Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Storage Forensics and File System Analysis

Practice CHFI Storage Forensics and File System Analysis questions with full explanations on every answer.

172 questions


All CHFI Storage Forensics and File System Analysis questions (172)


1

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

2

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?

3

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?

4

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?

5

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?

6

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?

7

A security analyst is investigating a compromised Windows system and wants to see which processes were running at the time of memory capture. Which Volatility command should they use?

8

An examiner acquires a forensic image of an SSD from a suspect's laptop. The SSD was connected to a system with TRIM enabled. What challenge will the examiner most likely face when trying to recover deleted files?

9

During a forensic analysis of a drive, the examiner discovers a Host Protected Area (HPA). What is the primary purpose of an HPA?

10

An investigator is analyzing a RAID 5 array consisting of three disks. One disk fails and is replaced. After rebuilding, the file system appears corrupted. What is the MOST likely cause?

11

During memory analysis, an examiner uses the Volatility 'malfind' plugin and discovers a process with executable code in an executable heap. Which technique is most likely being used by malware to avoid detection?

12

An investigator uses FTK Imager to capture a forensic image of a suspect's hard drive. During acquisition, the tool reports that the DCO (Device Configuration Overlay) is present. What does this indicate?

13

Which TWO of the following are file systems that use journaling to maintain integrity?

14

Which THREE of the following are techniques used to hide data on a hard drive?

15

Which TWO of the following are challenges specific to SSD forensics compared to HDD forensics?

16

During a forensic examination of a Windows 10 system, an investigator runs the following command: 'fsutil usn readjournal C: > usn_output.txt'. What is the primary purpose of this action?

17

An analyst recovers a disk image from a Linux server that used ext4. The image shows a superblock backup at multiple offsets. Which dd command would correctly extract the backup superblock located at offset 32768 bytes?

18

Which file system artifact in NTFS is used to hide data by appending a stream to an existing file without affecting its primary data stream?

19

During a forensic investigation, an analyst finds a file with a creation timestamp earlier than the volume's formatted timestamp. Which of the following is the most likely explanation?

20

In an ext3 file system, after deleting a file, the inode's link count drops to 0, but the data blocks remain. Which of the following is true regarding recovery?

21

An investigator uses the Volatility framework on a memory dump from a Windows 10 system. Which command would list all processes, including those hidden by rootkits?

22

What is the primary purpose of the Host Protected Area (HPA) on a hard disk drive?

23

A forensic investigator is examining a Mac system with APFS. Which artifact would be most useful for determining the exact time a file was moved to the Trash?

24

In a RAID 5 array with three disks, one disk fails. The investigator images the remaining two disks and wants to reconstruct the missing data. Which approach is most appropriate?

25

An analyst runs 'foremost -i disk.dd -o output' and recovers several JPEG files. However, some files are corrupted or incomplete. What is the most likely cause?

26

Which tool is specifically designed to acquire RAM from a Linux system for forensic analysis?

27

An investigator notes that a file on an NTFS volume has a resident data size of 900 bytes, but the $DATA attribute lists an allocated size of 1024 bytes. What does this indicate?

28

Which TWO of the following are valid methods for hiding data on an NTFS volume without using third-party tools? (Select 2)

29

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives? (Select 3)

30

An investigator is analyzing a memory dump with Volatility and wants to identify network connections. Which TWO commands can provide information about TCP and UDP connections? (Select 2)

31

A forensic analyst finds a partition that uses the Master Boot Record (MBR) scheme. Which of the following is TRUE about the MBR partition table?

32

During an investigation, an analyst recovers deleted files from an NTFS volume. She notices that some files have data hidden in a stream that is not visible in regular directory listings. This stream is associated with a file but not stored in the $MFT. Which NTFS feature is being used to hide the data?

33

A security analyst suspects an attacker has hidden data in the Host Protected Area (HPA) of a suspect's hard drive. Which of the following tools is BEST suited to detect and access the HPA?

34

In FAT32, the File Allocation Table (FAT) is used to track which clusters are allocated to files. If a file is deleted, what happens to the FAT entries for that file?

35

During a forensic examination of an ext4 filesystem, the analyst discovers that a suspicious file was deleted but the inode still exists in the filesystem. Which of the following techniques would MOST likely recover the file's data?

36

An investigator images an SSD that has TRIM enabled. Which of the following challenges will MOST likely affect the recovery of deleted files from this SSD?

37

A forensic analyst is examining a disk image and needs to identify the file system structure. She looks for the Master File Table ($MFT) to begin analysis. Which file system is she most likely dealing with?

38

In a memory forensics investigation using Volatility, an analyst wants to see a list of processes that were active at the time of acquisition, including hidden processes. Which Volatility command should be used?

39

A forensic investigator is analyzing a RAID 0 array consisting of two disks. She uses FTK Imager to acquire the logical drive. However, the data appears interleaved. What additional step is necessary to properly assemble the image?

40

An analyst finds evidence that an attacker used steganography to hide data within image files on the suspect's computer. Which of the following tools is MOST appropriate for detecting steganography in these images?

41

What is slack space in a file system?

42

During a forensic examination, an analyst uses Autopsy to view the contents of the Recycle Bin on a Windows 10 system. However, some files that were deleted by the user do not appear in the Recycle Bin. What is the MOST likely reason?

43

Which TWO of the following are valid techniques for acquiring RAM in a Windows system?

44

Which THREE of the following are characteristics of the GPT (GUID Partition Table) compared to MBR?

45

Which TWO of the following tools are commonly used for file carving during forensic investigations?

46

During a forensic investigation, you find an NTFS volume with a file that has an alternate data stream (ADS). Which command in Windows can be used to list all ADS on a file?

47

An analyst is investigating a compromised Linux system and runs `ls -i` on a deleted file's directory. The inode number is 12345. Which tool can recover the file contents by referencing the inode?

48

During a forensic examination of a solid-state drive (SSD), you notice that files deleted several months ago cannot be recovered using traditional file carving tools. Which SSD feature is MOST likely preventing recovery?

49

An investigator needs to recover a deleted partition from a disk that originally used an MBR partition table. Which tool can scan the disk for lost partitions and rebuild the partition table?

50

In NTFS, the $MFT file contains metadata about every file and directory on the volume. When a file is deleted, its $MFT record is marked as free. What information in the $MFT record is MOST useful for recovering a deleted file?

51

A forensic analyst is investigating a Windows system and needs to examine the contents of the Recycle Bin. Which file artifact contains metadata about deleted files, including original file paths and deletion times?

52

An analyst is analyzing a disk image and finds a 512-byte sector at LBA 0 that contains a bootloader and a partition table. The partition table has four entries, each 16 bytes. What type of partition table is this?

53

During a forensic analysis of a compromised server, you discover that a rootkit has hidden itself by modifying the HPA (Host Protected Area) of the hard disk. Which tool can detect the presence of an HPA by comparing the reported size with the actual number of sectors?

54

An investigator is examining a FAT32 filesystem and needs to recover a deleted file. In FAT32, the directory entry for a deleted file has the first byte of the filename set to 0xE5. What does this indicate?

55

Which file system artifact in NTFS records file system events such as file creation, deletion, and modification, and is often used to track attacker activities?

56

A forensic examiner finds a file on an NTFS volume that appears to have data hidden in its alternate data stream. The file's size is reported as 10 KB, but the volume's cluster size is 4 KB. How many clusters of file slack could potentially contain hidden data in the primary stream?

57

During a forensic investigation, you need to acquire the RAM of a running Linux system. Which tool is specifically designed for memory acquisition on Linux?

58

Which TWO of the following are common challenges in SSD forensics that can hinder data recovery?

59

Which TWO tools are specifically designed for file carving (recovering files based on signatures) and are commonly used in digital forensics?

60

Which THREE of the following are valid memory forensic artifacts that can be extracted using the Volatility framework?

61

A forensic investigator examines a hard drive and needs to recover deleted files. Which tool is specifically designed for file carving by scanning raw data for file headers and footers without relying on the file system?

62

During a forensic analysis of an NTFS volume, an investigator finds a file that appears to be hidden. Which NTFS feature allows data to be stored in a file without affecting the file's visible size in the directory listing?

63

An analyst is investigating a compromised Linux system. Which file system structure holds metadata about every file and directory, including permissions, ownership, timestamps, and pointers to data blocks?

64

A forensic examiner acquires a RAM image from a Windows 10 system and uses Volatility to analyze it. Which command would list all running processes along with their parent process IDs and command lines?

65

During a forensic investigation of a hard disk, the investigator finds that the partition table is missing. The disk was previously partitioned using GPT. Which area of the disk should be examined to recover the GPT partition table?

66

An investigator is analyzing a FAT32 drive and notices that a deleted file's directory entry still exists, but the first byte of the filename is changed to 0xE5. What does this indicate about the file?

67

In an ext4 file system, after a file is deleted, the inode's di_mode field is set to 0 and the block pointers are cleared. However, the file content may still be recoverable until what happens?

68

A forensic analyst is examining an SSD that may have had deleted files. The analyst is concerned about the TRIM command. What effect does TRIM have on forensic recovery of deleted files?

69

During a forensic investigation, an analyst uses a tool to capture the contents of RAM from a live Linux system. Which tool is specifically designed for this purpose and can acquire memory over a network or via a local kernel module?

70

A forensic examiner is analyzing a RAID 5 array consisting of three disks. One disk has failed and is not available. The remaining two disks contain data and parity. Which technique can be used to reconstruct the missing disk's data and recover the original data?

71

An analyst discovers that a Windows system has hidden data in the Host Protected Area (HPA) of the hard drive. Which tool or method can be used to detect and access the HPA?

72

During a forensic analysis of an APFS volume, the investigator needs to examine file metadata such as creation time, modification time, and extended attributes. Which APFS structure contains this information?

73

Which TWO of the following are valid methods to hide data on an NTFS volume? (Choose two.)

74

Which THREE of the following are characteristics of the Master File Table ($MFT) in NTFS? (Choose three.)

75

Which TWO of the following are challenges in SSD forensics compared to traditional HDD forensics? (Choose two.)

76

A forensic analyst is examining a Windows 10 system and needs to view the Master File Table ($MFT) to identify recently deleted files. Which tool is most appropriate for parsing the $MFT directly?

77

During a forensic examination of a Linux ext4 file system, an investigator runs the `ls -i` command and sees inode numbers. They need to examine the inode structure. Which command should they use to display detailed inode information?

78

An analyst discovers a hidden partition on a hard drive that does not appear in the standard MBR partition table. The drive uses GPT partitioning. Which area of the disk should be examined to find evidence of a hidden partition?

79

A forensic investigator is analyzing a USB drive formatted with FAT32 and finds that a deleted file's directory entry still exists but the first character of the filename is replaced with 0xE5. What does this indicate?

80

An investigator is using Autopsy to analyze a disk image from a suspected hacker's computer. They want to recover deleted JPEG images that may have been stored in unallocated clusters. Which Autopsy feature is best suited for this task?

81

During a forensic investigation of a Windows 10 system, you find that a suspect used the 'cipher /w:C:' command. What is the primary forensic implication of this action?

82

A forensic analyst needs to acquire RAM from a live Linux system for memory analysis. Which tool is specifically designed for this purpose and can capture memory without rebooting?

83

An investigator finds evidence of data hidden using Alternate Data Streams (ADS) on an NTFS volume. Which command would display all ADS associated with files in a directory?

84

During a forensic examination of a solid-state drive (SSD), the analyst notices that the TRIM command was enabled. What challenge does this pose for data recovery?

85

Which file system journal is commonly used in Linux ext3/ext4 to record metadata changes before they are committed to the main file system?

86

A security analyst examines a compromised Windows server and finds a file named 'readme.txt' that appears legitimate. However, using `dir /r`, they discover an alternate data stream named 'readme.txt:hidden.exe'. What is the most likely purpose of this alternate data stream?

87

An investigator uses the `volatility -f mem.dump netscan` command on a memory dump from a Windows 10 system. What information is this command primarily intended to reveal?

88

Which TWO of the following are features of the NTFS file system that can be used to hide data? (Select TWO.)

89

Which THREE of the following present unique challenges for forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select THREE.)

90

Which TWO of the following are commonly used tools for file carving (recovering files based on file signatures)? (Select TWO.)

91

During a forensic investigation, an analyst needs to recover recently deleted files from a FAT32 partition. Which of the following techniques is MOST effective for recovering files whose directory entries have been marked as deleted but the clusters have not yet been overwritten?

92

An examiner is analyzing an NTFS volume and suspects that a suspect hid data using Alternate Data Streams (ADS). Which tool or method is MOST appropriate to list all ADS on the volume?

93

During a memory forensics analysis using Volatility, an examiner runs 'python vol.py -f memory.dmp pslist' and sees a suspicious process named 'expl0rer.exe' with a PPID of 4. What does a PPID of 4 indicate, and what should the examiner do next?

94

An analyst is investigating a Linux server running ext4 and needs to recover deleted files that may have been overwritten partially. Which technique is BEST suited for recovering fragments of known file types when the inode metadata is lost?

95

A forensic examiner needs to acquire the RAM from a Windows 10 system without altering the contents. Which tool is MOST appropriate for this task?

96

During an investigation of a compromised system, the analyst discovers that the suspect used steganography to hide data within image files. Which forensic tool is BEST suited for detecting hidden data in images through statistical analysis?

97

A forensic analyst is examining a RAID 5 array consisting of three disks. One disk has failed and has been replaced. The array is rebuilt automatically. However, the analyst needs to recover deleted files that existed before the rebuild. What is the MOST significant challenge in this scenario?

98

An examiner is analyzing an SSD and notices that TRIM is enabled. Why does TRIM pose a challenge for digital forensics?

99

Which of the following partition table types uses a protective MBR and a GPT header, and is recommended for disks larger than 2 TB?

100

During a forensic examination of an NTFS drive, an analyst runs 'fsutil usn readjournal C:' and observes a large number of USN journal entries for a specific file after a certain date. The file's $MFT record shows a last modified timestamp far earlier than the journal entries. What does this discrepancy suggest?

101

An analyst is examining a hard drive that was seized from a suspect. The drive is detected as a smaller capacity than listed on the label. Which of the following is the MOST likely explanation?

102

An investigator needs to analyze the contents of the Windows Recycle Bin on a system running Windows 10. Which artifact(s) should the investigator examine to determine the original location and deletion time of a file in the Recycle Bin?

103

Which TWO of the following are valid methods to hide data on an NTFS file system without using external tools?

104

Which THREE of the following are challenges specific to SSD forensics compared to HDD forensics?

105

Which TWO of the following tools are commonly used for file carving in forensic investigations?

106

During a forensic analysis of a Windows 10 system, an investigator needs to locate the Master File Table ($MFT) to analyze file metadata. Which file system structure contains the $MFT?

107

An analyst suspects that sensitive data was hidden in the NTFS Alternate Data Streams (ADS) of a file on a suspect's drive. Which tool is specifically designed to enumerate and extract data from ADS on a live Windows system?

108

During a forensic examination of a Linux system, the investigator runs the command 'ls -i /home/user/file.txt' and sees inode number 12345. The file was recently deleted. Which of the following is the most effective method to recover the file, assuming the inode is still accessible?

109

An analyst is examining a RAID 5 array of three disks. One disk has failed and been replaced; the array is rebuilding. Which of the following is the most significant forensic challenge regarding data acquisition from this array?

110

In an investigation of a Windows system, the analyst uses Volatility's 'netscan' plugin and identifies a suspicious outbound connection to an IP address on port 4444. Which of the following is the most likely associated malicious activity?

111

An investigator needs to recover deleted files from a USB drive formatted with FAT32. Which of the following techniques would be most effective, assuming the files have not been overwritten?

112

During a forensic acquisition of a suspect's SSD, the analyst notices that the drive supports TRIM. Which of the following is the most important consideration when acquiring the drive to preserve deleted data?

113

An investigator is analyzing a memory dump from a compromised server using Volatility. The 'pslist' plugin shows a process with no parent PID (PPID). Which of the following is the most likely explanation?

114

Which of the following best describes the purpose of the Host Protected Area (HPA) on a hard disk drive?

115

An analyst is examining an Apple Mac system and needs to recover deleted files from an APFS volume. Which tool is most appropriate for this task?

116

During an investigation, an analyst recovers a file from unallocated space that contains fragments of a deleted document. The file size is 512 bytes, but the cluster size of the volume is 4096 bytes. What is the term for the unused bytes between the end of the file and the end of the last cluster?

117

An analyst is examining a USB drive that appears to have a smaller capacity than expected. The drive is detected as 8 GB but only 7 GB is accessible. Which of the following is the most likely cause?

118

Which two of the following are characteristics of the ext4 file system? (Choose TWO.)

119

Which three of the following are common techniques used to hide data on a storage device? (Choose THREE.)

120

Which two of the following are tools used for memory forensics acquisition? (Choose TWO.)

121

During a forensic investigation, an analyst examines a hard disk and notices that the partition table uses a 64-bit scheme with a maximum of 128 partitions. Which partition table type is in use?

122

A forensic analyst is examining a FAT32 file system and finds that the file allocation table indicates a cluster chain ending with 0x0FFFFFFF. What does this value signify?

123

When analyzing an NTFS volume, an investigator wants to identify files that were recently accessed or modified. Which NTFS artifact stores metadata about file system changes and can be parsed using tools like MFTEcmd or NTFSLogTracker?

124

A security analyst detects suspicious activity on a Windows workstation. They acquire RAM using WinPmem and analyze it with Volatility. Which Volatility command would list all active processes along with their parent process IDs?

125

During an investigation of a Linux system, an analyst runs `ls -li` and sees that a file's inode number is 0. What does this indicate about the file?

126

An investigator recovers a file from unallocated space on an NTFS drive using file carving. The file appears to contain alternate data streams (ADS). Which tool can be used to list all ADS associated with a file on a live Windows system?

127

A forensic examiner wants to recover deleted files from a USB drive formatted with FAT32. Which file carving tool is specifically designed to recover files based on file headers and footers?

128

During a forensic examination of an SSD, the analyst notes that TRIM is enabled. What challenge does TRIM pose for data recovery?

129

An analyst retrieves a forensic image of a hard drive and discovers that the size reported by the operating system is smaller than the actual physical capacity. The extra space is not accessible through standard partition tools. This hidden area is MOST likely:

130

In an ext4 file system, a forensic analyst needs to examine the journal to recover recently deleted files. Where is the journal typically stored?

131

Which of the following is a Windows-based forensic suite that provides timeline analysis, keyword search, and file system browsing for forensic investigations?

132

A forensic investigator analyzing a RAID 5 array of three disks notices that one disk has failed. Can the investigator still reconstruct the data?

133

An analyst is examining a memory dump using Volatility and wants to identify network connections. Which TWO Volatility plugins can be used to list network connections?

134

Which THREE of the following are types of slack space that can contain hidden data on a hard disk?

135

A forensic analyst is recovering deleted files from an ext3 file system. Which TWO methods can be used to recover deleted inodes?

136

During a forensic investigation, you encounter a Windows system with an NTFS volume. The suspect claims they never used the recycle bin, but you find files in the $Recycle.bin folder. Which artifact can help you determine the original file path and deletion time?

137

An analyst is investigating a Linux server that suffered a data breach. The attacker deleted several log files. The analyst runs `debugfs /dev/sda1` and issues the command `lsdel`. What is the purpose of this command in the context of file recovery?

138

A forensic investigator recovers a hard drive from a suspect's computer. The drive is detected as 120 GB in BIOS, but forensic tools report only 100 GB of addressable space. Which data hiding technique is MOST likely being used?

139

During a forensic examination of a Windows 10 system, you find a file with an ADS named `:hidden.txt` attached to `legal.docx`. Using FTK Imager, you extract the ADS and discover it contains a list of passwords. Which tool or technique could also be used to identify this hidden data?

140

A security analyst is investigating a compromised Windows server and wants to capture the contents of RAM for analysis. Which of the following tools is specifically designed for this purpose?

141

During a forensic investigation, you encounter a RAID 5 array consisting of three 1 TB disks. The array is failed, and you need to reconstruct the original data. Which of the following approaches is MOST appropriate for data recovery?

142

A forensic analyst is examining a USB drive formatted with FAT32. A suspect claims they deleted a file several weeks ago. The analyst uses a carving tool but cannot recover the file. What is the MOST likely reason for the failed recovery?

143

Which of the following best describes the purpose of the Master File Table (MFT) in the NTFS filesystem?

144

An investigator acquires an SSD from a laptop that has been turned off for 24 hours. The suspect recently deleted several incriminating files. Using a forensic imager, the investigator creates a bit-for-bit copy. However, when analyzing the image, the deleted files' data appears to be zeros. What is the MOST likely cause?

145

A Linux system uses the ext4 filesystem. A forensic analyst needs to recover a recently deleted file. Which of the following methods is MOST likely to succeed if the file's inode has not been reallocated?

146

During a forensic examination of a Windows system, an analyst runs the Volatility plugin `netscan` on a memory dump. What information does this plugin primarily provide?

147

What is the primary difference between MBR and GPT partition tables?

148

Which TWO of the following are Volatility plugins used for process enumeration? (Select two.)

149

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select three.)

150

Which TWO of the following are examples of file carving tools? (Select two.)

151

A forensic analyst is examining a hard drive and needs to identify the number of sectors per track. Which component of the hard disk structure defines this?

152

During a forensic examination of a Windows system, an analyst finds a file that appears to be zero bytes in size when viewed in Windows Explorer, but the file's properties show a size on disk of 4 KB. What is the most likely explanation?

153

An analyst is investigating a Linux system that used ext4. The suspect deleted several files and then ran 'fstrim' on the partition. Which of the following best describes the challenge in recovering the deleted data?

154

A security analyst receives an image of a hard drive with a GPT partition table. Which of the following is a key difference between GPT and MBR that the analyst should consider?

155

Which file system uses a Master File Table ($MFT) as its central catalog for file metadata?

156

An analyst is recovering deleted files from a FAT32 file system. The file system uses a cluster size of 4096 bytes. The first cluster of a deleted file is cluster 100. Which structure contains the chain of clusters for this file?

157

During a forensic investigation, an analyst discovers data hidden in the Host Protected Area (HPA) of a hard drive. Which tool is commonly used to view and access the HPA?

158

An analyst is examining an NTFS volume and finds that a file's $MFT record indicates it is resident. What does this imply about the file's data?

159

Which forensic tool is specifically designed to recover lost partitions or file system structures and can also be used for data carving?

160

Which TWO of the following are challenges specific to SSD forensics compared to traditional HDD forensics?

161

An analyst is conducting memory forensics on a Windows system using Volatility. Which THREE commands can provide information about network connections?

162

Which TWO of the following are methods used to hide data within the NTFS file system?

163

In ext3/ext4 file systems, which THREE of the following are key structures used for file metadata and recovery?

164

Which TWO tools are commonly used for file carving during a forensic investigation?

165

Which TWO of the following are types of slack space that can contain forensic evidence?

166

During a forensic investigation, an analyst recovers a hard drive that uses GPT partitioning. The analyst needs to locate the backup GPT header to verify partition table integrity. Where is the backup GPT header typically stored on the disk?
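GPT keeps a second copy of its header in the last LBA of the disk, with the backup partition entry array immediately before it; the primary header at LBA 1 records that location in its "alternate LBA" field, and each header carries a CRC32 over itself (computed with the CRC field zeroed). The added example below (written for this page, not the site's own code) builds a tiny GPT disk image with both copies, then locates and validates the backup header from the primary's pointer and, when the primary is wiped, from the last-LBA rule alone. The disk size, GUID and empty partition array are constructed sample data.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_HEADER = struct.Struct("<8sIIII4Q16sQIII")   # 92-byte header, little-endian
FIELDS = ("signature", "revision", "header_size", "header_crc", "reserved",
          "current_lba", "alternate_lba", "first_usable", "last_usable",
          "disk_guid", "entries_lba", "n_entries", "entry_size", "entries_crc")
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed


def build_header(cur_lba, alt_lba, first_usable, last_usable, entries_lba,
                 entries_crc, n_entries=128, entry_size=128):
    raw = bytearray(GPT_HEADER.pack(
        b"EFI PART", 0x00010000, GPT_HEADER.size, 0, 0, cur_lba, alt_lba,
        first_usable, last_usable, SAMPLE_GUID.bytes_le, entries_lba,
        n_entries, entry_size, entries_crc))
    struct.pack_into("<I", raw, 16, zlib.crc32(raw))   # CRC over header with CRC field = 0
    return bytes(raw)


def parse_header(disk, lba):
    """Parse the header at `lba`; returns None if off-disk, else a dict with crc_ok."""
    raw = bytes(disk[lba * SECTOR: lba * SECTOR + GPT_HEADER.size])
    if len(raw) < GPT_HEADER.size:
        return None
    hdr = dict(zip(FIELDS, GPT_HEADER.unpack(raw)))
    size = hdr["header_size"] if 20 <= hdr["header_size"] <= len(raw) else len(raw)
    zeroed = bytearray(raw[:size])
    struct.pack_into("<I", zeroed, 16, 0)
    hdr["crc_ok"] = (hdr["signature"] == b"EFI PART"
                     and zlib.crc32(zeroed) == hdr["header_crc"])
    return hdr


def build_disk(total_sectors, n_entries=128, entry_size=128):
    """Constructed sample disk: protective MBR left blank, primary header at LBA 1,
    entries from LBA 2, backup entries before the last LBA, backup header in it."""
    disk = bytearray(total_sectors * SECTOR)
    entries = bytes(n_entries * entry_size)          # empty partition array
    entries_sectors = len(entries) // SECTOR
    entries_crc = zlib.crc32(entries)
    last_lba = total_sectors - 1
    first_usable = 2 + entries_sectors
    backup_entries_lba = last_lba - entries_sectors
    last_usable = backup_entries_lba - 1
    disk[SECTOR:2 * SECTOR] = build_header(1, last_lba, first_usable, last_usable,
                                           2, entries_crc).ljust(SECTOR, b"\0")
    disk[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    disk[backup_entries_lba * SECTOR:backup_entries_lba * SECTOR + len(entries)] = entries
    disk[last_lba * SECTOR:(last_lba + 1) * SECTOR] = build_header(
        last_lba, 1, first_usable, last_usable, backup_entries_lba,
        entries_crc).ljust(SECTOR, b"\0")
    return disk


def find_backup_header(disk):
    """Try the primary's alternate_lba first, then the last LBA of the disk."""
    last_lba = len(disk) // SECTOR - 1
    primary = parse_header(disk, 1)
    candidates = [primary["alternate_lba"]] if primary and primary["crc_ok"] else []
    candidates.append(last_lba)
    for lba in candidates:
        hdr = parse_header(disk, lba)
        if hdr and hdr["crc_ok"] and hdr["current_lba"] == lba and hdr["alternate_lba"] == 1:
            return lba, hdr
    return None, None


def verify_pair(disk):
    """Primary and backup must agree on GUID, usable range and entry-array CRC."""
    p = parse_header(disk, 1)
    lba, b = find_backup_header(disk)
    if not (p and p["crc_ok"] and b):
        return False
    same = all(p[k] == b[k] for k in ("disk_guid", "first_usable", "last_usable",
                                      "entries_crc", "n_entries", "entry_size"))
    return same and p["alternate_lba"] == lba
```

A backup header whose alternate_lba does not point back to LBA 1, or whose current_lba is not the last sector of the image, is the classic sign that the image was taken of a disk that was resized or of the wrong device size.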

167

An analyst is examining a Windows 10 system and discovers a file in the $Recycle.bin folder with a name like '$RABCDEF.txt'. The analyst wants to recover the original file path and deletion date. Which forensic artifact should the analyst examine?
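Each `$R` file in a user's `$Recycle.Bin\<SID>` folder holds the deleted content and is paired with an `$I` file of the same suffix that holds the metadata: an 8-byte version, the original size, the deletion time as a Windows FILETIME, and the original path (fixed 520-byte UTF-16LE field in version 1, length-prefixed in version 2 as used by Windows 10). The added example below (written for this page, not the site's own code) builds sample `$I` records in both versions and parses them back; the path, size and timestamp are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME (100-ns intervals since 1601-01-01)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_i_record(version, size, deleted, path):
    """Construct an $I record (sample data for this example)."""
    head = struct.pack("<QQQ", version, size, to_filetime(deleted))
    if version == 1:                                  # Vista to 8.1: 260 UTF-16 chars
        return head + path.encode("utf-16-le").ljust(520, b"\0")
    if version == 2:                                  # Windows 10+: char count + path
        enc = (path + "\0").encode("utf-16-le")
        return head + struct.pack("<I", len(path) + 1) + enc
    raise ValueError("unknown $I version %d" % version)


def parse_i_record(data):
    """Return version, original size, deletion time (UTC) and original path."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return {"version": version, "original_size": size,
            "deleted": from_filetime(ft), "original_path": path}


def i_name_for(r_name):
    """$R<id><ext> (content) pairs with $I<id><ext> (metadata) in the same folder."""
    if not r_name.startswith("$R"):
        raise ValueError("not a $R file name: %s" % r_name)
    return "$I" + r_name[2:]


# Constructed sample
SAMPLE_PATH = r"C:\Users\alice\Documents\secret.docx"
SAMPLE_DELETED = datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_i_record(2, 12345, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    print(i_name_for("$RABCDEF.txt"), parse_i_record(SAMPLE_V2))
```

The deletion timestamp comes only from the `$I` record; the `$R` file's own MFT timestamps reflect the rename into the recycle bin, not the user's action.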

168

During an investigation, an analyst uses the `vol -f mem.dmp windows.pslist` command (Volatility 3) and observes a process named 'svchost.exe' with PID 1234. Further analysis shows that this process has no parent process (PPID = 0). What is the MOST likely explanation for this anomaly?
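A parent PID that no longer resolves to a live process is routine (csrss.exe and wininit.exe are normally orphaned because the smss.exe instance that started them exits), but normal process creation always records the creator's PID, so a PPID of 0 on anything other than System is not something the OS produces on its own. The added example below (written for this page, not Volatility's or the site's own code) parses a constructed, abbreviated `windows.pslist` listing and separates the two cases: an "info" finding for a missing parent, an "anomaly" for PPID 0 or for a core process whose parent has the wrong name. The expected-parent table and the sample rows are assumptions made for the example.

```python
# Expected parent image names for core Windows processes (reference table
# constructed for this example).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Constructed sample resembling windows.pslist output, reduced to the first
# three columns (PID, PPID, ImageFileName).
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName
4\t0\tSystem
368\t4\tsmss.exe
452\t440\tcsrss.exe
528\t440\twininit.exe
620\t528\tservices.exe
636\t528\tlsass.exe
800\t620\tsvchost.exe
1234\t0\tsvchost.exe
3100\t2900\texplorer.exe
4200\t3100\tcmd.exe
"""


def parse_pslist(text):
    """Return {pid: {"pid", "ppid", "name"}} from pslist-style rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        pid, ppid, name = int(parts[0]), int(parts[1]), parts[2]
        procs[pid] = {"pid": pid, "ppid": ppid, "name": name}
    return procs


def check_parents(procs):
    """Flag parent/child relationships that do not match the expected tree."""
    findings = []
    for p in procs.values():
        name, ppid = p["name"], p["ppid"]
        if name == "System":
            continue                      # the only process expected to show PPID 0
        parent = procs.get(ppid)
        if ppid == 0:
            findings.append({"pid": p["pid"], "name": name, "severity": "anomaly",
                             "reason": "PPID 0 on a non-System process"})
        elif parent is None:
            if name in EXPECTED_PARENT:
                findings.append({"pid": p["pid"], "name": name, "severity": "info",
                                 "reason": "parent PID %d not in listing (exited or hidden)" % ppid})
        elif name in EXPECTED_PARENT and parent["name"] not in EXPECTED_PARENT[name]:
            findings.append({"pid": p["pid"], "name": name, "severity": "anomaly",
                             "reason": "unexpected parent %s (PID %d)" % (parent["name"], ppid)})
    return findings


def anomalies(procs):
    return [(f["pid"], f["name"]) for f in check_parents(procs) if f["severity"] == "anomaly"]


if __name__ == "__main__":
    for f in check_parents(parse_pslist(SAMPLE_PSLIST)):
        print(f)
```

Because pslist walks the kernel's linked process list, a finding like this is worth cross-checking against windows.psscan and windows.pstree, which do not depend on that list being intact.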

169

A forensic analyst is investigating a compromised Linux server running an ext4 file system. The analyst suspects the attacker deleted critical log files (e.g., /var/log/auth.log) and wants to recover them. Which TWO techniques would be MOST effective for recovering the deleted files?

170

An analyst is examining a Windows 10 system and suspects the use of NTFS alternate data streams (ADS) to hide malicious executables. Which THREE methods can the analyst use to detect hidden ADS on the system?

171

During a forensic analysis of an SSD, the analyst encounters challenges due to TRIM and wear-leveling. Which TWO statements accurately describe the impact of these features on data recovery?

172

An analyst is preparing to analyze a RAID 5 array of three disks. The analyst wants to reconstruct the logical volume for file system analysis. Which THREE steps are essential in this process?
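Reassembling a RAID 5 set means recovering three parameters the controller never writes to the members in a standard place: the member order, the stripe (chunk) size, and the parity rotation. The added example below (written for this page, not the site's own code) stripes a constructed byte string across three members with rotating parity, reassembles it, regenerates a missing member by XOR, and shows the caveat practitioners run into: a clean parity check proves the member set is complete and aligned but says nothing about order, rotation or chunk size, so assembling with the wrong rotation still passes parity and still yields garbage. The chunk size and the two rotation schemes (parity moving backwards or forwards one member per stripe, data filling the remaining members in order) are assumptions made for the example.

```python
from functools import reduce


def xor_bytes(*chunks):
    """Bytewise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def parity_disk(row, n_disks, rotation):
    """Member holding parity for stripe `row`: 'left' rotates backwards from
    the last member, 'right' rotates forwards from the first."""
    return (n_disks - 1 - row % n_disks) if rotation == "left" else (row % n_disks)


def split_raid5(data, n_disks, chunk, rotation="left"):
    """Stripe `data` across n_disks members (constructs the sample array)."""
    per_row = chunk * (n_disks - 1)
    data = data + b"\0" * (-len(data) % per_row)
    disks = [bytearray() for _ in range(n_disks)]
    for row in range(len(data) // per_row):
        base = row * per_row
        pieces = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(n_disks - 1)]
        p = parity_disk(row, n_disks, rotation)
        it = iter(pieces)
        for d in range(n_disks):
            disks[d] += xor_bytes(*pieces) if d == p else next(it)
    return [bytes(d) for d in disks]


def assemble_raid5(disks, chunk, rotation="left"):
    """Rebuild the logical volume from ordered members, skipping parity chunks."""
    n = len(disks)
    out = bytearray()
    for row in range(len(disks[0]) // chunk):
        p = parity_disk(row, n, rotation)
        for d in range(n):
            if d != p:
                out += disks[d][row * chunk:(row + 1) * chunk]
    return bytes(out)


def parity_consistent(disks):
    """True when XOR of all members is zero everywhere. This validates that the
    set is complete and aligned; it does not reveal order, rotation or chunk size."""
    return not any(xor_bytes(*disks))


def rebuild_member(disks, missing):
    """Regenerate one missing member (disks[missing] is None) from the others."""
    return xor_bytes(*(d for i, d in enumerate(disks) if i != missing))


# Constructed sample volume: 768 bytes striped over 3 members in 64-byte chunks.
SAMPLE_DATA = bytes(range(256)) * 3
SAMPLE_DISKS = split_raid5(SAMPLE_DATA, 3, 64, "left")

if __name__ == "__main__":
    print("parity ok:", parity_consistent(SAMPLE_DISKS))
    print("assembled matches:", assemble_raid5(SAMPLE_DISKS, 64, "left") == SAMPLE_DATA)
    print("wrong rotation matches:", assemble_raid5(SAMPLE_DISKS, 64, "right") == SAMPLE_DATA)
```

In practice the parameters are confirmed by looking for file system structures (a boot sector at the start of the assembled volume, a consistent $MFT or superblock) rather than by parity alone, and images of all members are taken before any assembly is attempted.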

Frequently asked questions

What does the Storage Forensics and File System Analysis domain cover on the CHFI exam?

The Storage Forensics and File System Analysis domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Storage Forensics and File System Analysis questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 172 questions in the Storage Forensics and File System Analysis domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Storage Forensics and File System Analysis for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Storage Forensics and File System Analysis questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Storage Forensics and File System Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
