Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Mobile and Malware Forensics

Practice CHFI Mobile and Malware Forensics questions with full explanations on every answer.

164 questions





All CHFI Mobile and Malware Forensics questions (164)


1

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone whose passcode protection cannot be bypassed. The device is locked, but the analyst knows the passcode. Which acquisition method provides the MOST comprehensive data extraction?

2

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?

3

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?

4

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?

5

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?

6

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?

7

An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?

8

A malware analyst uses Cuckoo Sandbox to analyze a sample. The report shows that the sample sends HTTP POST requests to 'http://malicious.example.com/gate.php' with encrypted data. Which type of indicator of compromise (IoC) is this?

9

Which mobile forensics tool is specifically designed for physical extraction of iOS devices, including bypassing passcodes and extracting full file system images?

10

During dynamic analysis of a malware sample, an analyst uses Process Monitor to capture registry and file system activity. Which filter would be MOST effective in identifying attempts to create a persistence mechanism?

11

An iOS forensic analyst extracts the Keychain from an iTunes backup. Within the Keychain, they find an entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud'. What type of data does this entry MOST likely contain?

12

A security analyst detects that a system's 'SeDebugPrivilege' is enabled for a suspicious process. Which technique is the malware MOST likely attempting to use?

13

A forensic examiner is analyzing a mobile device that may have been tampered with to erase evidence. Which TWO anti-forensic techniques are commonly encountered in mobile forensics? (Select TWO.)

14

A malware analyst is performing static analysis on a packed executable. Which THREE techniques are effective for unpacking or analyzing packed malware? (Select THREE.)

15

An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)

16

During an iOS forensic examination, an analyst extracts an iTunes backup and finds a file named 'SMS.db'. Which of the following tools is BEST suited to parse and analyze this SQLite database for SMS and iMessage content?

17

A security analyst runs a dynamic analysis of a suspected malware sample using Cuckoo Sandbox. The report shows that the sample created a mutex named 'Global\MyMaliciousMutex', added a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and attempted to communicate with an IP address 185.10.68.12 on port 443. Which of the following is the BEST immediate indicator of compromise (IoC) to share with the threat intelligence team?

18

In Android forensics, which of the following acquisition methods provides the most complete and forensically sound image of the device's internal storage?

19

During a malware analysis session, an analyst uses Process Monitor (Procmon) to observe a suspicious executable. Which of the following behavioral indicators would MOST strongly suggest the malware is attempting to establish persistence?

20

An iOS forensic analyst is examining data from an iCloud backup and finds a file named 'call_history.db'. Which SQLite table within this database is MOST likely to contain the duration and timestamp of each phone call?

21

A forensic investigator is analyzing a malware sample that appears to be packed. Using PEiD, the analyst detects an entropy value of 7.8 and the entry point section is named 'UPX0'. Which of the following tools should the analyst use NEXT to unpack the malware for static analysis?

22

Which of the following is a key difference between static analysis and dynamic analysis in malware forensics?

23

A security analyst notices that a compromised Android device's /data/data/com.example.app/databases/ directory contains a database with tables named 'accounts', 'transactions', and 'settings'. Which type of forensic acquisition would be MOST appropriate to capture this app-specific data while preserving deleted records?

24

During a mobile forensic investigation, an analyst uses Cellebrite UFED to extract data from a locked iOS device. The extraction successfully retrieves the device's passcode, call logs, SMS messages, and application data. Which extraction method did the analyst MOST likely use?

25

A malware analyst is examining a PE file that has a section named '.tls' and imports from 'kernel32.dll' and 'ntdll.dll'. The entry point points to a small stub that decrypts the main code at runtime. Which of the following best describes this technique?

26

Which of the following mobile forensics tools is specifically designed to extract data from iOS devices by exploiting the device's bootrom vulnerability (e.g., checkm8) to perform a physical extraction?

