicator of compromise (IoC) to share with the threat intelligence team?
18. In Android forensics, which of the following acquisition methods provides the most complete and forensically sound image of the device's internal storage?
19. During a malware analysis session, an analyst uses Process Monitor (Procmon) to observe a suspicious executable. Which of the following behavioral indicators would MOST strongly suggest the malware is attempting to establish persistence?
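Several of the Process Monitor questions above (the persistence filter, the Run-key writes, the service ImagePath/Start values, the svchost.exe copy dropped outside System32) come down to one analyst habit: filter Procmon to RegSetValue and CreateFile operations and match the paths against known autostart locations. The following is an added example, not part of the original page and not a Procmon feature: it applies that filter to a constructed Procmon CSV export. The process names, PIDs and paths in the sample rows are invented; the registry patterns are the standard autostart locations (Run/RunOnce, service ImagePath and Start, Winlogon Shell/Userinit, IFEO).

```python
"""Flag persistence-related events in a Process Monitor (Procmon) CSV export.

Added example, not from the original page. The CSV rows below are constructed
to mimic Procmon's default CSV export columns; the PIDs, paths and process
names are invented. Procmon only records events; the labelling here is the
analyst's own heuristic.
"""
import csv
import io
import re

# Registry locations commonly abused for autostart persistence.
# Procmon's Path for RegSetValue includes the value name, hence the trailing
# backslash or anchored value name in each pattern.
PERSISTENCE_KEYS = [
    (r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", "autorun key"),
    (r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", "service ImagePath"),
    (r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\Start$", "service start type"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", "Winlogon hook"),
    (r"\\Windows NT\\CurrentVersion\\Image File Execution Options\\", "IFEO debugger"),
]

# System binaries whose name outside their real directory suggests masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def classify(row):
    """Return a persistence label for one Procmon event row, or None."""
    op, path = row["Operation"], row["Path"]
    if op == "RegSetValue":
        for pattern, label in PERSISTENCE_KEYS:
            if re.search(pattern, path, re.IGNORECASE):
                return label
    if op in ("CreateFile", "WriteFile"):
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not lower.startswith(LEGIT_DIRS):
            return "system binary name outside System32"
        if lower.startswith("c:\\windows\\system32\\tasks\\"):
            return "scheduled task file"
    return None

def find_persistence(csv_text):
    """Scan a Procmon CSV export; return (process, pid, label, path) per hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        if label:
            findings.append((row["Process Name"], int(row["PID"]), label, row["Path"]))
    return findings

# Constructed sample export (invented process, PIDs and paths).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svch0st.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
"10:01:02.3","svch0st.exe","4120","CreateFile","C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.5","svch0st.exe","4120","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\MalService\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Data: C:\\Windows\\system32\\malware.exe"
"10:01:03.0","svch0st.exe","4120","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\MalService\\Start","SUCCESS","Type: REG_DWORD, Data: 2"
"10:01:03.4","explorer.exe","1532","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Data: 1"
"10:01:03.9","svchost.exe","884","CreateFile","C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\x.tmp","SUCCESS","Desired Access: Generic Write"
'''

if __name__ == "__main__":
    for proc, pid, label, path in find_persistence(SAMPLE_CSV):
        print(f"{proc} ({pid}): {label}: {path}")
```

In the Procmon GUI the same triage is the filter "Operation is RegSetValue" plus "Path contains CurrentVersion\Run" (and the service and Winlogon paths as further include rules); the script is only the exported-CSV form of that filter. Note that the explorer.exe row and the real svchost.exe row are left alone: a RegSetValue under CurrentVersion\Explorer is not an autostart, and a system binary writing a temp file from its own profile is routine.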
20. An iOS forensic analyst is examining data from an iCloud backup and finds a file named 'call_history.db'. Which SQLite table within this database is MOST likely to contain the duration and timestamp of each phone call?
21. A forensic investigator is analyzing a malware sample that appears to be packed. Using PEiD, the analyst detects an entropy value of 7.8, and the section containing the entry point is named 'UPX1'. Which of the following tools should the analyst use NEXT to unpack the malware for static analysis?
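The entropy figure in the question above is what PEiD's entropy plugin (and most PE triage tools) compute per section: Shannon entropy in bits per byte, where compressed or encrypted data approaches 8.0 and ordinary code and text sit well below it. The following added example, not from the original page or from PEiD, shows the calculation and the two signals an analyst combines: a high-entropy section and packer-specific section names. The byte buffers are constructed: a seeded pseudo-random buffer stands in for UPX-compressed data, repeated ASCII for ordinary content, and the 7.0 threshold is a common rule of thumb rather than a fixed standard.

```python
"""Section-entropy triage for packed executables.

Added example, not from the original page. The section contents below are
constructed: a deterministic pseudo-random buffer plays the part of a
UPX-compressed section, repeated ASCII plays ordinary code/text.
"""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packed_verdict(sections, threshold=7.0):
    """Return (packed?, reasons) for a list of (section_name, raw_bytes).

    Two signals, matching what PEiD reports: a section whose entropy is at or
    above the threshold, and packer-specific section names (UPX0/UPX1).
    """
    reasons = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        if raw and ent >= threshold:
            reasons.append(f"{name}: entropy {ent:.2f} >= {threshold}")
        if name.upper().startswith("UPX"):
            reasons.append(f"{name}: UPX section name")
    return bool(reasons), reasons

# Constructed sections. In a real UPX file UPX0 has raw size 0 on disk (the
# decompressed image is written there at runtime) and UPX1 holds the compressed
# payload plus the decompression stub that the entry point lands in.
_rng = random.Random(2024)
COMPRESSED = bytes(_rng.randrange(256) for _ in range(4096))
PLAIN_TEXT = b"This program cannot be run in DOS mode.\r\n" * 100

PACKED = [("UPX0", b""), ("UPX1", COMPRESSED), (".rsrc", PLAIN_TEXT)]
UNPACKED = [(".text", PLAIN_TEXT), (".data", b"\x00" * 512)]

if __name__ == "__main__":
    for label, secs in (("packed", PACKED), ("unpacked", UNPACKED)):
        flag, why = packed_verdict(secs)
        print(label, "->", "packed" if flag else "not packed", why)
```

Two caveats a practitioner applies: .rsrc sections legitimately carry high-entropy images, so a single hot section is a lead rather than a verdict, and a packer that pads or interleaves plaintext can hold entropy under the threshold, which is why the section-name signal is checked independently.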
22. Which of the following is a key difference between static analysis and dynamic analysis in malware forensics?
23. A security analyst notices that a compromised Android device's /data/data/com.example.app/databases/ directory contains a database with tables named 'accounts', 'transactions', and 'settings'. Which type of forensic acquisition would be MOST appropriate to capture this app-specific data while preserving deleted records?
24. During a mobile forensic investigation, an analyst uses Cellebrite UFED to extract data from a locked iOS device. The extraction successfully retrieves the device's passcode, call logs, SMS messages, and application data. Which extraction method did the analyst MOST likely use?
25. A malware analyst is examining a PE file that has a section named '.tls' and imports from 'kernel32.dll' and 'ntdll.dll'. The entry point points to a small stub that decrypts the main code at runtime. Which of the following best describes this technique?
26. Which of the following mobile forensics tools is specifically designed to extract data from iOS devices by exploiting the device's bootrom vulnerability (e.g., checkm8) to perform a physical extraction?
27. During dynamic analysis of a malware sample in Any.run, an analyst observes that the malware writes a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and also creates a scheduled task named 'UpdateTask'. Which anti-forensic technique is the malware MOST likely attempting to counter?
28. A mobile forensic examiner is analyzing an Android device that has been factory reset. Which TWO of the following artefacts are MOST likely to still be recoverable after a factory reset? (Select TWO)
29. A malware analyst is analyzing a suspicious executable. Which THREE of the following are valid indicators of compromise (IoCs) that can be extracted from static analysis of the PE file? (Select THREE)
30. Which THREE of the following are common techniques used by malware to achieve persistence on a Windows system? (Select THREE)
31. During a mobile forensic investigation of an iPhone, the examiner extracts data using a physical acquisition method. Which of the following BEST describes the level of data recovery achieved by this method?
32. A forensic analyst is examining an iOS backup taken from a suspect's iPhone using iTunes. Which of the following SQLite databases would contain the suspect's call history?
33. A security analyst observes a process on a Windows system creating a mutex named "Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}" shortly after execution. The analyst also notes outbound connections to an IP address 203.0.113.50 on port 4444. Which malware behaviour indicator is MOST clearly demonstrated?
34. During a malware analysis, an analyst uses a tool to monitor registry changes, file system modifications, and process activity simultaneously. Which tool is BEST suited for this integrated monitoring?
35. Which of the following mobile forensic tools is specifically known for its ability to perform advanced extractions on iOS devices, including bypassing the lock screen on many models?
36. An Android forensic analyst connects a suspect device to their workstation and issues the command "adb backup -apk -shared -all -f backup.ab". Which type of acquisition is being performed?
37. During a malware investigation, an analyst identifies a suspicious file that appears to be a Windows executable. Using PEiD, the analyst detects the file is packed with UPX. After unpacking, the analyst runs the file in a sandbox and observes it modifies the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService. What behavioural indicator is primarily demonstrated?
38. Which of the following tools is BEST suited for performing static analysis of a malware binary to identify strings, headers, and imported functions without executing the file?
39. A forensic examiner is analyzing an Android device and wants to extract the database containing the user's text messages (SMS). In which directory would the examiner typically find the SMS database on a non-rooted device?
40. An incident responder analyzes a compromised system and finds evidence of timestomping: the Modified timestamp of a malicious DLL is earlier than the Creation timestamp. Additionally, the DLL is encrypted with an XOR key. Which anti-forensic techniques are being employed?
41. Which mobile forensic acquisition method is MOST likely to retrieve deleted text messages from an iPhone that was not jailbroken and has no passcode?
42. Which of the following is an indicator of compromise (IoC) that is LEAST likely to change when malware mutates through polymorphic techniques?
43. A forensic examiner is analyzing an iOS device backup and wants to extract the user's iCloud-related artefacts. Which TWO of the following are typical sources of iCloud artefacts in an iTunes backup?
44. During dynamic analysis of a malware sample in a sandbox, an analyst observes the following behaviours: (1) A file is created at C:\Windows\System32\drivers\etc\hosts, (2) A registry key is set at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc, (3) Outbound TCP connections to 198.51.100.10 on port 8080. Which THREE of the following IoCs are MOST relevant to share with the threat intelligence team?
45. An Android forensic examiner performs a physical acquisition on a device. Which TWO of the following are typical artefacts that can be recovered from the /data/data/ directory on a non-rooted device if the acquisition method allows full file system access?
46. In mobile forensics, which acquisition method preserves the highest level of data integrity and captures the most data from an iOS device?
47. During an iOS forensic examination, an analyst extracts the SMS.db file from an iTunes backup. Which table within this database contains the actual message content and associated metadata such as timestamps and sender/recipient information?
48. A forensic analyst is examining an Android device that has been factory reset. Which of the following artefacts is MOST likely to persist after a factory reset and provide valuable evidence?
49. Which tool is specifically designed for performing physical extraction of iOS devices and is widely used by law enforcement for bypassing passcode restrictions on modern iPhones?
50. During a malware analysis, an analyst runs a suspicious executable in a Cuckoo Sandbox and observes that the process creates a mutex named 'Global\XPSS-1.0.0' and writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What do these actions MOST likely indicate?
51. An investigator recovers a suspicious file from a compromised system. Using PEiD, the file is detected as 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What is the MOST appropriate next step in the analysis?
52. During an iOS forensic examination of an iCloud backup, an analyst finds that the SQLite database files for the Health app are encrypted. Which component is MOST likely responsible for encrypting this data, and what is required to decrypt it?
53. A security analyst suspects a mobile device is infected with malware that exfiltrates data via DNS queries. Which tool or technique would be MOST effective for detecting this behavior during dynamic analysis?
54. In Android forensics, which command is used to extract a full physical image of a device's flash memory over USB using the Android Debug Bridge (ADB)?
55. During a forensic investigation of a Windows system infected with ransomware, the analyst discovers that the malware deleted volume shadow copies using vssadmin.exe. Which anti-forensic technique does this represent, and what is its primary purpose?
56. An examiner is analyzing an Android device using Cellebrite UFED. The device is locked with a PIN, and the examiner has no PIN. Which acquisition type should the examiner attempt FIRST to maximize data recovery without destroying evidence?
57. In malware forensics, which of the following is an indicator of compromise (IoC) that can be used to detect a specific malware strain across multiple systems?
58. A forensic analyst is examining an iOS device backup and wants to extract call history records. Which SQLite databases and/or files contain relevant call history data? (Select TWO.)
59. A malware analyst is performing dynamic analysis of a suspected trojan in a sandbox environment. Which of the following behaviours are strong indicators that the malware is establishing persistence on the infected system? (Select THREE.)
60. During a mobile forensic investigation, an examiner wants to recover deleted WhatsApp messages from an Android device. Which of the following artefacts should the examiner examine? (Select TWO.)
61. During a mobile forensic examination of an iPhone, the examiner wants to acquire the most data possible, including deleted files and unallocated space. Which acquisition type should be used?
62. A security analyst discovers a suspicious file on a Windows system with the hash 'd41d8cd98f00b204e9800998ecf8427e'. Which type of indicator of compromise (IoC) is this hash most commonly associated with?
63. An analyst is performing malware analysis and executes a suspicious binary in a sandbox. The sandbox reports that the binary creates a mutex named 'Global\DRIVER_UPDATE_MTX' before attempting to connect to 'http://malicious.com/update'. Which tool would BEST capture the network traffic during dynamic analysis?
64. In an iOS forensic examination, an analyst extracts an encrypted iTunes backup. The backup contains a file named 'manifest.plist' which lists the backup version and encryption state. Which tool is specifically designed to brute-force the backup password using GPU acceleration?
65. During a forensic investigation of an Android device, the examiner uses ADB to extract data. Which command would create a full backup of the device's data partition, including app data and shared storage?
66. Which of the following is the primary purpose of performing static analysis on a suspicious binary?
67. A forensic analyst is examining an Android device that was factory reset before seizure. Which Google account artefacts are MOST likely still recoverable from the device's storage?
68. During malware analysis, an analyst discovers that a sample uses a technique to modify its own code at runtime to evade signature detection. Which anti-forensic technique does this describe?
69. An iOS forensic examiner recovers a Keychain dump from an iPhone. Which of the following types of data is typically NOT stored in the iOS Keychain?
70. During dynamic analysis of a Windows malware sample, Process Monitor shows repeated writes to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. What does this behaviour indicate?
71. Which mobile forensic tool is commonly used for physical extraction of iOS devices via checkm8 exploit?
72. A security analyst notices a process named 'svchost.exe' running from the directory 'C:\Users\Public\svchost.exe'. This is suspicious because legitimate svchost.exe runs from 'C:\Windows\System32'. What type of indicator is this?
73. Which TWO of the following are SQLite databases commonly analysed during iOS forensic examinations?
74. A malware analyst is performing dynamic analysis of a trojan. Which THREE of the following tools are commonly used to monitor system changes during execution?
75. Which TWO of the following are valid acquisition types in mobile forensics, ranked from most to least data recovered?
76. During a mobile device investigation, an examiner needs to acquire the maximum amount of data from a locked iOS device without modifying it. Which acquisition type should be used?
77. A security analyst is reviewing the output from a forensic tool examining an iOS Keychain. The analyst finds an entry with the attribute 'kSecAttrAccessible' set to 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly'. What does this indicate?
78. An investigator extracts the SMS.db file from an iOS backup. Which table within this database would contain the actual message content for sent and received messages?
79. During an Android forensic examination, an analyst uses ADB to perform a backup of a device. The resulting .ab file is encrypted. Which of the following is the most likely reason for the encryption?
80. Which tool is specifically designed to perform physical extraction of data from mobile devices, including bypassing lock screens on many iOS and Android devices?
81. A malware analyst runs a suspicious executable in Cuckoo Sandbox. The report shows that the process created a mutex named 'Global\MyMalwareMutex'. What is the significance of this mutex?
82. During static analysis of a PE file, an analyst uses PEiD and detects the signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What should the analyst do next?
83. An investigator is analyzing an Android device and finds a database file in /data/data/com.whatsapp/databases/msgstore.db. Which type of information is MOST likely stored in this database?
84. During dynamic analysis of a malware sample, an analyst uses Process Monitor to monitor file system activity. The malware creates a file named 'C:\Users\Admin\AppData\Roaming\svchost.exe'. What does this likely indicate?
85. Which of the following is an example of an indicator of compromise (IoC) that can be used to detect malware on a network?
86. After a factory reset on an Android device, a forensic examiner attempts to recover user data. Which of the following statements is most accurate regarding the recoverability of data?
87. A security analyst discovers a suspicious registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. The key points to a file in AppData. What is the most likely purpose of this registry key?
88. Which TWO tools are commonly used for static analysis of malware binaries?
89. Which TWO of the following are anti-forensic techniques used by malware to evade detection?
90. Which THREE artefacts are typically recoverable from an iOS iTunes backup?
91. During a mobile forensics investigation, an examiner needs to acquire data from an iPhone running iOS 14. Which of the following acquisition methods provides the MOST complete data extraction?
92. A security analyst suspects malware infection on a Windows workstation. They run Process Monitor and observe that a process named 'svch0st.exe' creates a mutex named 'Global\Mutex_1234' and writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which malware persistence mechanism is being used?
93. During a malware analysis session, an analyst uses a tool to view the import address table (IAT) of a suspicious PE file. The tool shows imports from ws2_32.dll and wininet.dll. Which of the following tools would BEST allow the analyst to statically analyze the binary and view the IAT?
94. An Android phone is found at a crime scene. The phone is locked with a PIN. The forensic examiner wants to extract data without bypassing the lock. Which of the following is the MOST appropriate logical acquisition method?
95. A forensic analyst is examining a SQLite database from an iOS device backup. The database contains a table named 'message' with columns 'ROWID', 'text', 'handle_id', and 'date'. This database is MOST likely part of which iOS system database?
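Two of the questions above ask for the actual query rather than a tool name: the WhatsApp msgstore.db 'messages' table (key_remote_jid, data, timestamp) filtered to a contact whose number ends in '1234', and the iOS sms.db 'message' table (ROWID, text, handle_id, date). The following added example, not from the original page or from either app, builds small in-memory copies of both schemas and runs the queries. It assumes two details the questions do not list but which the real databases have: WhatsApp's key_from_me flag (1 = sent by the device owner) and the sms.db 'handle' table that maps handle_id to a phone number. Every row is invented.

```python
"""Query constructed copies of two mobile messaging databases.

Added example, not from the original page. Both databases are built in memory
with the columns the questions name, plus the minimum extra columns/tables
needed to make the queries meaningful (WhatsApp key_from_me; sms.db 'handle'
and is_from_me). All rows are invented.
"""
import sqlite3
from datetime import datetime, timezone, timedelta

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def build_msgstore():
    """WhatsApp msgstore.db, 'messages' table. timestamp is Unix epoch milliseconds."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (key_remote_jid TEXT, key_from_me INTEGER, data TEXT, timestamp INTEGER)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        ("15551231234@s.whatsapp.net", 1, "meet at 9", 1700000000000),
        ("15551231234@s.whatsapp.net", 0, "ok", 1700000060000),
        ("15559998888@s.whatsapp.net", 1, "unrelated", 1700000120000),
        ("15551231234-1600000000@g.us", 1, "group post", 1700000180000),  # group chat, not a contact
    ])
    return db

def whatsapp_messages_to(db, number_suffix, sent_only=True):
    """Messages in the one-to-one chat with a contact whose number ends in number_suffix.

    One-to-one JIDs are '<number>@s.whatsapp.net'; group JIDs end in '@g.us',
    so anchoring the LIKE pattern on the suffix excludes groups that happen to
    contain the digits. sent_only keeps only key_from_me = 1 rows.
    """
    sql = "SELECT key_remote_jid, key_from_me, data, timestamp FROM messages WHERE key_remote_jid LIKE ?"
    if sent_only:
        sql += " AND key_from_me = 1"
    rows = db.execute(sql + " ORDER BY timestamp", (f"%{number_suffix}@s.whatsapp.net",)).fetchall()
    return [(jid, bool(fm), text, datetime.fromtimestamp(ts / 1000, tz=timezone.utc))
            for jid, fm, text, ts in rows]

def build_sms_db():
    """iOS sms.db, 'message' joined to 'handle'. date is in Apple absolute time."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT)")
    db.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER, is_from_me INTEGER, date INTEGER)")
    db.execute("INSERT INTO handle VALUES (1, '+15551231234')")
    db.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "on my way", 1, 1, 690000000 * 10**9),  # iOS 11+ stores nanoseconds since 2001-01-01
        (2, "see you", 1, 0, 690000060 * 10**9),
    ])
    return db

def apple_time(value):
    """Convert an sms.db 'date' to UTC. Older iOS stored seconds since 2001-01-01,
    iOS 11+ nanoseconds; any value above 1e12 can only be the nanosecond form."""
    seconds = value / 1e9 if value > 10**12 else value
    return APPLE_EPOCH + timedelta(seconds=seconds)

def ios_messages_with(db, number):
    """All messages exchanged with one handle, oldest first."""
    rows = db.execute(
        "SELECT m.ROWID, m.text, m.is_from_me, m.date FROM message m "
        "JOIN handle h ON h.ROWID = m.handle_id WHERE h.id = ? ORDER BY m.date",
        (number,),
    ).fetchall()
    return [(rowid, text, bool(fm), apple_time(date)) for rowid, text, fm, date in rows]

if __name__ == "__main__":
    for row in whatsapp_messages_to(build_msgstore(), "1234", sent_only=False):
        print("whatsapp", row)
    for row in ios_messages_with(build_sms_db(), "+15551231234"):
        print("imessage", row)
```

The conversion in apple_time is the detail that most often goes wrong when examiners hand-roll these queries: an sms.db 'date' that is off by 31 years has been treated as a Unix timestamp, and one that is off by a factor of a billion has been read as seconds on an iOS 11+ device. A real extraction would open the copied database read-only (a file URI with mode=ro) rather than the in-memory copies built here.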
96. During malware dynamic analysis in a sandbox, a sample creates a file named 'C:\Users\Admin\AppData\Local\Temp\svchost.dll' and then executes 'rundll32.exe C:\Users\Admin\AppData\Local\Temp\svchost.dll,Start'. This behavior is indicative of which technique?
97. A forensic examiner uses Oxygen Forensic Detective to acquire data from an Android device. The tool reports that it performed a 'full file system' extraction. Which of the following is a prerequisite for this type of extraction?
98. Which of the following tools is designed specifically for dynamic analysis of malware by executing it in a controlled, isolated environment?
99. An investigator examines an iPhone backup file. Inside the backup manifest, they find a file path 'AppDomainGroup-group.com.example.app'. This indicates the data belongs to which type of app container?
100. During a forensic examination of a Windows system infected with ransomware, the analyst finds that the file timestamps (creation, modification, access) for several critical system files have been altered to match legitimate Windows files. Which anti-forensic technique is MOST likely being used?
101. A forensic analyst receives a mobile device that has been factory reset. Which of the following types of data is MOST likely to be recoverable using advanced forensic techniques?
102. A security analyst is using Wireshark during a malware analysis session. The analyst observes a series of DNS queries to a domain 'malware-c2.example.com' every 60 seconds. This behavior is indicative of which malware characteristic?
103. A forensic examiner is analyzing a malware sample that creates the following registry keys for persistence: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware', 'HKLM\System\CurrentControlSet\Services\MalService', and 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'. Which TWO of the following statements are TRUE regarding these persistence mechanisms?
104. Which THREE of the following are common indicators of compromise (IoCs) that can be used to detect malware infections?
105. During a mobile forensics investigation of an Android device, the examiner finds that the user's Google account data is stored locally. Which TWO of the following artefacts are typically stored in the device's /data/system/ or /data/data/ directories related to Google account information?
106. During an iOS forensic examination, an analyst extracts the iTunes backup of a suspect iPhone. The analyst wants to review deleted SMS messages. Which SQLite database file should be examined?
107. An Android phone is seized, and the forensic examiner needs to acquire the device in a forensically sound manner. The phone is running Android 12 and has USB debugging enabled. Which acquisition method provides the most complete data without physically modifying the device?
108. A malware analyst is examining a suspicious Windows executable. Running 'strings' reveals references to 'C:\Windows\System32\drivers\etc\hosts' and IP addresses 185.130.5.21 and 192.168.1.1. Dynamic analysis in a sandbox shows the binary modifies the hosts file and creates a mutex named 'Global\Mtx_Update'. Which behavioral indicator is MOST clearly associated with persistence?
109. A forensic investigator needs to analyze the keychain data from an iOS device backup. Which tool is specifically designed to decrypt and display iOS keychain contents?
110. During a malware investigation, an analyst uses Process Monitor to observe a suspicious executable. The tool reveals that the process attempts to write to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and creates a file named 'svchost.exe' in 'C:\Users\Public\'. What is the MOST likely goal of this behavior?
111. An Android device is found with factory reset performed. The forensic examiner wants to recover as much data as possible. Which of the following artefacts is MOST likely to survive a factory reset and provide useful evidence?
112. A forensic analyst is examining a malware sample that uses packing to obfuscate its code. Which static analysis tool is BEST suited to identify the packer used and potentially unpack the executable?
113. An incident responder receives an alert that a workstation is beaconing to a known malicious IP address. The responder captures network traffic and analyzes it with Wireshark. Which of the following would be an immediate indicator of compromise (IoC) visible in the traffic capture?
114. Which mobile forensic tool is commonly used to perform a physical extraction of an iOS device, including bypassing the lock screen on certain models?
115. A security analyst detects that a known malware sample writes to the registry key 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service. This behavior is characteristic of which type of persistence mechanism?
116. During an Android forensic examination, the analyst uses ADB to run 'adb shell dumpsys batterystats --reset' before acquiring data. What is the MOST likely purpose of this command?
117. Which of the following is a key difference between static and dynamic malware analysis?
118. A forensic investigator is analyzing a Windows system suspected of malware infection. Which TWO of the following are common persistence mechanisms that malware may use?
119. During a mobile forensic examination of an iOS device, the analyst encounters encrypted backups. Which THREE of the following are valid methods to access the data?
120. A malware analyst is performing dynamic analysis of a suspicious executable in a Cuckoo Sandbox environment. Which THREE of the following behavioural indicators would be considered suspicious and warrant further investigation?
121. A forensic analyst needs to acquire evidence from an iPhone 12 running iOS 15. The device is passcode-locked and cannot be unlocked. Which acquisition method should be used to obtain the MOST data possible?
122. Which Android file system location is MOST likely to contain user-installed app data, preferences, and cached information?
123. During a malware analysis, a suspicious executable is detected. The analyst runs `strings` on the binary and finds references to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and a URL `http://evil.com/beacon`. What does this indicate?
124. Which tool is specifically designed for dynamic analysis of malware by executing it in a controlled, isolated environment and logging its behavior?
125. A security analyst runs the command `regshot64.exe compare` after executing malware. Regshot reports that the following registry key was created: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate`. Which conclusion is MOST likely?
126. In iOS forensics, which database file typically contains the call history, including incoming, outgoing, and missed calls?
127. A forensic analyst is examining an Android device that has been factory reset. Which type of data is LEAST likely to be recoverable using forensic tools?
128. Which of the following is an example of an anti-forensics technique used to hide malicious activity?
129. During a malware investigation, you find that a process named `svchost.exe` is making outbound connections to an IP address known to be malicious. What tool would be BEST to capture the network traffic for further analysis?
130. An analyst extracts an iTunes backup from a Windows computer. The backup contains a file manifest.plist with cryptographic hashes. What is the primary purpose of these hashes in the backup process?
131. Which tool can be used to extract evidence from Android devices through the Android Debug Bridge (ADB) and is often used for logical acquisition?
132. In static malware analysis, what is the purpose of using a tool like PEiD?
133. A forensic analyst is examining an Android device for evidence of a specific app's usage. Which TWO locations are MOST likely to contain app-specific data that can be recovered through a logical acquisition?
134. During dynamic analysis of a malware sample, an analyst observes the following: creation of a mutex named `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`, a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` named `WindowsUpdate`, and outbound TCP traffic to `203.0.113.5:443`. Which THREE of the following indicators of compromise (IoCs) should be documented?
135. An incident responder is analyzing a compromised Windows workstation. Which TWO artifacts would provide the STRONGEST evidence of a malware persistence mechanism?
136. During a mobile forensic investigation of an iPhone, an examiner needs to recover deleted SMS messages. Which acquisition method provides the highest likelihood of retrieving deleted data from the device's flash memory?
137. An Android device is seized as evidence. The screen is locked with a PIN. Which tool or method is MOST appropriate for acquiring a physical image of the device without bypassing the lock screen, assuming the device is rooted?
138. A security analyst observes a suspicious process creating multiple mutexes with names like 'XxX_12345' and 'XxX_67890' and making outbound connections to an IP address 185.130.5.1 on port 443. Which behavioral indicator is MOST consistent with malware communication?
139. In malware static analysis, a PE file is examined. The section names include '.text', '.rdata', '.data', and '.rsrc'. The entry point is in the .text section. Which tool would be MOST appropriate to identify any packer that might be obfuscating the code?
140. During an iOS forensics investigation, an examiner wants to extract call history records from an iPhone backup. Which SQLite database file should be examined?
141. A forensic analyst is examining an Android device and wants to recover Google account artefacts, such as the last sync timestamp and cached email addresses. Where on the device (in /data/data/) would these artefacts MOST likely be stored?
142. During dynamic analysis of a suspicious executable in Cuckoo Sandbox, the report shows that the process created a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named 'WindowsUpdate' and dropped a file 'svchost.exe' in %AppData%. Which conclusion is MOST consistent with these indicators?
143. An incident responder finds a file named 'photo.jpg' on a compromised system. The file size is 2 MB and it is located in a temp directory. The file's MD5 hash is 5d41402abc4b2a76b9719d911017c592. What is the BEST next step to determine if this file is malicious?
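The IoC questions above keep returning to the same task: given a mutex name, a registry path, a URL, an IP:port pair, a domain or a bare hash, say what kind of indicator it is before it goes to the threat intelligence team. The following is an added example, not from the original page, that performs that classification over a constructed list modelled on the indicators the questions use (documentation-range IPs, example.com domains, the two 32-hex-digit hashes). It also makes the point behind the hash question: a bare digest carries no algorithm label, so its hex length is the only thing that identifies it, and 32 hex digits is MD5-sized, not SHA-256.

```python
"""Classify raw indicator-of-compromise strings by type.

Added example, not from the original page. SAMPLE_IOCS is constructed from
the indicators used in the questions (documentation IP ranges, example.com
domains, illustrative hashes); nothing here is a real threat feed.
"""
import re
from ipaddress import ip_address

# A digest string carries no algorithm tag; hex length is all that identifies it.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
REG_ROOTS = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.I)

def _split_port(value):
    """'203.0.113.50:4444' -> ('203.0.113.50', 4444); no valid port -> (value, None).
    IPv6 literals with embedded colons are not handled here."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and 0 < int(port) < 65536:
        return host, int(port)
    return value, None

def classify_ioc(value: str) -> str:
    """Return one of: md5, sha1, sha256, mutex, registry-key, url, file-path,
    ip, ip-port, domain, domain-port, unknown. Order matters: a URL contains
    a colon and a registry path contains backslashes, so the more specific
    shapes are tested before the host/port split."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-f]+", v, re.I) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if re.match(r"(Global|Local)\\", v):
        return "mutex"
    if v.upper().startswith(REG_ROOTS):
        return "registry-key"
    if re.match(r"https?://", v, re.I):
        return "url"
    if re.fullmatch(r"[A-Za-z]:\\.*", v):
        return "file-path"
    host, port = _split_port(v)
    try:
        ip_address(host)
        return "ip-port" if port else "ip"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(host):
        return "domain-port" if port else "domain"
    return "unknown"

def bucket_iocs(values):
    """Group indicators by type, the shape a sharing template or STIX bundle wants."""
    buckets = {}
    for v in values:
        buckets.setdefault(classify_ioc(v), []).append(v.strip())
    return buckets

# Constructed list modelled on the indicators in the questions above.
SAMPLE_IOCS = [
    "5d41402abc4b2a76b9719d911017c592",
    "Global\\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
    "http://malicious.example.com/gate.php",
    "203.0.113.50:4444",
    "198.51.100.10",
    "malware-c2.example.com",
    "C:\\Users\\Public\\svchost.exe",
]

if __name__ == "__main__":
    for kind, items in bucket_iocs(SAMPLE_IOCS).items():
        print(f"{kind}: {items}")
```

Network and hash indicators (url, domain, ip, ip-port, the hash types) are the ones the threat intelligence team can act on across systems immediately; the mutex, registry-key and file-path buckets are host-level and belong in the hunt or detection queue, where the attacker-chosen names ('WindowsUpdate', a svchost.exe outside System32) matter more than the values themselves.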
144. Which mobile forensic tool is specifically designed to extract data from a wide range of mobile devices, including both iOS and Android, and is commonly used by law enforcement agencies?
145. During an iOS forensic analysis, an examiner recovers the Keychain data from a backup. Which type of information is commonly stored in the iOS Keychain and can be extracted during analysis?
146. A forensic examiner is analyzing an Android device that has been factory reset. Which of the following artefacts is MOST likely to still be recoverable from the device's flash memory after a factory reset, assuming no overwrite has occurred?
147. A malware analyst is using a tool to monitor registry and file system changes during the execution of a suspicious binary. Which tool is specifically designed to take snapshots of the registry and file system before and after execution to identify changes?
148. A forensic examiner is analyzing an Android device and needs to extract application data from the /data/data/ directory. Which TWO conditions must be met to access this directory? (Select TWO.)
149. During dynamic analysis of a suspected malware sample, an analyst observes the following behaviors: (1) The process creates a service named 'WindowsDefender' that starts automatically. (2) It writes an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (3) It injects code into explorer.exe. (4) It attempts to resolve the domain 'malware-update.com'. (5) It creates a mutex named 'Global\MyMutex'. Which THREE behaviors are indicators of malware persistence? (Select THREE.)
150. A malware analyst is performing static analysis on a suspicious PE file. Which TWO of the following are examples of anti-forensic techniques that the malware might use to hinder analysis? (Select TWO.)
151. During a mobile forensic investigation, an examiner finds that the seized iPhone is locked with a passcode but is running iOS 11. Which acquisition method should the examiner prioritize to obtain the most data without bypassing the passcode?
152. An analyst suspects a Windows executable is packed. They run `strings` on the file and see few readable strings, and PEiD reports 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. Which static analysis technique should the analyst use NEXT to extract the original code?
153. During a malware investigation, a forensic analyst observes that a suspicious process creates a mutex named 'Global\MyMutex' and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What behavioral indicator does this represent?
154. A forensic examiner is analyzing an Android device that was factory reset. Which TWO artefacts or methods could the examiner use to potentially recover or identify data from before the reset?
155. An analyst is performing dynamic analysis of a malware sample in Cuckoo Sandbox. Which TWO of the following are typical indicators of command and control (C2) communication?
156. During an iOS forensics investigation, an examiner extracts an iTunes backup and finds the SQLite database files. Which TWO of the following databases are LEAST likely to contain forensically relevant artefacts for a communication analysis?
157. A security team is investigating a suspected Advanced Persistent Threat (APT) intrusion. They have identified several IoCs. Which THREE of the following are considered standard types of Indicators of Compromise?
158. A forensic analyst is performing static analysis of a Windows PE file. Which TWO of the following tools are specifically designed for static analysis of malware?
159. During a malware investigation, an analyst examines a suspicious file that appears to have been timestomped. Which THREE of the following techniques or tools can be used to detect timestamp manipulation on Windows?
160A forensic examiner is analyzing an Android device for potential evidence of a specific app’s data. Which TWO locations within the device’s file system would MOST likely contain application-specific data?
161Which TWO of the following are primary purposes of using the GrayKey tool in iOS forensics?
162A security analyst observes a process making repeated network connections to an IP address 192.168.1.100 on TCP port 4444, and the process writes a DLL file to C:\Users\Public\. Which THREE actions should the analyst take immediately as part of dynamic analysis?
163A forensic analyst is examining an Android device using ADB extraction. Which TWO statements about ADB extraction are true?
164A malware sample creates the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareName. Which THREE of the following are appropriate next steps for the analyst?
The Mobile and Malware Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 164 questions in the Mobile and Malware Forensics domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Mobile and Malware Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.