Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCHFIDomainsMalware Forensics
CHFIFree — No Signup

Malware Forensics

Practice CHFI Malware Forensics questions with full explanations on every answer.

16questions

Start practicing

Malware Forensics — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CHFI Domains

Computer Forensics Investigation ProcessComputer Forensics Fundamentals and ProcessStorage Forensics and File System AnalysisIncident Response and First Responder SkillsComputer Forensics LabEvidence Acquisition and DuplicationOS and Network ForensicsOS and File System ForensicsApplication, Email and Cloud ForensicsMobile and Malware ForensicsNetwork and Cloud ForensicsDatabase and Application ForensicsMalware Forensics

Practice Malware Forensics questions

10Q20Q30Q50Q

All CHFI Malware Forensics questions (16)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

2

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

3

A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?

4

During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?

5

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

6

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

7

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

8

You are a forensic analyst investigating a suspected malware infection on a Windows 10 workstation. The user reports that the system has been slow and that unexpected pop-ups appear. You have acquired a memory dump and a disk image. During analysis, you find a suspicious process named 'svch0st.exe' running with PID 4567. The process has loaded several DLLs, including 'wininet.dll' and 'ws2_32.dll'. You also find that the process has an active TCP connection to an external IP address 203.0.113.5 on port 4444. In the disk image, you find an executable file at C:\Users\Public\svch0st.exe with a creation date that matches the start of symptoms. The file's hash is not in any known malware database. You decide to perform dynamic analysis by running the file in a sandbox. However, the sandbox environment has no network connectivity. The executable runs but does not exhibit any malicious behavior. What should you do next to determine if the file is malicious?

9

Which TWO techniques are commonly used to evade detection by antivirus software in packed malware?

10

Based on the exhibit, what is the most likely indication of malware persistence?

11

You are investigating a Windows 10 workstation that exhibits slow performance and frequent pop-ups. The user reports that the system started acting strangely after installing a 'PDF Converter' from an email attachment. You suspect malware. You have captured a memory dump using FTK Imager and a network capture during the infection. In the memory dump, you find a suspicious process 'conhost.exe' running from a non-standard location (C:\Users\Public\Temp). The process has an open handle to a file named 'config.ini' in the same directory. The network capture shows periodic HTTPS connections to 'malicious.com' on port 443 from the workstation's IP. Using Volatility, you extract the process's command line: 'conhost.exe -hidden -log C:\Users\Public\Temp\output.log'. Which of the following is the BEST immediate course of action to contain the threat and preserve evidence?

12

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

13

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

14

You are a forensic analyst investigating a Windows workstation that shows signs of malware infection. The user reports that the system is slow, network activity is high, and several files have been encrypted with a .encrypted extension. A ransom note named README.txt has been left on the desktop demanding payment. You have acquired a memory dump using FTK Imager and a disk image using dd. You need to identify the malware family and gather indicators of compromise (IOCs). Which of the following is the MOST appropriate first step?

15

Drag and drop the steps to perform a forensic analysis of email headers to trace the origin of a spam email into the correct order.

16

Match each steganography technique to its carrier medium.

Other CHFI exam domains

Computer Forensics Investigation ProcessComputer Forensics Fundamentals and ProcessStorage Forensics and File System AnalysisIncident Response and First Responder SkillsComputer Forensics LabEvidence Acquisition and DuplicationOS and Network ForensicsOS and File System ForensicsApplication, Email and Cloud ForensicsMobile and Malware ForensicsNetwork and Cloud ForensicsDatabase and Application Forensics

Frequently asked questions

What does the Malware Forensics domain cover on the CHFI exam?

The Malware Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Malware Forensics questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 16 questions in the Malware Forensics domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Malware Forensics for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Malware Forensics questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Malware Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CHFI domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

CEHCS0-003CISA