27

During dynamic analysis of a malware sample in Any.run, an analyst observes that the malware writes a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and also creates a scheduled task named 'UpdateTask'. Which anti-forensic technique is the malware MOST likely attempting to counter?

28

A mobile forensic examiner is analyzing an Android device that has been factory reset. Which TWO of the following artefacts are MOST likely to still be recoverable after a factory reset? (Select TWO.)

29

A malware analyst is analyzing a suspicious executable. Which THREE of the following are valid indicators of compromise (IoCs) that can be extracted from static analysis of the PE file? (Select THREE.)

30

Which THREE of the following are common techniques used by malware to achieve persistence on a Windows system? (Select THREE.)

31

During a mobile forensic investigation of an iPhone, the examiner extracts data using a physical acquisition method. Which of the following BEST describes the level of data recovery achieved by this method?

32

A forensic analyst is examining an iOS backup taken from a suspect's iPhone using iTunes. Which of the following SQLite databases would contain the suspect's call history?

33

A security analyst observes a process on a Windows system creating a mutex named "Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}" shortly after execution. The analyst also notes outbound connections to an IP address 203.0.113.50 on port 4444. Which malware behaviour indicator is MOST clearly demonstrated?

34

During a malware analysis, an analyst uses a tool to monitor registry changes, file system modifications, and process activity simultaneously. Which tool is BEST suited for this integrated monitoring?

35

Which of the following mobile forensic tools is specifically known for its ability to perform advanced extractions on iOS devices, including bypassing the lock screen on many models?

36

An Android forensic analyst connects a suspect device to their workstation and issues the command "adb backup -apk -shared -all -f backup.ab". Which type of acquisition is being performed?

37

During a malware investigation, an analyst identifies a suspicious file that appears to be a Windows executable. Using PEiD, the analyst detects the file is packed with UPX. After unpacking, the analyst runs the file in a sandbox and observes it modifies the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService. What behavioural indicator is primarily demonstrated?

38

Which of the following tools is BEST suited for performing static analysis of a malware binary to identify strings, headers, and imported functions without executing the file?

39

A forensic examiner is analyzing an Android device and wants to extract the database containing the user's text messages (SMS). In which directory would the examiner typically find the SMS database on a non-rooted device?

40

An incident responder analyzes a compromised system and finds evidence of timestomping: the Modified timestamp of a malicious DLL is earlier than the Creation timestamp. Additionally, the DLL is encrypted with an XOR key. Which anti-forensic techniques are being employed?

41

Which mobile forensic acquisition method is MOST likely to retrieve deleted text messages from an iPhone that was not jailbroken and has no passcode?

42

Which of the following is an indicator of compromise (IoC) that is LEAST likely to change when malware mutates through polymorphic techniques?

43

A forensic examiner is analyzing an iOS device backup and wants to extract the user's iCloud-related artefacts. Which TWO of the following are typical sources of iCloud artefacts in an iTunes backup?

44

During dynamic analysis of a malware sample in a sandbox, an analyst observes the following behaviours: (1) A file is created at C:\Windows\System32\drivers\etc\hosts, (2) A registry key is set at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc, (3) Outbound TCP connections to 198.51.100.10 on port 8080. Which THREE of the following IoCs are MOST relevant to share with the threat intelligence team?

45

An Android forensic examiner performs a physical acquisition on a device. Which TWO of the following are typical artefacts that can be recovered from the /data/data/ directory on a non-rooted device if the acquisition method allows full file system access?

46

In mobile forensics, which acquisition method preserves the highest level of data integrity and captures the most data from an iOS device?

47

During an iOS forensic examination, an analyst extracts the SMS.db file from an iTunes backup. Which table within this database contains the actual message content and associated metadata such as timestamps and sender/recipient information?

48

A forensic analyst is examining an Android device that has been factory reset. Which of the following artefacts is MOST likely to persist after a factory reset and provide valuable evidence?

