Practice CHFI Incident Response and First Responder Skills questions with full explanations on every answer.
1. An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?
2. A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?
3. During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?
4. A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?
5. You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?
6. During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?
7. A first responder is called to investigate a potential insider threat. The suspect's computer is turned off. What is the BEST procedure?
8. A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)
9. During the initial response to a suspected data exfiltration, which THREE pieces of volatile data should be collected first? (Choose three.)
10. Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?
11. Refer to the exhibit. A first responder runs the command on a Linux server. Which process should be considered MOST suspicious and investigated immediately?
12. You are a first responder for a medium-sized company with 500 employees. The incident response team has been alerted to a possible data breach involving the CEO's laptop, which is a Windows 10 system. The CEO reports that the laptop has been acting strangely, with unusual pop-ups and slow performance. The laptop is currently powered on and connected to the corporate network via Wi-Fi. The CEO is logged in and has several applications open, including email and a web browser. The security team suspects malware may be exfiltrating sensitive documents. As the first responder, you must decide the best course of action to preserve evidence and contain the threat while minimizing impact on business operations. Which action should you take FIRST?
13. During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?
14. Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)
15. Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?
16. You are a first responder for a medium-sized enterprise. The Help Desk received multiple reports that users cannot access the company's internal web application (app.example.com) hosted on a Windows Server 2019 VM. The server is also running a MySQL database and an FTP service for file transfers. You remote into the server and find that the web server (IIS) is still running, but the application pool is stopped. The event logs show multiple failed logon attempts from an external IP address (198.51.100.23) for the local administrator account around the time the issues started. The FTP service log shows successful anonymous logins from the same IP minutes before the web app failure. The MySQL log shows a query 'DROP TABLE users;' executed at 03:15 AM. The current time is 04:00 AM. What immediate action should you take?
17. During the initial response to a suspected data breach, a first responder discovers a live system with active network connections. The responder needs to preserve evidence while minimizing alteration. Which of the following is the MOST appropriate first step?
18. Which TWO actions are essential for a first responder when securing an incident scene involving a compromised server? (Select exactly two.)
19. Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?
20. Drag and drop the steps to capture network traffic with Wireshark for forensic analysis into the correct order.
21. Drag and drop the steps to perform a forensic analysis of a USB drive to identify the connected computer using Windows artifacts into the correct order.
22. Match each file system to its typical maximum volume size (as commonly encountered).
23. Match each log type to its typical content.
The Incident Response and First Responder Skills domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 23 questions in the Incident Response and First Responder Skills domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Incident Response and First Responder Skills domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.