Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CHFI Application, Email and Cloud Forensics • Complete Question Bank

CHFI Application, Email and Cloud Forensics — All Questions With Answers

Complete CHFI Application, Email and Cloud Forensics question bank — all 0 questions with answers and detailed explanations.

155 questions · Free · No signup
Question 1 (easy, multiple choice)

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

Question 2 (medium, multiple choice)

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

Question 3 (hard, multiple choice)

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

Question 4 (medium, multiple choice)

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

Question 5 (easy, multiple choice)

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

Question 6 (medium, multiple choice)

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

Question 7 (hard, multiple choice)

A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?

Question 8 (medium, multiple choice)

An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?

Question 9 (easy, multiple choice)

In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?

Question 10 (medium, multiple choice)

An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?

Question 11 (hard, multiple choice)

During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?

Question 12 (medium, multiple choice)

Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?

Question 13 (medium, multi-select)

Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)

Question 14 (hard, multi-select)

Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)

Question 15 (easy, multi-select)

Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)

Question 16 (medium, multiple choice)

An analyst examining Apache access logs finds the following entry: 192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0". Which of the following attacks is MOST likely occurring?

Question 17 (easy, multiple choice)

During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?

Question 18 (medium, multiple choice)

A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?

Question 19 (hard, multiple choice)

While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: <?php system($_GET['cmd']); ?>. Which of the following best describes this file?

Question 20 (medium, multiple choice)

An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?

Question 21 (medium, multiple choice)

A forensic analyst is examining a Microsoft Outlook PST file as part of an email investigation. Which tool is specifically designed to parse and analyze PST files and extract email metadata?

Question 22 (easy, multiple choice)

In cloud forensics, one of the major challenges is that data may be stored in multiple jurisdictions with different legal requirements. This challenge is known as:

Question 23 (hard, multiple choice)

An analyst finds the following entry in an IIS access log: 10.0.0.5, -, 10/10/2023, 14:30:22, W3SVC1, WEB01, 192.168.1.100, 80, GET, /login.aspx, 200, 0, 1234, 567, Mozilla/5.0+. Based on the log format, which field contains the HTTP status code?

Question 24 (easy, multiple choice)

Which of the following tools is specifically designed to analyze email headers and track the path of an email, providing information about delays and potential spoofing?

Question 25 (medium, multiple choice)

During a database forensic investigation, you need to review Microsoft SQL Server transaction logs to identify unauthorized data modifications. Which of the following SQL Server functions or commands is used to read the transaction log?

Question 26 (hard, multiple choice)

An analyst is investigating a possible data exfiltration via email. The analyst notices that the email headers contain a DKIM-Signature field that is invalid. Which of the following does a failed DKIM check indicate?

Question 27 (medium, multiple choice)

A forensic investigator needs to collect evidence from a Google Cloud Platform (GCP) environment. Which of the following GCP services provides audit logs for administrative activities and data access?

Question 28 (medium, multi-select)

Which TWO of the following are common indicators of a path traversal attack found in web server logs? (Select 2)

Question 29 (hard, multi-select)

Which THREE of the following are challenges specific to cloud forensics compared to traditional digital forensics? (Select 3)

Question 30 (easy, multi-select)

Which TWO of the following are valid email header fields that can be used to detect email spoofing? (Select 2)

Question 31 (easy, multiple choice)

An analyst examines the following Apache access log entry: 192.168.1.10 - - [10/Jan/2023:13:45:22 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0". Which attack is MOST likely indicated?

Question 32 (medium, multiple choice)

During a forensic investigation of a compromised web server, you find the following entry in the IIS log: 192.168.2.50, -, 10/Jan/2023, 14:32:15, W3SVC1, WEB01, 192.168.2.10, 80, POST, /uploads/shell.aspx, 200, 0, 0, 513, 0, Mozilla/4.0. Which action should the investigator prioritize?

Question 33 (hard, multiple choice)

In a database forensic investigation, you recover a MySQL binary log with the following entry: #230110 13:45:22 server id 1 end_log_pos 123456 Query thread_id=100 exec_time=0 error_code=0 SET TIMESTAMP=1673358322; SELECT * FROM customers INTO OUTFILE '/tmp/export.csv';. What does this indicate?

Question 34 (easy, multiple choice)

Which tool is specifically designed for parsing and analyzing email headers to trace the origin of an email and detect spoofing?

Question 35 (medium, multiple choice)

An email header shows the following Received line: Received: from mail.example.com (192.168.1.1) by smtp.server.com (Postfix). The DKIM-Signature header is missing, and the X-Originating-IP header shows an IP address different from the sender's domain MX record. What is the MOST likely conclusion?