49

Which tool is specifically designed for performing physical extraction of iOS devices and is widely used by law enforcement for bypassing passcode restrictions on modern iPhones?

50

During a malware analysis, an analyst runs a suspicious executable in a Cuckoo Sandbox and observes that the process creates a mutex named 'Global\XPSS-1.0.0' and writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What do these actions MOST likely indicate?

51

An investigator recovers a suspicious file from a compromised system. Using PEiD, the file is detected as 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What is the MOST appropriate next step in the analysis?

52

During an iOS forensic examination of an iCloud backup, an analyst finds that the SQLite database files for the Health app are encrypted. Which component is MOST likely responsible for encrypting this data, and what is required to decrypt it?

53

A security analyst suspects a mobile device is infected with malware that exfiltrates data via DNS queries. Which tool or technique would be MOST effective for detecting this behavior during dynamic analysis?

54

In Android forensics, which command is used to extract a full physical image of a device's flash memory over USB using the Android Debug Bridge (ADB)?

55

During a forensic investigation of a Windows system infected with ransomware, the analyst discovers that the malware deleted volume shadow copies using vssadmin.exe. Which anti-forensic technique does this represent, and what is its primary purpose?

56

An examiner is analyzing an Android device using Cellebrite UFED. The device is locked with a PIN, and the examiner has no PIN. Which acquisition type should the examiner attempt FIRST to maximize data recovery without destroying evidence?

57

In malware forensics, which of the following is an indicator of compromise (IoC) that can be used to detect a specific malware strain across multiple systems?

58

A forensic analyst is examining an iOS device backup and wants to extract call history records. Which SQLite databases and/or files contain relevant call history data? (Select TWO.)

59

A malware analyst is performing dynamic analysis of a suspected trojan in a sandbox environment. Which of the following behaviours are strong indicators that the malware is establishing persistence on the infected system? (Select THREE.)

60

During a mobile forensic investigation, an examiner wants to recover deleted WhatsApp messages from an Android device. Which of the following artefacts should the examiner examine? (Select TWO.)

61

During a mobile forensic examination of an iPhone, the examiner wants to acquire the most data possible, including deleted files and unallocated space. Which acquisition type should be used?

62

A security analyst discovers a suspicious file on a Windows system with the hash 'd41d8cd98f00b204e9800998ecf8427e'. Which type of indicator of compromise (IoC) is this hash most commonly associated with?

63

An analyst is performing malware analysis and executes a suspicious binary in a sandbox. The sandbox reports that the binary creates a mutex named 'Global\DRIVER_UPDATE_MTX' before attempting to connect to 'http://malicious.com/update'. Which tool would BEST capture the network traffic during dynamic analysis?

64

In an iOS forensic examination, an analyst extracts an encrypted iTunes backup. The backup contains a file named 'manifest.plist' which lists the backup version and encryption state. Which tool is specifically designed to brute-force the backup password using GPU acceleration?

65

During a forensic investigation of an Android device, the examiner uses ADB to extract data. Which command would create a full backup of the device's data partition, including app data and shared storage?

66

Which of the following is the primary purpose of performing static analysis on a suspicious binary?

67

A forensic analyst is examining an Android device that was factory reset before seizure. Which Google account artefacts are MOST likely still recoverable from the device's storage?

68

During malware analysis, an analyst discovers that a sample uses a technique to modify its own code at runtime to evade signature detection. Which anti-forensic technique does this describe?

69

An iOS forensic examiner recovers a Keychain dump from an iPhone. Which of the following types of data is typically NOT stored in the iOS Keychain?

70

During dynamic analysis of a Windows malware sample, Process Monitor shows repeated writes to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. What does this behaviour indicate?

71

Which mobile forensic tool is commonly used for physical extraction of iOS devices via checkm8 exploit?

72

A security analyst notices a process named 'svchost.exe' running from the directory 'C:\Users\Public\svchost.exe'. This is suspicious because legitimate svchost.exe runs from 'C:\Windows\System32'. What type of indicator is this?

