EC-Council · Free Practice Questions · Last reviewed May 2026
78 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

Domain: Computer Forensics Investigation Process

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?
A. Decrypt the drive using the recovery key and then create a forensic image.
B. Run a live analysis tool to extract encryption keys from memory.
C. Create a forensic image of the encrypted drive, then decrypt the image.
D. Boot the suspect computer and copy files to an external drive.
Answer: C. This preserves the original encrypted state and allows analysis of the decrypted image.

A CHFI analyst is called to investigate a suspected data breach. The IT team has already shut down the server. Which of the following is the most appropriate order of actions to preserve evidence?
A. Immediately power on the server to check for running processes.
B. Copy all files from the server to an external USB drive.
C. Run an antivirus scan to ensure no malware is present before imaging.
D. Secure the scene, photograph the setup, document connections, remove hard drives, and create forensic images using a write-blocker.
Answer: D. This follows proper forensic procedure: secure, document, collect, image with a write-blocker.

An incident responder has acquired a forensic image of a Linux server suspected of being compromised. The image was taken using 'dd' with no compression. The analyst needs to verify the integrity of the image. Which command should be used and what should be compared?
A. Use 'cmp' to compare the image byte-by-byte with the original drive.
B. Use 'md5sum image.dd' and compare with the original file's MD5 hash provided by the system administrator.
C. Run 'fsck' on the image to check for filesystem errors.
D. Use 'sha256sum image.dd' and compare with the hash computed during acquisition from the source device.
Answer: D. SHA-256 is strong, and comparing with the hash from the source verifies integrity.

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?
A. Identification of potential evidence
B. Data recovery from damaged media
C. Deletion of irrelevant data
D. Preservation of the integrity of evidence
E. Public disclosure of findings
Answer: A and D. Identification is the first step in the forensic process. Preservation is critical to maintain chain of custody.

An analyst executed the commands shown in the exhibit on a Windows system to prepare a forensic image for analysis. What is the most likely reason for the error message from e2fsck?
A. The analyst failed to properly dismount the source volume before imaging, leading to filesystem inconsistencies.
B. The forensic image was not acquired with a write-blocker, causing data corruption.
C. The image file contains an NTFS filesystem, but e2fsck is designed for ext filesystems.
D. The e2fsck command syntax is incorrect; it should be 'e2fsck -f -n' instead.
Answer: A. The fsutil dismount command was run on C:, but the image was taken later, possibly without ensuring the volume was cleanly unmounted.

You are a CHFI analyst responding to a security incident at a medium-sized financial firm. The IT team reports that an employee's workstation (Windows 10, single SSD) was used to access sensitive customer data without authorization. The workstation is still running, and the employee is currently logged in. The IT team has isolated the machine from the network but has not powered it off. You have been called to perform forensic acquisition. The company policy requires preservation of volatile data and a full disk image. The machine has 16 GB RAM and a 512 GB SSD. You have a forensic toolkit including FTK Imager, win32dd (for memory acquisition), and a write-blocker. Which of the following is the best course of action?
A. Use win32dd to capture the contents of RAM to an external drive, then use FTK Imager to create a physical image of the SSD over the network to a secure share.
B. Perform a graceful shutdown via the operating system, then remove the SSD and image it using a hardware write-blocker.
C. Boot the workstation from a forensic live CD, then use 'dd' to image the SSD to an external USB drive.
D. Immediately shut down the workstation by unplugging the power cord, remove the SSD, and create a forensic image using a write-blocker on a forensic workstation.
Answer: A. This captures memory first (volatile data) and then acquires a disk image while the system is still running, preserving evidence.

Domain: Computer Forensics Fundamentals and Process

A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?
A. Photograph the scene and secure the area
B. Connect a write blocker and create a forensic image immediately
C. Immediately shut down the computer to prevent data alteration
D. Pull the power cord to ensure the system does not shut down normally
Answer: A. Securing and photographing the scene ensures preservation of the original state.

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. What is the primary purpose of using a hardware write blocker?
A. To prevent the operating system from writing to the source drive
B. To speed up the data transfer rate during imaging
C. To compress the forensic image to save storage space
D. To automatically hash the drive contents for integrity verification
Answer: A. This is the core function: blocking write commands to preserve evidence.

A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?
A. Tableau write blocker
B. EnCase
C. FTK Imager
D. dd
Answer: C. FTK Imager includes a memory capture feature that preserves the system state.

During a forensic investigation, an analyst creates a forensic image using `dcfldd` with the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=10M`. What is the purpose of the `hashwindow` parameter?
A. It limits the total amount of data to hash to 10 MB
B. It creates a hash for every 10 MB block of data
C. It sets the hash algorithm to SHA-256
D. It enables error correction for every 10 MB
Answer: B. This allows verification of each 10 MB segment independently.

What is the primary goal of the chain of custody in a digital forensic investigation?
A. To maintain the integrity and admissibility of evidence
B. To encrypt the evidence during transport
C. To speed up the forensic analysis process
D. To ensure that the forensic tools used are properly licensed
Answer: A. This is the main purpose: to show that evidence has not been tampered with.

A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?
A. The file system is intact and readable
B. The image is an exact bit-for-bit copy of the original drive
C. The drive contains malware
D. The drive was not encrypted
Answer: B. Hash matching verifies data integrity.

Domain: Storage Forensics and File System Analysis

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?
A. HFS+
B. GPT
C. APFS
D. MBR
Answer: D. MBR uses 32-bit partition table entries with a maximum partition size of 2 TB.

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?
A. File Allocation Table (FAT)
B. Master File Table (MFT)
C. Journal
D. Inode table
Answer: A. FAT stores cluster chains; deleted files may have their directory entries and FAT chains intact.

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?
A. FTK Imager
B. Foremost
C. Autopsy
D. Volatility
Answer: B. Foremost is a command-line file carver that recovers files based on headers, footers, and data structures.

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?
A. Volume slack
B. Free space
C. RAM slack
D. File slack
Answer: D. File slack is the unused space in the last cluster of a file that may contain data from other files.

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?
A. dd
B. scalpel
C. foremost
D. debugfs
Answer: D. debugfs can be used to inspect and recover files from ext file systems by inode.

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?
A. USN Journal
B. MFT
C. Alternate Data Streams (ADS)
D. Slack space
Answer: C. ADS allows hiding data in separate streams attached to a file.

Domain: Incident Response and First Responder Skills

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?
A. Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
B. Immediately disconnect the system from the network to contain the threat.
C. Check the Windows Event Logs for related entries.
D. Reboot the system to clear any malicious processes from memory.
Answer: A. Memory capture preserves running processes, network connections, and other volatile data crucial for analysis.

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?
A. Capture disk image, then memory, then network connections.
B. Record network connections, capture disk image, then memory.
C. Capture memory, record network connections, acquire disk image, then collect backups.
D. Collect backups first, then disk image, then memory.
Answer: C. This follows the correct order of volatility from most to least volatile.

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?
A. Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
B. Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M
C. Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
D. Use dd if=/dev/sda1 of=/mnt/evidence/image.dd
Answer: B. dd copying the entire disk (/dev/sda) creates a complete forensic image.

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?
A. Begin capturing a memory dump using a forensic tool.
B. Power off the computer immediately to preserve the disk.
C. Photograph the screen to document the current state.
D. Ask the user to log off so the system can be imaged.
Answer: C. Documentation of the live state is critical before any collection.

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?
A. Acquire a memory dump using a tool like WinPmem.
B. Collect the Windows Event Logs.
C. Export the contents of the Windows Registry.
D. Create a forensic image of the hard drive.
Answer: A. Memory is the most volatile and must be captured first.

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?
A. Use a write blocker when acquiring the disk image.
B. Compute a SHA-256 hash of the acquired image immediately after collection and record it in the chain of custody form.
C. Document every person who handled the evidence.
D. Place the evidence in an evidence bag and lock it in a secure room.
Answer: B. Hashing provides a verifiable integrity check.

Domain: Computer Forensics Lab

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?
A. dd
B. FTK Imager Lite
C. EnCase
D. WinHex
Answer: B. FTK Imager Lite is designed to capture RAM from a live system without altering the system's state.

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?
A. Deploy multiple forensic workstations to parallelize tasks
B. Use a segmented network to isolate forensic tools
C. Encrypt all data in transit over the network
D. Implement hardware write-blockers on all acquisition stations
Answer: D. Write-blockers prevent any writes to the source drive, ensuring integrity.

A forensic analyst is troubleshooting a write-blocker that is not working correctly. The analyst connected the write-blocker between the suspect drive and the forensic workstation, but the workstation still shows the drive as writable. What is the most likely cause?
A. The suspect drive was connected before the write-blocker was powered on
B. The write-blocker does not have external power
C. The suspect drive uses SATA but the write-blocker is USB-only
D. The write-blocker is connected to the suspect drive's output port
Answer: A. Connecting the drive before powering the write-blocker can bypass the write-block.

A forensic lab is establishing a chain of custody procedure. Which practice is considered best according to CHFI guidelines?
A. Require biometric authentication for all lab personnel
B. Store evidence in a secure room with limited access
C. Use encryption to protect evidence files
D. Document every transfer of evidence with signatures and timestamps
Answer: D. Documentation is key to maintaining chain of custody.

Which TWO of the following are essential components of a computer forensics lab according to CHFI best practices?
A. Server farm for data processing
B. Evidence storage area with controlled access
C. Public-facing website for case management
D. Coffee machine for staff convenience
E. Forensic workstation with specialized software
Answer: B and E. An evidence storage area with controlled access is critical for evidence integrity; a forensic workstation is required for analysis.

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?
A. Maintain a detailed chain of custody log
B. Generate cryptographic hashes of evidence files
C. Use hardware write-blockers during acquisition
D. Perform regular backups of all evidence
E. Run antivirus scans on evidence before analysis
Answer: A, B and C. The chain of custody log documents handling and prevents tampering; hashes verify that evidence has not been altered; write-blockers prevent modification of the source drive.

Domain: Evidence Acquisition and Duplication

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?
A. LiME
B. DumpIt
C. FTK Imager
D. Belkasoft RAM Capturer
Answer: D. Belkasoft RAM Capturer is designed for Windows live RAM acquisition and is stable.

You are imaging a suspect's hard drive using a write blocker and the dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?
A. The dd command used a different block size
B. The write blocker malfunctioned and allowed writes to the original drive
C. The dd command compressed the output
D. The image file was corrupted during transfer
Answer: B. If the original drive was modified during acquisition, the hashes will differ.

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?
A. Acquire each disk individually, then reconstruct the array using software
B. Acquire only one disk because RAID 5 can be reconstructed from a single disk
C. Use a hardware write blocker that supports RAID
D. Connect the RAID array to a similar controller and acquire as a single drive
Answer: A. This is the standard method when the controller is unavailable.

During a network forensic investigation, you need to capture live network traffic from a switch SPAN port. Which tool would best capture the traffic in a forensically sound manner?
A. Nmap
B. Wireshark
C. Netcat
D. Tcpdump
Answer: B. Wireshark captures packets and can save them in standard formats.

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?
A. Remove the drive and use a forensic bridge that supports SED
B. Power off the laptop and image the drive using a hardware write blocker
C. Acquire a logical image from the running operating system
D. Boot from a forensic live CD and image the drive
Answer: C. Since the system is logged in, the data is decrypted and accessible.

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?
A. To decrypt the drive during acquisition
B. To prevent any writes to the original evidence drive
C. To compress the acquired image
D. To increase the speed of the acquisition
Answer: B. This ensures the integrity of the evidence.

Domain: OS and Network Forensics

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?
A. A failed logon attempt
B. A successful user logon
C. A service was installed
D. A new user account was created
Answer: A. 4625 is the event ID for a failed logon.

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?
A. /var/log/syslog
B. ~/.bash_history
C. /proc/1/cmdline
D. /etc/shadow
Answer: B. This file logs commands entered in bash.

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?
A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Answer: C. Tracks USB storage devices and their first/last connect times.

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?
A. 7045
B. 4624
C. 4648
D. 4720
Answer: A. Service installation event.

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?
A. .plist files
B. FSEvents
C. Unified logging (log command)
D. Console.app logs
Answer: C. Centralized logging system for macOS.

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?
A. Jump lists
B. ShellBags
C. Prefetch files
D. LNK files
Answer: D. LNK files track file access via shortcuts.

Domain: OS and File System Forensics

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?
A. Use 'foremost' to carve files based on file headers and footers.
B. Use 'grep -a' to search the raw disk for file signatures.
C. Use 'scalpel' to perform a deep scan of the filesystem.
D. Use 'extundelete' to recover files from the ext4 filesystem.
Answer: A. Foremost is a file carving tool that recovers files by scanning for known headers/footers, making it effective for partially overwritten filesystems.

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?
A. NTUSER.DAT hive, key 'Control Panel\Desktop\'
B. SYSTEM hive, key 'CurrentControlSet\Control\Windows\', value 'ShutdownTime'
C. SOFTWARE hive, key 'Microsoft\Windows NT\CurrentVersion\'
D. SAM hive, key 'SAM\Domains\Account\Users\'
Answer: B. The 'ShutdownTime' value in this key records the last system shutdown time, which can be used to infer the last boot time (as the system boots after shutdown).

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?
A. Use the 'dd' command to create a raw image without a write blocker.
B. Connect the drive to a forensic workstation and use the operating system's copy command.
C. Use a hardware write blocker and create a bit-stream image.
D. Format the drive before imaging to ensure no hidden data is missed.
Answer: C. A write blocker ensures no data is altered on the original drive during acquisition.

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?
A. SYSTEM\CurrentControlSet\Enum\USBSTOR registry key
B. Amcache.hve file
C. SetupAPI.dev.log file
D. Event Logs with source 'Device Setup'
E. C:\Windows\Prefetch folder
Answer: A and C. The USBSTOR key enumerates all USB storage devices that have been connected to the system. SetupAPI.dev.log records Plug and Play device installations, including USB devices.

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?
A. Boot the server using a forensic live CD, connect an external USB drive to the server, and use 'dd' to create a raw image on the external drive.
B. Use the server's built-in backup utility to create a system state backup and copy it to a network share.
C. Remove the hard drive, connect it via a write blocker to the forensic workstation, and then use 'dd' over a network connection to send the image to a remote server.
D. Remove the hard drive, connect it via a write blocker to the forensic workstation, and create an EWF (E01) image stored locally on the forensic workstation's internal drive.
Answer: D. This method uses a write blocker to preserve integrity, and the EWF format provides compression and metadata for efficient analysis.

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?
A. $LogFile
B. $Boot file
C. $MFT (Master File Table)
D. $Volume
E. $Bitmap
Answer: A and C. The $LogFile records metadata changes, including deletions, and can help reconstruct file history. The MFT contains file records; even after deletion, the record may remain until overwritten.

Domain: Application, Email and Cloud Forensics

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?
A. Cross-site scripting (XSS)
B. Path traversal
C. Remote file inclusion
D. SQL injection
Answer: D. The UNION SELECT clause indicates an attempt to extract data from the database.

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?
A. The email was sent on a weekend
B. The DKIM signature uses the RSA-SHA256 algorithm
C. The X-Originating-IP header is present
D. The Received header shows the email came from a server not owned by legitbank.com
Answer: D. Legitimate emails from legitbank.com would originate from their own mail servers, not attacker.com.

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?
A. Collect the container's log files from /var/log/
B. Create a memory dump of the container's process
C. Export the container's filesystem using docker export
D. Run docker attach to reconnect to the container
Answer: C. docker export creates a tar archive of the container's filesystem, preserving persistent data.

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?
A. AWS CloudTrail
B. VPC Flow Logs
C. Amazon S3 access logs
D. AWS Config
Answer: A. CloudTrail is the audit log for API activity in AWS.

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?
A. Wireshark
B. Volatility
C. EmailTracker
D. FTK Imager
Answer: C. EmailTracker is purpose-built for email header forensics.

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?
A. Server-side request forgery (SSRF)
B. SQL injection
C. Webshell
D. Cross-site request forgery (CSRF)
Answer: C. A webshell allows remote command execution via a script file placed on the server.

Domain: Mobile and Malware Forensics

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?
A. Physical acquisition
B. Manual acquisition
C. Logical acquisition
D. File system acquisition
Answer: A. Physical acquisition creates a full image of the device's storage, retrieving all data including deleted files.

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?
A. Command and control communication
B. Persistence mechanism
C. Anti-debugging technique
D. Privilege escalation
Answer: B. The 'Run' key is a common persistence location to launch malware at startup.

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?
A. SELECT * FROM messages WHERE key_remote_jid = '%1234%'
B. SELECT * FROM messages WHERE key_remote_jid LIKE '%1234%'
C. SELECT * FROM messages WHERE data LIKE '%1234%'
D. SELECT * FROM messages WHERE timestamp LIKE '%1234%'
Answer: B. 'key_remote_jid' contains the recipient's JID; LIKE '%1234%' matches any JID ending in 1234.

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?
A. Strings
B. Ghidra
C. IDA Pro
D. PEiD
Answer: D. PEiD is a tool for analyzing PE files, detecting packers, and viewing header information.

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?
A. Call history
B. SMS and iMessage conversations
C. Keychain data
D. Notes app data
Answer: D. The hash corresponds to the Notes app's SQLite database (NotesStore.sqlite).

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?
A. Google account artefacts
B. App installation logs
C. Deleted SMS messages
D. Wi-Fi passwords
Answer: A. Google account credentials may be stored in the Google backup and could be restored after reset, or remnants may exist in the cloud.

Domain: Network and Cloud Forensics

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?
A. Enable NetFlow on the router and capture flows
B. Configure a SPAN port on the switch
C. Deploy an ARP spoofing tool to redirect traffic
D. Set the NIC to promiscuous mode on the forensic workstation
Answer: B. Port mirroring (SPAN) copies traffic to a monitor port without interrupting the original flow.

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?
A. Physical acquisition of the storage device is required
B. No API access to the storage system
C. Inability to decrypt data at rest
D. Data commingling with other tenants
Answer: D. Shared storage can result in data from multiple tenants occupying the same physical media, complicating isolation.

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?
A. MAC address spoofing
B. VLAN hopping using double tagging
C. DNS tunneling to exfiltrate data
D. ARP poisoning to redirect traffic
Answer: A. Spoofing the MAC of an authorized device can allow the attacker to authenticate via 802.1X.

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?
A. Wait until normal business hours to capture traffic
B. Only record summary logs from the firewall
C. Perform packet capture using a portable tool and store the capture with a cryptographic hash
D. Use a dedicated forensic workstation with a write blocker
Answer: C. This ensures minimal impact and integrity of the captured data.

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?
A. Log into the VM and use a tool to create a crash dump
B. Copy the virtual disk file (.vmdk) and extract memory from it
C. Use a live forensic tool inside the VM to capture memory
D. Take a snapshot of the VM via the hypervisor and export the .vmem file
Answer: D. This method captures the VM's memory in a forensically sound manner.

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?
A. Network latency delayed log delivery
B. Log rotation policy deleted logs prematurely
C. Time drift between the system and the SIEM
D. The system's log level was set to ERROR only
Answer: C. Clock skew can cause logs to appear missing or out of order.
During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?
Restore the transaction log files from backup and mount them to recover the deleted rows.
Use the 'SHOW UNDO' command to retrieve the deleted rows from undo tablespace.
Query the information_schema database to retrieve deleted rows from the data dictionary.
Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.
Binary logs record every committed data change. With binlog_format=ROW, each Delete_rows event stores the before-image of every deleted row, and mysqlbinlog with --base64-output=DECODE-ROWS -v prints those images as pseudo-SQL that can be turned back into INSERTs; with STATEMENT format only the DELETE text is logged, so the rows must come from a backup restored to just before it. There is no SHOW UNDO command, information_schema holds metadata rather than row data, and in MySQL the binary log is the change history, not a separately restorable transaction log.
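The reconstruction step from the explanation above, as an added example that is not part of the original page: it parses a constructed excerpt of mysqlbinlog -v output, turns each row-format Delete_rows image back into an INSERT statement tagged with the event time, and reports statement-format DELETEs separately because their rows cannot be rebuilt from the binlog alone. The database and table names, values and offsets are invented for the example.

```python
"""Rebuild rows deleted from MySQL from the binary log.

Feed it the text of
    mysqlbinlog --base64-output=DECODE-ROWS -v binlog.000123
for the log files covering the incident.  Row-format Delete_rows events list
the deleted row's columns as "###   @n=value" under "### DELETE FROM";
statement-format events only carry the DELETE text and are reported as
unrecoverable here.
"""
import re

# Constructed excerpt of `mysqlbinlog -v` output (not real data): one
# row-format event deleting two rows, then one statement-format DELETE.
SAMPLE = """\
# at 1234
#240301 10:02:11 server id 1  end_log_pos 1400 CRC32 0x1a2b3c4d \tDelete_rows: table id 108 flags: STMT_END_F
### DELETE FROM `shop`.`customers`
### WHERE
###   @1=42
###   @2='alice'
###   @3='alice@example.com'
### DELETE FROM `shop`.`customers`
### WHERE
###   @1=43
###   @2='bob'
###   @3=NULL
# at 1400
#240301 10:02:15 server id 1  end_log_pos 1480 CRC32 0x5e6f7a8b \tQuery\tthread_id=17\texec_time=0\terror_code=0
SET TIMESTAMP=1709287335/*!*/;
DELETE FROM `shop`.`orders` WHERE customer_id=42
/*!*/;
"""

HEADER_RE = re.compile(r"^#(\d{6}) +(\d\d:\d\d:\d\d) server id")   # event timestamp line
ROW_DELETE_RE = re.compile(r"^### DELETE FROM (`[^`]+`\.`[^`]+`)")
COL_RE = re.compile(r"^###\s+@(\d+)=(.*)$")
STMT_DELETE_RE = re.compile(r"^DELETE\s", re.IGNORECASE)

def _clean(value):
    # With -vv each value carries a "/* INT meta=0 nullable=0 is_null=0 */" comment; drop it.
    return re.sub(r"\s*/\*.*?\*/\s*$", "", value).strip()

def recover_deletes(text):
    """Return (insert_statements, unrecoverable_statement_deletes)."""
    inserts, unrecoverable = [], []
    event_time = None
    table, cols = None, []

    def flush():
        nonlocal table, cols
        if table is not None:
            # @1, @2, ... are positional: they follow the table's column order at event time.
            values = ", ".join(v for _, v in sorted(cols))
            inserts.append(f"INSERT INTO {table} VALUES ({values}); -- deleted at {event_time}")
        table, cols = None, []

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            d, t = m.group(1), m.group(2)
            event_time = f"20{d[:2]}-{d[2:4]}-{d[4:]} {t}"
            continue
        m = ROW_DELETE_RE.match(line)
        if m:
            flush()
            table = m.group(1)
            continue
        m = COL_RE.match(line)
        if m and table is not None:
            cols.append((int(m.group(1)), _clean(m.group(2))))
            continue
        if STMT_DELETE_RE.match(line):
            flush()
            unrecoverable.append(f"{event_time}: {line.strip()}")
    flush()
    return inserts, unrecoverable
```

Replay the generated INSERTs into a copy of the database, never the evidence copy, and keep the event timestamps: they date the deletion for the timeline. Any entry in the unrecoverable list marks a statement-format event whose rows have to come from the last backup before that time.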
A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?
Control file
Redo log files
Database audit trail (SYS.AUD$ or the unified audit trail)
Only the audit trail stores the text of executed statements, and only when statement auditing is on (AUDIT_TRAIL=DB,EXTENDED, or a unified audit policy covering the application account); that is where injected SELECTs surface. The listener log records connections (client host, program, service name) but no SQL; the redo logs can be mined with LogMiner for DML changes but never contain SELECTs; the control file and alert log hold structural and event information.
Alert log (alert_SID.log)
An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?
Restore the transaction log backup taken after the DROP TABLE and apply it to the database.
Use the RESTORE LOG statement with the NO_TRUNCATE option to recover the table.
Perform a tail-log backup, then restore the full backup and all subsequent transaction log backups, stopping before the DROP TABLE.
Under the full recovery model the transaction log backups form an unbroken chain. A tail-log backup captures the log written since the last backup, and restoring the full backup followed by every log backup WITH STOPAT set to a time just before the DROP rolls the database forward to that point and no further. Restoring the log taken after the drop would replay the DROP; NO_TRUNCATE is an option of BACKUP LOG, not RESTORE LOG; ignoring the log backups loses everything since the full backup.
Restore the most recent full backup and ignore subsequent transaction log backups.
During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?
Journal (journal directory)
System log (mongod.log)
Audit log (auditLog)
The audit log (available in MongoDB Enterprise and Atlas, and only when auditLog is configured) records which authenticated user performed each audited operation. The oplog and the journal record the operations themselves for replication and crash recovery but not the user who issued them, and mongod.log holds only connection and slow-query information.
Oplog (local.oplog.rs)
A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?
Review the pg_stat_activity view to see the history of queries executed.
Examine the archive_status directory to find the timestamp of the WAL file that contains the deletion.
Query the pg_audit table to retrieve a log of all DELETE statements.
Use the pg_waldump utility to parse the WAL files and identify DELETE operations with timestamps.
WAL records do not carry their own timestamps: pg_waldump shows each heap DELETE with its transaction ID, and the matching COMMIT record (resource manager Transaction) carries the commit time that dates the deletion. pg_stat_activity shows only current sessions, pgAudit writes to the server log rather than a table, and archive_status only tracks whether a segment has been archived.
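The join described in the explanation above, as an added example that is not part of the original page: it parses a constructed excerpt of pg_waldump output, groups heap DELETE records by transaction ID, attaches the COMMIT or ABORT record of the same transaction, and reports only the committed deletions on the relation of interest with their commit time. The relfilenode numbers, LSNs and timestamps are invented; on a real server the relfilenode of a table comes from pg_relation_filenode('schema.table').

```python
"""Date row deletions in PostgreSQL from decoded WAL.

Heap DELETE records carry only the transaction ID (tx); the timestamp lives
on that transaction's COMMIT record, so the two have to be joined.  Deletes
in a transaction that ended with ABORT never took effect, and a transaction
with no COMMIT/ABORT in the examined segments is still open or finished in a
later segment.  Input: the text of
    pg_waldump -r Heap -r Transaction <walfile...>
"""
import re
from collections import defaultdict

# Constructed excerpt of pg_waldump output (not from a real server).
SAMPLE = """\
rmgr: Heap        len (rec/tot):     54/    54, tx:        748, lsn: 0/01665A48, prev 0/01665A10, desc: DELETE off 3 flags 0x00 KEYS_UPDATED , blkref #0: rel 1663/16384/16390 blk 0
rmgr: Heap        len (rec/tot):     54/    54, tx:        748, lsn: 0/01665A80, prev 0/01665A48, desc: DELETE off 4 flags 0x00 KEYS_UPDATED , blkref #0: rel 1663/16384/16390 blk 0
rmgr: Transaction len (rec/tot):     34/    34, tx:        748, lsn: 0/01665AB8, prev 0/01665A80, desc: COMMIT 2024-03-01 10:02:11.483920 UTC
rmgr: Heap        len (rec/tot):     54/    54, tx:        749, lsn: 0/01665AE0, prev 0/01665AB8, desc: DELETE off 1 flags 0x00 KEYS_UPDATED , blkref #0: rel 1663/16384/16402 blk 7
rmgr: Transaction len (rec/tot):     34/    34, tx:        749, lsn: 0/01665B18, prev 0/01665AE0, desc: ABORT 2024-03-01 10:02:30.001200 UTC
rmgr: Heap        len (rec/tot):     54/    54, tx:        750, lsn: 0/01665B40, prev 0/01665B18, desc: DELETE off 9 flags 0x00 KEYS_UPDATED , blkref #0: rel 1663/16384/16390 blk 2
"""

REC_RE = re.compile(r"rmgr: (\w+)\s+.*?tx:\s+(\d+), lsn: (\S+),.*?desc: (\S+)(.*)")
REL_RE = re.compile(r"rel (\d+)/(\d+)/(\d+)")          # tablespace/database/relfilenode
TS_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def deletions_by_commit(text):
    """Map tx -> {"status": commit|abort|in progress, "time": commit/abort time,
    "deletes": [(relfilenode, lsn), ...]}."""
    txs = defaultdict(lambda: {"status": "in progress", "time": None, "deletes": []})
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rmgr, tx, lsn, op, rest = m.groups()
        tx = int(tx)
        if rmgr == "Heap" and op == "DELETE":
            rel = REL_RE.search(rest)
            txs[tx]["deletes"].append((int(rel.group(3)), lsn))
        elif rmgr == "Transaction" and op in ("COMMIT", "ABORT"):
            ts = TS_RE.search(rest)
            txs[tx]["status"] = op.lower()
            txs[tx]["time"] = ts.group(1) if ts else None
    return dict(txs)

def effective_deletes(text, relfilenode):
    """Committed deletions on one relation as (commit_time, tx, rows_deleted),
    which is the evidence that dates the attacker's DELETE."""
    out = []
    for tx, info in sorted(deletions_by_commit(text).items()):
        n = sum(1 for rel, _ in info["deletes"] if rel == relfilenode)
        if n and info["status"] == "commit":
            out.append((info["time"], tx, n))
    return out
```

For the sample, transaction 748 deleted two rows from relfilenode 16390 and committed at 10:02:11; 749 deleted a row elsewhere but aborted, so nothing was lost; 750 has no completion record in this segment and needs the next WAL file before it can be dated or discounted.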
Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?
Extract the file system journal
Take a backup of the database using mysqldump
Create a forensic image of the hard disk
Execute netstat -an to list active network connections
Netstat shows current connections, which are volatile.
Capture a memory dump using a tool like LiME or FTK Imager
Memory dump captures volatile data.
During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?
The file is a false positive and is actually benign
The sandbox is not updated with the latest signatures
The file's metadata has been modified to evade analysis
The file is packed or obfuscated to prevent execution in a sandbox
Packers and obfuscators commonly bundle anti-analysis checks (virtual-machine artefacts, an attached debugger, a missing expected environment) and stop before unpacking the payload when one fires, so the sandbox never observes the malicious behaviour. The hash match remains authoritative for identification; the absence of behaviour in one sandbox run is not evidence that the file is benign.
An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?
Perform a full disk scan with updated antivirus signatures
Acquire a memory dump and perform memory forensics with tools like Volatility
A memory image captures the injected code, hooks and network structures that exist only in RAM and that disk-based scanning never sees; Volatility plugins such as malfind and psscan then surface them for analysis.
Conduct a live analysis using built-in Windows tools like Task Manager
Analyze network traffic for anomalies using a NetFlow analyzer
A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?
Create a bit-for-bit forensic image of the sample
All analysis is done on a hashed, verified copy so the original sample is preserved as evidence; the other options run or expose the sample outside a controlled environment before anything is known about it.
Execute the sample in a debugger on a production machine
Disassemble the binary using IDA Pro directly
Connect the sample to an isolated network to observe behavior
During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?
API hooking
Process hollowing
Code injection
Code injection is the umbrella term for writing code into another running process and executing it there (classically VirtualAllocEx, WriteProcessMemory and CreateRemoteThread). DLL injection is one specific form of it, process hollowing replaces the image of a process created in a suspended state rather than adding code to a live one, and API hooking redirects calls once code is already resident; with no further detail, code injection is the description that fits the scenario.
DLL injection
Which TWO of the following are common indicators of a rootkit infection on a Windows system?
High CPU usage by svchost.exe
System calls returning inconsistent results
Rootkits hook system calls (SSDT, inline or filter-driver hooks) so that file, registry and process enumeration APIs return filtered results; comparing an API's answer with a raw read of the same structure exposes the discrepancy.
Unexpected open ports on the firewall
Presence of unsigned kernel drivers
Hidden processes not visible in Task Manager
Rootkits unlink processes from the kernel's process list (DKOM) or filter enumeration results, so the process is absent from Task Manager and tasklist while it is still scheduled and holding handles; a cross-view comparison against a memory image reveals it.
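The cross-view comparison named in the two explanations above, and the Volatility-based memory forensics from the earlier question on in-memory malware, as an added example that is not part of the original page: windows.pslist walks the kernel's EPROCESS linked list (the view Task Manager ultimately depends on), windows.psscan carves EPROCESS structures out of the whole image regardless of list membership, and a process found only by the scanner with no exit time has been unlinked. The two tables are constructed, tab-separated and reduced to the columns the comparison needs; with real plugin output the columns are the same but the separator depends on the renderer chosen, which the sep parameter covers.

```python
"""Cross-view process detection from a Windows memory image.

pslist: processes reachable by walking the ActiveProcessLinks list.
psscan: EPROCESS structures found by scanning memory.
Present in psscan only, ExitTime N/A  -> unlinked (hidden) process.
Present in psscan only, ExitTime set  -> merely exited; structure not yet reused.
"""

# Constructed, simplified output of `vol -f image.raw windows.pslist` (not real data).
PSLIST = """\
PID\tPPID\tImageFileName\tCreateTime\tExitTime
4\t0\tSystem\t2024-03-01 08:00:01\tN/A
516\t4\tsmss.exe\t2024-03-01 08:00:02\tN/A
1288\t1180\texplorer.exe\t2024-03-01 08:01:10\tN/A
"""

# Constructed, simplified output of `vol -f image.raw windows.psscan` (not real data).
PSSCAN = """\
PID\tPPID\tImageFileName\tCreateTime\tExitTime
4\t0\tSystem\t2024-03-01 08:00:01\tN/A
516\t4\tsmss.exe\t2024-03-01 08:00:02\tN/A
1288\t1180\texplorer.exe\t2024-03-01 08:01:10\tN/A
2044\t1288\tnotepad.exe\t2024-03-01 09:12:40\t2024-03-01 09:15:02
3720\t516\tsvchosts.exe\t2024-03-01 08:40:13\tN/A
"""

def parse_table(text, sep="\t"):
    """Header row plus data rows -> list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(sep)
    return [dict(zip(header, line.split(sep))) for line in lines[1:]]

def hidden_processes(pslist_text, psscan_text, sep="\t"):
    """Return (hidden, exited): scanner-only processes split by whether they
    have an exit time.  Each entry is (pid, image name, create time)."""
    listed = {(r["PID"], r["ImageFileName"]) for r in parse_table(pslist_text, sep)}
    hidden, exited = [], []
    for r in parse_table(psscan_text, sep):
        if (r["PID"], r["ImageFileName"]) in listed:
            continue
        entry = (int(r["PID"]), r["ImageFileName"], r["CreateTime"])
        (exited if r["ExitTime"] != "N/A" else hidden).append(entry)
    return hidden, exited
```

In the sample, notepad.exe is only a stale structure from a process that exited, while svchosts.exe (note the misspelling of svchost.exe, a common impersonation trick) is live, parented by smss.exe, and invisible to the list walk: that entry is the one to pivot on with handle, DLL and network plugins.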
Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?
Use a dedicated forensic workstation that is not connected to any network
Prevents malware from spreading and ensures analysis integrity.
Delete the malware sample after analysis to prevent accidental infection
Always create a cryptographic hash of the malware sample before analysis
Hashing verifies integrity and aids in identifying known samples.
Use a virtual machine or sandbox for dynamic analysis
Isolates the malware to prevent damage to the host system.
Run all analysis using the same tools and versions as the attacker
The CHFI exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 13 domains: Computer Forensics Investigation Process, Computer Forensics Fundamentals and Process, Storage Forensics and File System Analysis, Incident Response and First Responder Skills, Computer Forensics Lab, Evidence Acquisition and Duplication, OS and Network Forensics, OS and File System Forensics, Application, Email and Cloud Forensics, Mobile and Malware Forensics, Network and Cloud Forensics, Database and Application Forensics, Malware Forensics. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official EC-Council CHFI exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.