Question 36 (hard, multiple choice)

During a cloud forensic investigation, you review AWS CloudTrail logs and find the following event: {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/attacker"},"requestParameters":{"instanceType":"t2.micro","imageId":"ami-0abcdef1234567890"},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d4e5f67890"}]}}}. What is the immediate forensic action?

Question 37 (easy, multiple choice)

In Docker forensics, which command is used to view the command history of a container, including how it was built?

Question 38 (medium, multiple choice)

A security analyst finds the following entry in the Apache access log: 10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0". Which attack was attempted?

Question 39 (medium, multiple choice)

Which of the following email headers is used to verify the domain of the sending server and is commonly used for authentication to prevent spoofing?

Question 40 (medium, multiple choice)

In cloud forensics, which AWS service logs API calls for governance, compliance, and operational auditing, and is the primary source for detecting unauthorized access?

Question 41 (hard, multiple choice)

During a forensic investigation of a Microsoft SQL Server, you find the transaction log contains the following: LOP_BEGIN_XACT, LOP_INSERT_ROWS, LOP_COMMIT_XACT for a table named 'CreditCards', with a timestamp just before a known data breach. The log also shows a bulk insert operation. What does this indicate?

Question 42 (easy, multiple choice)

In email forensics, which artifact is stored in Outlook's Personal Folders (.pst) files and can be analyzed using tools like Aid4Mail or EmailTracker?

Question 43 (medium, multi-select)

Which TWO of the following are common challenges specific to cloud forensics? (Select TWO)

Question 44 (medium, multi-select)

Which THREE of the following are indicators of a webshell in web server logs? (Select THREE)

Question 45 (hard, multi-select)

Which TWO of the following are valid methods to collect logs from Docker containers for forensic analysis? (Select TWO)

Question 46 (medium, multiple choice)

A security analyst reviews an Apache access log and finds the entry: '192.168.1.10 - - [10/Mar/2025:08:12:34 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'. Which attack is indicated?

Question 47 (easy, multiple choice)

Which email header field is MOST reliable for identifying the true origin of an email, assuming no header tampering occurred at the initial MTA?

Question 48 (hard, multiple choice)

During a cloud forensic investigation, an analyst discovers that an AWS EC2 instance was used to launch an attack. The instance has been terminated. Which source is MOST likely to contain evidence of the commands executed on the instance?

Question 49 (medium, multiple choice)

An analyst examining an Outlook PST file wants to recover deleted emails that are no longer visible in the Deleted Items folder. Which technique is MOST effective?

Question 50 (medium, multiple choice)

A web server log shows the following request: 'GET /../../../../etc/passwd HTTP/1.1' with a 200 response code. The web server is running Apache on Linux. What attack has likely succeeded?

Question 51 (easy, multiple choice)

Which cloud forensic challenge refers to the inability to physically access the storage media where data resides?

Question 52 (hard, multiple choice)

A forensic analyst is investigating a Docker container that was used to launch a network attack. The container has been stopped but not removed. Which action should the analyst take FIRST to preserve volatile evidence?

Question 53 (medium, multiple choice)

An email investigator receives a suspicious email and examines the headers. The 'Received-SPF: pass (google.com: domain of example.com designates 203.0.113.5 as permitted sender)' header is present. However, the 'From' address is 'admin@example.com' and the 'Return-Path' is 'admin@example.com'. What does this indicate?

Question 54 (easy, multiple choice)

Which tool is specifically designed to analyze email headers and track the path of an email across multiple servers?

Question 55 (hard, multiple choice)

A forensic analyst is investigating a MySQL database server breach. Which log is MOST useful for identifying a series of queries that exfiltrated data, assuming the attacker used a compromised application account?

Question 56 (medium, multiple choice)

An analyst discovers a suspicious file named 'cmd.aspx' in the uploads directory of an IIS web server. Analysis reveals the file contains code to execute system commands. What is this file most likely?

Question 57 (medium, multiple choice)

Which Azure log source should an investigator query to identify who deleted a virtual machine and when?

Question 58 (medium, multi-select)

A security analyst is investigating a phishing email and notices the DKIM-Signature header is present but fails validation. Which TWO actions should the analyst take?

Question 59 (hard, multi-select)

A cloud forensic investigator is analyzing a GCP audit log entry for a Compute Engine instance. Which THREE fields are essential for identifying the user and operation performed?