73

Which TWO of the following are SQLite databases commonly analysed during iOS forensic examinations?

74

A malware analyst is performing dynamic analysis of a trojan. Which THREE of the following tools are commonly used to monitor system changes during execution?

75

Which TWO of the following are valid acquisition types in mobile forensics, ranked from most to least data recovered?

76

During a mobile device investigation, an examiner needs to acquire the maximum amount of data from a locked iOS device without modifying it. Which acquisition type should be used?

77

A security analyst is reviewing the output from a forensic tool examining an iOS Keychain. The analyst finds an entry with the attribute 'kSecAttrAccessible' set to 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly'. What does this indicate?

78

An investigator extracts the SMS.db file from an iOS backup. Which table within this database would contain the actual message content for sent and received messages?

79

During an Android forensic examination, an analyst uses ADB to perform a backup of a device. The resulting .ab file is encrypted. Which of the following is the most likely reason for the encryption?

80

Which tool is specifically designed to perform physical extraction of data from mobile devices, including bypassing lock screens on many iOS and Android devices?

81

A malware analyst runs a suspicious executable in Cuckoo Sandbox. The report shows that the process created a mutex named 'Global\MyMalwareMutex'. What is the significance of this mutex?

82

During static analysis of a PE file, an analyst uses PEiD and detects the signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What should the analyst do next?

83

An investigator is analyzing an Android device and finds a database file in /data/data/com.whatsapp/databases/msgstore.db. Which type of information is MOST likely stored in this database?

84

During dynamic analysis of a malware sample, an analyst uses Process Monitor to monitor file system activity. The malware creates a file named 'C:\Users\Admin\AppData\Roaming\svchost.exe'. What does this likely indicate?

85

Which of the following is an example of an indicator of compromise (IoC) that can be used to detect malware on a network?

86

After a factory reset on an Android device, a forensic examiner attempts to recover user data. Which of the following statements is most accurate regarding the recoverability of data?

87

A security analyst discovers a suspicious registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. The key points to a file in AppData. What is the most likely purpose of this registry key?

88

Which TWO tools are commonly used for static analysis of malware binaries?

89

Which TWO of the following are anti-forensic techniques used by malware to evade detection?

90

Which THREE artefacts are typically recoverable from an iOS iTunes backup?

91

During a mobile forensics investigation, an examiner needs to acquire data from an iPhone running iOS 14. Which of the following acquisition methods provides the MOST complete data extraction?

92

A security analyst suspects malware infection on a Windows workstation. They run Process Monitor and observe that a process named 'svch0st.exe' creates a mutex named 'Global\Mutex_1234' and writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which malware persistence mechanism is being used?

93

During a malware analysis session, an analyst uses a tool to view the import address table (IAT) of a suspicious PE file. The tool shows imports from ws2_32.dll and wininet.dll. Which of the following tools would BEST allow the analyst to statically analyze the binary and view the IAT?

94

An Android phone is found at a crime scene. The phone is locked with a PIN. The forensic examiner wants to extract data without bypassing the lock. Which of the following is the MOST appropriate logical acquisition method?

95

A forensic analyst is examining a SQLite database from an iOS device backup. The database contains a table named 'message' with columns 'ROWID', 'text', 'handle_id', and 'date'. This database is MOST likely part of which iOS system database?

96

During malware dynamic analysis in a sandbox, a sample creates a file named 'C:\Users\Admin\AppData\Local\Temp\svchost.dll' and then executes 'rundll32.exe C:\Users\Admin\AppData\Local\Temp\svchost.dll,Start'. This behavior is indicative of which technique?

97

A forensic examiner uses Oxygen Forensic Detective to acquire data from an Android device. The tool reports that it performed a 'full file system' extraction. Which of the following is a prerequisite for this type of extraction?

