Reinforce CHFI concepts with active-recall study cards covering all 13 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CHFI preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the CHFI question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your CHFI flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CHFI exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CHFI.
Sample cards from the CHFI flashcard bank. Read the question, think of the answer, then read the explanation below.
During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?
Create a forensic image of the encrypted drive, then decrypt the image.
Option C is correct because creating a forensic image of the encrypted drive before decryption preserves the original evidence in its pristine, unaltered state. Decrypting the image later using the recovery key ensures that the original encrypted data remains intact and verifiable, maintaining data integrity throughout the investigation.
A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?
Photograph the scene and secure the area
Option A is correct because the first priority at a live crime scene is to preserve the integrity of the scene and all potential evidence. Standard forensic procedure (e.g., from NIST SP 800-86 and ACPO guidelines) mandates that the first responder must photograph the scene to document the state of the computer (including screen contents, cables, and peripherals) and secure the area to prevent unauthorized access or tampering. Only after this documentation and scene stabilization can the responder proceed to handle the live system, such as capturing volatile data or creating a forensic image.
An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?
MBR
The Master Boot Record (MBR) partition table uses a 32-bit identifier for partition entries and, with traditional 512-byte sectors, supports a maximum partition size of 2 TB. This matches the description exactly, making MBR the correct answer.
An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?
Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system changes occur. This allows forensic analysis to identify the malware's behavior, such as command-and-control (C2) communication over port 443 (HTTPS), without altering evidence. Tools like FTK Imager (Memory Capture) or DumpIt acquire a raw .mem file that can be analyzed with Volatility or Rekall to extract process details, network sockets, and injected code.
During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?
FTK Imager Lite
FTK Imager Lite is designed for live forensic acquisition on Windows systems, including capturing RAM contents without altering the system state. It uses a lightweight, read-only approach that avoids writing to the disk or modifying memory pages, preserving the integrity of the evidence.
During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?
Belkasoft RAM Capturer
Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.
A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?
A failed logon attempt
Event ID 4625 in the Windows Security log specifically indicates a failed logon attempt. This event is generated by the Local Security Authority Subsystem Service (LSASS) whenever an authentication attempt fails, regardless of the logon type (interactive, network, service, etc.). The event details include the account name, source IP address, and failure reason code (e.g., 0xC000006D for bad username/password).
During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?
Use 'foremost' to carve files based on file headers and footers.
Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.
A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?
SQL injection
The log entry shows a UNION SELECT statement appended to the id parameter, which is a classic SQL injection attempt.
During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?
Physical acquisition
Physical acquisition provides the most comprehensive data extraction because it creates a bit-for-bit copy of the entire flash storage, including unallocated space and deleted file remnants. With the passcode known, the analyst could unlock the device and perform logical or file system acquisition, but these methods only capture accessible files and may miss forensic artifacts. Physical acquisition (e.g., via JTAG or chip-off) bypasses the operating system and extracts raw NAND data, yielding the fullest forensic picture.
An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?
Configure a SPAN port on the switch
A SPAN (Switched Port Analyzer) port, also known as a mirror port, copies all traffic from a specified source port or VLAN to a destination port where the forensic workstation is connected. This allows the investigator to capture traffic without injecting any frames or altering the forwarding behavior of the switch, thus preserving the integrity of the live network segment.
During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?
Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.
MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.
During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?
The file is packed or obfuscated to prevent execution in a sandbox
Option D is correct because malware authors often use packing or obfuscation techniques to prevent the malicious payload from executing in an analysis environment. The packed code requires a specific unpacking routine or trigger (e.g., a specific system call, registry key, or timing condition) that the sandbox does not provide, causing the file to appear inert. This is a common anti-sandbox technique distinct from simple signature evasion.
The CHFI flashcard bank covers all 13 official blueprint domains published by EC-Council. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Computer Forensics Investigation Process
Computer Forensics Fundamentals and Process
Storage Forensics and File System Analysis
Incident Response and First Responder Skills
Computer Forensics Lab
Evidence Acquisition and Duplication
OS and Network Forensics
OS and File System Forensics
Application, Email and Cloud Forensics
Mobile and Malware Forensics
Network and Cloud Forensics
Database and Application Forensics
Malware Forensics
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CHFI questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CHFI questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective CHFI study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free CHFI flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1000+ original CHFI flashcards across all 13 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official EC-Council exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CHFI exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included