Practice CHFI OS and File System Forensics questions with full explanations on every answer.
1. During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?
2. A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?
3. During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?
4. Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?
5. You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?
6. During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?
7. A forensic analyst is reviewing the syslog from a compromised Linux server. Based on the exhibit, what does the 'orphan inode deleted' message indicate?
8. You are a forensic investigator responding to an incident on a Windows 10 workstation used by a finance manager. The user reports that a critical spreadsheet containing quarterly budget data was accidentally deleted from the Desktop yesterday at approximately 3:00 PM. The system has been used normally since then, and the user has not emptied the Recycle Bin. You have created a forensic image of the drive using FTK Imager. The Recycle Bin contains a file named 'Quarterly_Budget.xlsx', but it appears to be a shortcut (size 1 KB). The user insists the original file was several megabytes. You need to recover the original file. Which action should you take next?
9. Drag and drop the steps to perform a forensic analysis of a Windows registry using RegRipper into the correct order.
10. Match each forensic acquisition method to its description.
The OS and File System Forensics domain covers the key concepts tested in this area of the CHFI exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CHFI domains — no account required.
The Courseiva CHFI question bank contains 10 questions in the OS and File System Forensics domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the OS and File System Forensics domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.