98

Which of the following tools is designed specifically for dynamic analysis of malware by executing it in a controlled, isolated environment?

99

An investigator examines an iPhone backup file. Inside the backup manifest, they find a file path 'AppDomainGroup-group.com.example.app'. This indicates the data belongs to which type of app container?

100

During a forensic examination of a Windows system infected with ransomware, the analyst finds that the file timestamps (creation, modification, access) for several critical system files have been altered to match legitimate Windows files. Which anti-forensic technique is MOST likely being used?

101

A forensic analyst receives a mobile device that has been factory reset. Which of the following types of data is MOST likely to be recoverable using advanced forensic techniques?

102

A security analyst is using Wireshark during a malware analysis session. The analyst observes a series of DNS queries to a domain 'malware-c2.example.com' every 60 seconds. This behavior is indicative of which malware characteristic?

103

A forensic examiner is analyzing a malware sample that creates the following registry keys for persistence: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware', 'HKLM\System\CurrentControlSet\Services\MalService', and 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'. Which TWO of the following statements are TRUE regarding these persistence mechanisms?

104

Which THREE of the following are common indicators of compromise (IoCs) that can be used to detect malware infections?

105

During a mobile forensics investigation of an Android device, the examiner finds that the user's Google account data is stored locally. Which TWO of the following artefacts are typically stored in the device's /data/system/ or /data/data/ directories related to Google account information?

106

During an iOS forensic examination, an analyst extracts the iTunes backup of a suspect iPhone. The analyst wants to review deleted SMS messages. Which SQLite database file should be examined?

107

An Android phone is seized, and the forensic examiner needs to acquire the device in a forensically sound manner. The phone is running Android 12 and has USB debugging enabled. Which acquisition method provides the most complete data without physically modifying the device?

108

A malware analyst is examining a suspicious Windows executable. Running 'strings' reveals references to 'C:\Windows\System32\drivers\etc\hosts' and IP addresses 185.130.5.21 and 192.168.1.1. Dynamic analysis in a sandbox shows the binary modifies the hosts file and creates a mutex named 'Global\Mtx_Update'. Which behavioral indicator is MOST clearly associated with persistence?

109

A forensic investigator needs to analyze the keychain data from an iOS device backup. Which tool is specifically designed to decrypt and display iOS keychain contents?

110

During a malware investigation, an analyst uses Process Monitor to observe a suspicious executable. The tool reveals that the process attempts to write to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and creates a file named 'svchost.exe' in 'C:\Users\Public\'. What is the MOST likely goal of this behavior?

111

An Android device is found with factory reset performed. The forensic examiner wants to recover as much data as possible. Which of the following artefacts is MOST likely to survive a factory reset and provide useful evidence?

112

A forensic analyst is examining a malware sample that uses packing to obfuscate its code. Which static analysis tool is BEST suited to identify the packer used and potentially unpack the executable?

113

An incident responder receives an alert that a workstation is beaconing to a known malicious IP address. The responder captures network traffic and analyzes it with Wireshark. Which of the following would be an immediate indicator of compromise (IoC) visible in the traffic capture?

114

Which mobile forensic tool is commonly used to perform a physical extraction of an iOS device, including bypassing the lock screen on certain models?

115

A security analyst detects that a known malware sample writes to the registry key 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service. This behavior is characteristic of which type of persistence mechanism?

116

During an Android forensic examination, the analyst uses ADB to run 'adb shell dumpsys batterystats --reset' before acquiring data. What is the MOST likely purpose of this command?

117

Which of the following is a key difference between static and dynamic malware analysis?

118

A forensic investigator is analyzing a Windows system suspected of malware infection. Which TWO of the following are common persistence mechanisms that malware may use?

119

During a mobile forensic examination of an iOS device, the analyst encounters encrypted backups. Which THREE of the following are valid methods to access the data?