Question 60 (easy, multi-select)

A forensic analyst is examining a Docker container image for malware. Which TWO techniques can help analyze the image layers?

Question 61 (medium, multiple choice)

During a forensic investigation of a compromised web server, an analyst examines the Apache access log and finds the following entry: '192.168.1.10 - - [12/Oct/2024:13:45:22 +0000] "GET /index.php?id=1 UNION SELECT username, password FROM users-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. What type of attack is MOST likely indicated?

Question 62 (easy, multiple choice)

An email forensic analyst receives a suspicious email and examines the full headers. Which header field is the MOST reliable for determining the true originating IP address of the sender, assuming no spoofing of the header?

Question 63 (hard, multiple choice)

In a Docker container forensics investigation, an analyst needs to examine the file system of a stopped container to look for malicious artifacts. Which command should the analyst run to create a recoverable snapshot of the container's file system without starting the container?

Question 64 (medium, multiple choice)

A cloud forensic investigator is examining AWS CloudTrail logs for signs of unauthorized access to an S3 bucket. Which of the following CloudTrail event names would indicate a successful attempt to list the objects in the bucket?

Question 65 (medium, multiple choice)

An investigator is analyzing a compromised MySQL database server. To determine the exact time and content of a suspect data exfiltration query, which MySQL log should be examined first, assuming it is enabled?

Question 66 (easy, multiple choice)

A forensic analyst needs to extract email artifacts from a Microsoft Outlook .OST file that is associated with an Exchange account. Which tool is specifically designed to parse and analyze .OST files?

Question 67 (hard, multiple choice)

During a forensic investigation of a Google Cloud Platform (GCP) environment, an analyst reviews Audit Logs and sees a log entry with the method 'storage.objects.list' and a principal email 'attacker@gmail.com'. However, the identity is not from the organization's domain. What should the analyst conclude?

Question 68 (medium, multiple choice)

An investigator examines an email header and sees the following: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...'. The email claims to be from 'support@example.com', but the DKIM signature validation fails. Which of the following is the MOST likely cause?

Question 69 (easy, multiple choice)

Which tool is commonly used to analyze email headers and trace the path of an email across servers by parsing 'Received' fields?

Question 70 (medium, multiple choice)

In an Azure environment, a forensic analyst needs to identify which user assigned a specific role to another user, leading to privilege escalation. Which Azure log should the analyst examine?

Question 71 (hard, multiple choice)

An analyst discovers a suspicious file named 'cmd.aspx' in the web root of an IIS server. The file contains ASPX code that executes system commands. The IIS logs show a POST request to '/cmd.aspx' with a 200 status code. Which type of attack is indicated?

Question 72 (easy, multiple choice)

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

Question 73 (medium, multi-select)

Which TWO of the following are valid indicators of email spoofing when analyzing email headers?

Question 74 (hard, multi-select)

Which THREE of the following are challenges specific to container forensics?

Question 75 (medium, multi-select)

Which TWO of the following are appropriate techniques for identifying a webshell on a compromised web server?

Question 76 (medium, multiple choice)

An analyst reviews an Apache access log entry: '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. Which attack does this log entry most likely indicate?

Question 77 (easy, multiple choice)

Which email header field is used to verify that an email was sent by the authorized mail server for the domain and has not been tampered with, using cryptographic signatures?

Question 78 (hard, multiple choice)

A forensic investigator examining a compromised Linux server finds a base64-encoded string in the Apache access log: 'GET /cgi-bin/test.cgi?cmd=ZWNobyAiPD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/PiI+...' After decoding, the string contains a PHP webshell. Which of the following is the MOST effective method to confirm the webshell was executed on the server?

Question 79 (medium, multiple choice)

During a cloud forensic investigation, an analyst needs to identify who deleted an S3 bucket in an AWS environment. Which AWS service log should the analyst examine to find the API call and the associated IAM user or role?

Question 80 (medium, multiple choice)

An email forensic analyst receives a suspicious email and wants to verify the originating IP address. The analyst extracts the email headers and sees multiple 'Received' fields. Which 'Received' header should the analyst consider as the most trustworthy source of the sender's IP?

Question 81 (easy, multiple choice)

Which tool is specifically designed to extract and analyze metadata from email messages, including headers, attachments, and embedded objects, for forensic investigations?

Question 82 (medium, multiple choice)

A forensic examiner is investigating a Docker container suspected of being used for malicious activity. Which of the following is the BEST approach to collect volatile evidence from the container without altering its state?

