Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCHFIFlashcards
Free — No Signup RequiredEC-Council· Updated 2026

CHFI Flashcards — Free Computer Hacking Forensic Investigator CHFI Study Cards

Reinforce CHFI concepts with active-recall study cards covering all 13 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1000+ study cards13 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

CHFI Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,000+ cards · All free

Domains

Computer Forensics Investigation Process
Computer Forensics Fundamentals and Process
Storage Forensics and File System Analysis
Incident Response and First Responder Skills
Computer Forensics Lab
Evidence Acquisition and Duplication

How to use CHFI flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CHFI preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the CHFI question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your CHFI flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CHFI exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CHFI.

CHFI flashcard preview

Sample cards from the CHFI flashcard bank. Read the question, think of the answer, then read the explanation below.

1

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?

Computer Forensics Investigation Process

Create a forensic image of the encrypted drive, then decrypt the image.

Option C is correct because creating a forensic image of the encrypted drive before decryption preserves the original evidence in its pristine, unaltered state. Decrypting the image later using the recovery key ensures that the original encrypted data remains intact and verifiable, maintaining data integrity throughout the investigation.

2

A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?

Computer Forensics Fundamentals and Process

Photograph the scene and secure the area

Option A is correct because the first priority at a live crime scene is to preserve the integrity of the scene and all potential evidence. Standard forensic procedure (e.g., from NIST SP 800-86 and ACPO guidelines) mandates that the first responder must photograph the scene to document the state of the computer (including screen contents, cables, and peripherals) and secure the area to prevent unauthorized access or tampering. Only after this documentation and scene stabilization can the responder proceed to handle the live system, such as capturing volatile data or creating a forensic image.

3

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

Storage Forensics and File System Analysis

MBR

The Master Boot Record (MBR) partition table uses a 32-bit identifier for partition entries and, with traditional 512-byte sectors, supports a maximum partition size of 2 TB. This matches the description exactly, making MBR the correct answer.

4

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

Incident Response and First Responder Skills

Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.

Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system changes occur. This allows forensic analysis to identify the malware's behavior, such as command-and-control (C2) communication over port 443 (HTTPS), without altering evidence. Tools like FTK Imager (Memory Capture) or DumpIt acquire a raw .mem file that can be analyzed with Volatility or Rekall to extract process details, network sockets, and injected code.

5

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?

Computer Forensics Lab

FTK Imager Lite

FTK Imager Lite is designed for live forensic acquisition on Windows systems, including capturing RAM contents without altering the system state. It uses a lightweight, read-only approach that avoids writing to the disk or modifying memory pages, preserving the integrity of the evidence.

6

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

Evidence Acquisition and Duplication

Belkasoft RAM Capturer

Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.

7

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

OS and Network Forensics

A failed logon attempt

Event ID 4625 in the Windows Security log specifically indicates a failed logon attempt. This event is generated by the Local Security Authority Subsystem Service (LSASS) whenever an authentication attempt fails, regardless of the logon type (interactive, network, service, etc.). The event details include the account name, source IP address, and failure reason code (e.g., 0xC000006D for bad username/password).

8

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

OS and File System Forensics

Use 'foremost' to carve files based on file headers and footers.

Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.

9

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

Application, Email and Cloud Forensics

SQL injection

The log entry shows a UNION SELECT statement appended to the id parameter, which is a classic SQL injection attempt.

10

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?

Mobile and Malware Forensics

Physical acquisition

Physical acquisition provides the most comprehensive data extraction because it creates a bit-for-bit copy of the entire flash storage, including unallocated space and deleted file remnants. With the passcode known, the analyst could unlock the device and perform logical or file system acquisition, but these methods only capture accessible files and may miss forensic artifacts. Physical acquisition (e.g., via JTAG or chip-off) bypasses the operating system and extracts raw NAND data, yielding the fullest forensic picture.

11

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

Network and Cloud Forensics

Configure a SPAN port on the switch

A SPAN (Switched Port Analyzer) port, also known as a mirror port, copies all traffic from a specified source port or VLAN to a destination port where the forensic workstation is connected. This allows the investigator to capture traffic without injecting any frames or altering the forwarding behavior of the switch, thus preserving the integrity of the live network segment.

12

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

Database and Application Forensics

Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.

MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.

13

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

Malware Forensics

The file is packed or obfuscated to prevent execution in a sandbox

Option D is correct because malware authors often use packing or obfuscation techniques to prevent the malicious payload from executing in an analysis environment. The packed code requires a specific unpacking routine or trigger (e.g., a specific system call, registry key, or timing condition) that the sandbox does not provide, causing the file to appear inert. This is a common anti-sandbox technique distinct from simple signature evasion.

Study all 1000+ CHFI cards

CHFI flashcards by domain

The CHFI flashcard bank covers all 13 official blueprint domains published by EC-Council. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Computer Forensics Investigation Process

~1 cards

Computer Forensics Fundamentals and Process

~1 cards

Storage Forensics and File System Analysis

~1 cards

Incident Response and First Responder Skills

~1 cards

Computer Forensics Lab

~1 cards

Evidence Acquisition and Duplication

~1 cards

OS and Network Forensics

~1 cards

OS and File System Forensics

~1 cards

Application, Email and Cloud Forensics

~1 cards

Mobile and Malware Forensics

~1 cards

Network and Cloud Forensics

~1 cards

Database and Application Forensics

~1 cards

Malware Forensics

~1 cards

Flashcards vs practice tests: which is better for CHFI?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CHFI questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CHFI questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective CHFI study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

CHFI flashcards — frequently asked questions

Are the CHFI flashcards free?

Yes. Courseiva provides free CHFI flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many CHFI flashcards are on Courseiva?

Courseiva has 1000+ original CHFI flashcards across all 13 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official EC-Council exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CHFI exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use CHFI flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your CHFI flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains

Related Flashcards

CEHCS0-003CISA

Related Flashcard Sets

CEH

EC-Council CEH

CS0-003

CompTIA CySA+

CISA

ISACA CISA

Browse all certifications →