120

A malware analyst is performing dynamic analysis of a suspicious executable in a Cuckoo Sandbox environment. Which THREE of the following behavioural indicators would be considered suspicious and warrant further investigation?

121

A forensic analyst needs to acquire evidence from an iPhone 12 running iOS 15. The device is passcode-locked and cannot be unlocked. Which acquisition method should be used to obtain the MOST data possible?

122

Which Android file system location is MOST likely to contain user-installed app data, preferences, and cached information?

123

During a malware analysis, a suspicious executable is detected. The analyst runs `strings` on the binary and finds references to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and a URL `http://evil.com/beacon`. What does this indicate?

124

Which tool is specifically designed for dynamic analysis of malware by executing it in a controlled, isolated environment and logging its behavior?

125

A security analyst runs the command `regshot64.exe compare` after executing malware. Regshot reports that the following registry key was created: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate`. Which conclusion is MOST likely?

126

In iOS forensics, which database file typically contains the call history, including incoming, outgoing, and missed calls?

127

A forensic analyst is examining an Android device that has been factory reset. Which type of data is LEAST likely to be recoverable using forensic tools?

128

Which of the following is an example of an anti-forensics technique used to hide malicious activity?

129

During a malware investigation, you find that a process named `svchost.exe` is making outbound connections to an IP address known to be malicious. What tool would be BEST to capture the network traffic for further analysis?

130

An analyst extracts an iTunes backup from a Windows computer. The backup contains a file manifest.plist with cryptographic hashes. What is the primary purpose of these hashes in the backup process?

131

Which tool can be used to extract evidence from Android devices through the Android Debug Bridge (ADB) and is often used for logical acquisition?

132

In static malware analysis, what is the purpose of using a tool like PEiD?

133

A forensic analyst is examining an Android device for evidence of a specific app's usage. Which TWO locations are MOST likely to contain app-specific data that can be recovered through a logical acquisition?

134

During dynamic analysis of a malware sample, an analyst observes the following: creation of a mutex named `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`, a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` named `WindowsUpdate`, and outbound TCP traffic to `203.0.113.5:443`. Which THREE of the following indicators of compromise (IoCs) should be documented?

135

An incident responder is analyzing a compromised Windows workstation. Which TWO artifacts would provide the STRONGEST evidence of a malware persistence mechanism?

136

During a mobile forensic investigation of an iPhone, an examiner needs to recover deleted SMS messages. Which acquisition method provides the highest likelihood of retrieving deleted data from the device's flash memory?

137

An Android device is seized as evidence. The screen is locked with a PIN. Which tool or method is MOST appropriate for acquiring a physical image of the device without bypassing the lock screen, assuming the device is rooted?

138

A security analyst observes a suspicious process creating multiple mutexes with names like 'XxX_12345' and 'XxX_67890' and making outbound connections to an IP address 185.130.5.1 on port 443. Which behavioral indicator is MOST consistent with malware communication?

139

In malware static analysis, a PE file is examined. The section names include '.text', '.rdata', '.data', and '.rsrc'. The entry point is in the .text section. Which tool would be MOST appropriate to identify any packer that might be obfuscating the code?

140

During an iOS forensics investigation, an examiner wants to extract call history records from an iPhone backup. Which SQLite database file should be examined?

141

A forensic analyst is examining an Android device and wants to recover Google account artefacts, such as the last sync timestamp and cached email addresses. Where on the device (in /data/data/) would these artefacts MOST likely be stored?

142

During dynamic analysis of a suspicious executable in Cuckoo Sandbox, the report shows that the process created a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named 'WindowsUpdate' and dropped a file 'svchost.exe' in %AppData%. Which conclusion is MOST consistent with these indicators?

143

An incident responder finds a file named 'photo.jpg' on a compromised system. The file size is 2 MB and it is located in a temp directory. The file's SHA256 hash is 5d41402abc4b2a76b9719d911017c592. What is the BEST next step to determine if this file is malicious?

