Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Evidence Acquisition and Duplication

Practice CHFI Evidence Acquisition and Duplication questions with full explanations on every answer.


All CHFI Evidence Acquisition and Duplication questions (20)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

2. You are imaging a suspect's hard drive using a write blocker and the dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

3. A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

4. During a network forensic investigation, you need to capture live network traffic from a switch SPAN port. Which tool would best capture the traffic in a forensically sound manner?

5. You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

6. Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

7. During a forensic acquisition, you notice that the target drive has bad sectors. What is the best approach to acquire the drive?

8. Which TWO of the following are valid methods for acquiring volatile data from a live Windows system? (Choose two.)

9. Which THREE of the following are acceptable best practices when acquiring evidence from a mobile device? (Choose three.)

10. The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

11. Based on the acquisition log, what can be concluded about the integrity of the acquired image?

12. You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 system that may contain evidence of unauthorized access. The server is running and logged in with administrative privileges. The server has 32 GB of RAM, a 1 TB SSD (BitLocker-encrypted, but unlocked), and is connected to the corporate network. The server is running several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?

13. During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

14. Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

15. You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available:
A. Immediately pull the power cord to perform a cold acquisition of the hard drive.
B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging.
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running.
D. Use the built-in Windows backup to create a system image to an external drive.
Which action is the most appropriate first step in this scenario?

16. During acquisition of a live Linux server, the forensic examiner runs the following command:

# dd if=/dev/sda of=/mnt/evidence/disk.dd conv=noerror,sync bs=4k

Which TWO statements are true about this acquisition?

17. Refer to the exhibit. An investigator runs fsstat and dstat on a captured image. What is the total capacity of the volume?

18. You are a forensic investigator responding to a data breach at a financial institution. The compromised server is a Windows Server 2019 system running a custom trading application. The server is still powered on and connected to the production network. The incident response team has instructed you to acquire forensic evidence while minimizing downtime. The server has 2 TB of storage with 500 GB used. You have a forensic workstation with a write blocker and an empty 2 TB external drive. The server's RAM is 64 GB. You need to acquire both volatile data (RAM) and a forensic image of the disk. However, the legal team requires a verified bit-for-bit copy with cryptographic hash verification. Additionally, the server's performance is critical; acquiring RAM over the network is not feasible due to bandwidth constraints. Which of the following is the best course of action?

19. Drag and drop the steps to conduct a memory acquisition using DumpIt on a Windows system into the correct order.

20. Match each network protocol to its well-known port number (TCP/UDP).


Frequently asked questions

What does the Evidence Acquisition and Duplication domain cover on the CHFI exam?

The Evidence Acquisition and Duplication domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Evidence Acquisition and Duplication questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 20 questions in the Evidence Acquisition and Duplication domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Evidence Acquisition and Duplication for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Evidence Acquisition and Duplication questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Evidence Acquisition and Duplication domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
