Practice CHFI Database and Application Forensics questions with full explanations on every answer.
1. During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?
2. A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?
3. An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?
4. During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?
5. A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?
6. Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?
7. Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?
8. Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?
9. You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?
10. During a database forensic investigation, an analyst finds that the SQL Server transaction log contains gaps. Which TWO actions should the analyst take to preserve evidence integrity and recover missing transactions?
11. Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?
12. You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?
13. During a database forensic investigation, an analyst recovers a MySQL binary log file (binlog.000012) from a compromised server. Which command should the analyst use to extract the actual SQL statements from this binary log in a human-readable format?
14. Refer to the exhibit. A database administrator finds the above error log entries when attempting to start the MySQL service. The server was working fine yesterday. What is the most likely cause of this issue?
15. A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?
16. Drag and drop the steps to perform a forensic examination of a mobile device (Android) using Cellebrite UFED into the correct order.
17. Match each file carving technique to its description.
The Database and Application Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 17 questions in the Database and Application Forensics domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Database and Application Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.