144

Which mobile forensic tool is specifically designed to extract data from a wide range of mobile devices, including both iOS and Android, and is commonly used by law enforcement agencies?

145

During an iOS forensic analysis, an examiner recovers the Keychain data from a backup. Which type of information is commonly stored in the iOS Keychain and can be extracted during analysis?

146

A forensic examiner is analyzing an Android device that has been factory reset. Which of the following artefacts is MOST likely to still be recoverable from the device's flash memory after a factory reset, assuming no overwrite has occurred?

147

A malware analyst is using a tool to monitor registry and file system changes during the execution of a suspicious binary. Which tool is specifically designed to take snapshots of the registry and file system before and after execution to identify changes?

148

A forensic examiner is analyzing an Android device and needs to extract application data from the /data/data/ directory. Which TWO conditions must be met to access this directory? (Select TWO.)

149

During dynamic analysis of a suspected malware sample, an analyst observes the following behaviors: (1) The process creates a service named 'WindowsDefender' that starts automatically. (2) It writes an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (3) It injects code into explorer.exe. (4) It attempts to resolve the domain 'malware-update.com'. (5) It creates a mutex named 'Global\MyMutex'. Which THREE behaviors are indicators of malware persistence? (Select THREE.)

150

A malware analyst is performing static analysis on a suspicious PE file. Which TWO of the following are examples of anti-forensic techniques that the malware might use to hinder analysis? (Select TWO.)

151

During a mobile forensic investigation, an examiner finds that the seized iPhone is locked with a passcode but is running iOS 11. Which acquisition method should the examiner prioritize to obtain the most data without bypassing the passcode?

152

An analyst suspects a Windows executable is packed. They run `strings` on the file and see few readable strings, and PEiD reports 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. Which static analysis technique should the analyst use NEXT to extract the original code?

153

During a malware investigation, a forensic analyst observes that a suspicious process creates a mutex named 'Global\MyMutex' and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What behavioral indicator does this represent?

154

A forensic examiner is analyzing an Android device that was factory reset. Which TWO artefacts or methods could the examiner use to potentially recover or identify data from before the reset?

155

An analyst is performing dynamic analysis of a malware sample in Cuckoo Sandbox. Which TWO of the following are typical indicators of command and control (C2) communication?

156

During an iOS forensics investigation, an examiner extracts an iTunes backup and finds the SQLite database files. Which TWO of the following databases are LEAST likely to contain forensically relevant artefacts for a communication analysis?

157

A security team is investigating a suspected Advanced Persistent Threat (APT) intrusion. They have identified several IoCs. Which THREE of the following are considered standard types of Indicators of Compromise?

158

A forensic analyst is performing static analysis of a Windows PE file. Which TWO of the following tools are specifically designed for static analysis of malware?

159

During a malware investigation, an analyst examines a suspicious file that appears to have been timestomped. Which THREE of the following techniques or tools can be used to detect timestamp manipulation on Windows?

160

A forensic examiner is analyzing an Android device for potential evidence of a specific app’s data. Which TWO locations within the device’s file system would MOST likely contain application-specific data?

161

Which TWO of the following are primary purposes of using the GrayKey tool in iOS forensics?

162

A security analyst observes a process making repeated network connections to an IP address 192.168.1.100 on TCP port 4444, and the process writes a DLL file to C:\Users\Public\. Which THREE actions should the analyst take immediately as part of dynamic analysis?

163

A forensic analyst is examining an Android device using ADB extraction. Which TWO statements about ADB extraction are true?

164

A malware sample creates the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareName. Which THREE of the following are appropriate next steps for the analyst?


Frequently asked questions

What does the Mobile and Malware Forensics domain cover on the CHFI exam?

The Mobile and Malware Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Mobile and Malware Forensics questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 164 questions in the Mobile and Malware Forensics domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Mobile and Malware Forensics for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Mobile and Malware Forensics questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Mobile and Malware Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
