Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCHFIDomainsNetwork and Cloud Forensics
CHFIFree — No Signup

Network and Cloud Forensics

Practice CHFI Network and Cloud Forensics questions with full explanations on every answer.

27questions

Start practicing

Network and Cloud Forensics — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CHFI Domains

Computer Forensics Investigation ProcessComputer Forensics Fundamentals and ProcessStorage Forensics and File System AnalysisIncident Response and First Responder SkillsComputer Forensics LabEvidence Acquisition and DuplicationOS and Network ForensicsOS and File System ForensicsApplication, Email and Cloud ForensicsMobile and Malware ForensicsNetwork and Cloud ForensicsDatabase and Application ForensicsMalware Forensics

Practice Network and Cloud Forensics questions

10Q20Q30Q50Q

All CHFI Network and Cloud Forensics questions (27)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

2

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

3

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

4

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

5

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

6

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

7

During a network forensic investigation, the analyst recovers a PCAP file. What type of information can be directly extracted from this file?

8

An investigator is analyzing cloud storage logs and finds an entry showing that a file was accessed using the root credentials from an IP address in a different geographic region. The organization has strict policies against root usage. What should the investigator do FIRST?

9

A forensic analyst is examining a network intrusion detection system (NIDS) alert that triggered on a packet with the FIN, PSH, and URG flags set. What type of scan does this indicate?

10

Which TWO of the following are common challenges in cloud forensics?

11

Which THREE of the following are essential steps in network forensic investigation?

12

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

13

Based on the ARP table exhibit, what is the most likely security issue?

14

An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?

15

Based on the log exhibit, what type of attack is occurring?

16

You are a forensic investigator for a healthcare organization that uses a hybrid cloud model. Your team receives an alert that a large amount of protected health information (PHI) was exfiltrated from an AWS S3 bucket to an external IP address. The organization uses AWS CloudTrail for API logging and VPC Flow Logs for network traffic. The incident occurred between 02:00 and 03:00 UTC. Upon reviewing CloudTrail logs, you see that the bucket policy was modified at 01:55 UTC to allow public read access, and then a series of GetObject requests from an IP address in a foreign country occurred. The VPC Flow Logs show outbound traffic from the bucket's VPC to that IP. The bucket policy change was made using the root user credentials of the AWS account. The organization has multi-factor authentication (MFA) enabled for all users, including root. However, the CloudTrail log for the policy change does not indicate MFA usage. You need to determine the most likely root cause of the breach. Which of the following is the most plausible explanation?

17

You are investigating a network breach at a financial institution. The organization uses a network-based intrusion detection system (NIDS) and maintains full packet capture (PCAP) for critical segments. The incident allegedly started with a spear-phishing email that delivered a remote access trojan (RAT). The security team has isolated the infected host and provided you with a disk image of the host and a PCAP file covering the network traffic from the host for the 24-hour period before isolation. In the PCAP, you see a series of TCP connections from the host to an external IP address on port 443 (HTTPS). The external IP is known to be associated with a command-and-control (C2) server. However, the disk image shows no evidence of the RAT binary or any malicious files. The host's antivirus logs are clean. Which of the following is the most likely explanation for the lack of evidence on the disk?

18

During a forensic investigation of a cloud environment, a forensic analyst discovers that the virtual machine (VM) used by a suspect was terminated three days prior. The cloud provider offers snapshots, backups, and instance metadata. Which of the following is the BEST course of action to recover forensic evidence?

19

A forensic investigator needs to capture network traffic from a SPAN port on a switch to analyze an ongoing compromise. Which tool should the investigator use to collect the full packet capture (pcap) for later analysis?

20

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

21

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

22

During a forensic investigation, the analyst runs netstat -ano on a compromised workstation. Based on the exhibit, which connection is MOST suspicious and should be investigated further?

23

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

24

During a cloud forensic investigation of an AWS EC2 instance, which TWO sources should be preserved to capture volatile data before instance termination?

25

You are investigating a network breach at a financial institution. The perimeter firewall logs show an inbound connection from IP 203.0.113.5 to the internal web server (192.168.1.10) on TCP port 443 at 02:34:12 UTC. At 02:34:15, an outbound connection from the web server to an external IP 198.51.100.20 on TCP port 80 is logged. Simultaneously, a network intrusion detection system (NIDS) detected a SQL injection payload in the inbound HTTP request. The web server's access logs show a successful login to the admin panel at 02:34:18 from the same external IP 203.0.113.5. The database server (192.168.1.20) logs show a query execution at 02:34:20 that exported customer records. The company uses a jump box for administrative access, and all admin sessions are logged. The jump box logs show no activity during the incident. The web server hosts a public-facing application and is in a DMZ. The database server is in the internal network, with a firewall rule allowing only the web server to connect to it on TCP port 3306. Which course of action is MOST appropriate to determine the root cause and scope?

26

Drag and drop the steps to create a forensic timeline using the Sleuth Kit (TSK) and log2timeline into the correct order.

27

Match each forensic artifact to its location in Windows (typical).

Practice all 27 Network and Cloud Forensics questions

Other CHFI exam domains

Computer Forensics Investigation ProcessComputer Forensics Fundamentals and ProcessStorage Forensics and File System AnalysisIncident Response and First Responder SkillsComputer Forensics LabEvidence Acquisition and DuplicationOS and Network ForensicsOS and File System ForensicsApplication, Email and Cloud ForensicsMobile and Malware ForensicsDatabase and Application ForensicsMalware Forensics

Frequently asked questions

What does the Network and Cloud Forensics domain cover on the CHFI exam?

The Network and Cloud Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.

How many Network and Cloud Forensics questions are in the CHFI question bank?

The Courseiva CHFI question bank contains 27 questions in the Network and Cloud Forensics domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Network and Cloud Forensics for CHFI?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Network and Cloud Forensics questions for CHFI?

Yes — the session launcher on this page draws questions exclusively from the Network and Cloud Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CHFI domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

CEHCS0-003CISA