Question 83 (hard, multiple choice)

During an investigation of a web application breach, an analyst reviews IIS logs and finds numerous entries with status code '200' and URIs containing '?cmd=' followed by encoded strings. The analyst also notices that some requests have a 'User-Agent' string resembling 'Microsoft-CryptoAPI/10.0'. What is the MOST likely conclusion?

Question 84 (medium, multiple choice)

An investigator needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which of the following tools is specifically designed for parsing and extracting emails, attachments, and metadata from PST files in a forensically sound manner?

Question 85 (easy, multiple choice)

In the context of cloud forensics, what is the primary challenge associated with volatile evidence in Infrastructure as a Service (IaaS) environments?

Question 86 (medium, multiple choice)

An analyst is investigating a data exfiltration incident. The MySQL transaction logs show a series of unusual SELECT queries retrieving large amounts of data from the 'customers' table, executed by a user account 'webapp'. What should the analyst check NEXT to determine if the data was actually exfiltrated?

Question 87 (hard, multiple choice)

A forensic investigator is analyzing a compromised web server. In the Apache access logs, the investigator finds the following request: 'GET /images/../../../etc/passwd HTTP/1.1' with a 200 status code. Which of the following is the MOST likely reason the server returned a 200 (OK) response?

Question 88 (medium, multi-select)

A forensic analyst is examining a Google Cloud Platform (GCP) environment after a security incident. Which TWO GCP services should the analyst use to audit API activity and resource changes? (Select TWO.)

Question 89 (hard, multi-select)

In an email forensics investigation, which THREE indicators suggest that an email is likely spoofed? (Select THREE.)

Question 90 (medium, multi-select)

A security analyst is investigating a potential container escape from a Docker container. Which THREE artifacts should the analyst collect to analyze the incident? (Select THREE.)

Question 91 (medium, multiple choice)

A security analyst reviews Apache access logs and finds the following entry: `192.168.1.10 - - [12/Jul/2024:10:15:30 -0400] "GET /search.php?q=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 5321 "-" "Mozilla/5.0"`. Which attack technique is most likely being attempted?

Question 92 (medium, multiple choice)

During an email forensics investigation, an analyst examines headers and sees `Received: from mail.evil.com (192.168.1.100) by mail.victim.com` followed by `DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=selector; bh=...; h=...; b=...`. The email claims to be from support@paypal.com. Which finding is the strongest indicator of spoofing?

Question 93 (easy, multiple choice)

Which tool is specifically designed to extract and analyze email metadata, including headers, from various email client formats such as PST and OST files?

Question 94 (hard, multiple choice)

A forensic analyst is investigating a suspected data exfiltration from a MySQL database. Which log source would be MOST useful to identify the exact SQL queries executed, including SELECT statements that retrieved large volumes of data?

Question 95 (medium, multiple choice)

In an AWS environment, a security analyst detects unusual API calls that created several IAM users with administrative privileges from an unfamiliar IP address. Which AWS service log should be examined first to identify the specific API calls and the IAM user that made them?

Question 96 (easy, multiple choice)

Which of the following is a unique challenge in cloud forensics compared to traditional digital forensics?

Question 97 (hard, multiple choice)

During a Docker forensics investigation, an analyst needs to identify the commands executed within a deleted container. Which of the following approaches is MOST effective to retrieve this information?

Question 98 (medium, multiple choice)

An IIS log entry shows: `2024-07-15 14:22:10 10.0.0.5 GET /../../windows/system32/cmd.exe 404 - Mozilla/5.0`. What attack technique does this log entry indicate?

Question 99 (easy, multiple choice)

In an email header, which field typically contains the IP address of the original sending client?

Question 100 (medium, multiple choice)

A forensic investigator finds a suspicious file named `cmd.aspx` in the web root of a compromised IIS server. The file contains code that accepts command input via HTTP GET parameters and executes it on the server. What is the MOST likely classification of this file?

Question 101 (hard, multiple choice)

In a Google Cloud Platform (GCP) environment, a forensic investigator needs to determine who deleted a Cloud Storage bucket and when. Which log type should be queried to obtain this information?

Question 102 (easy, multiple choice)

Which of the following email authentication protocols uses a digital signature to verify the sender's domain and that the email has not been tampered with?

Question 103 (medium, multi select)

A forensic analyst is examining Azure Activity Logs for signs of privilege escalation. Which TWO of the following activities would be MOST indicative of an attacker attempting to escalate privileges? (Choose two.)

Question 104 (hard, multi select)

During a forensic analysis of a compromised web server, an investigator identifies the following log entries. Which THREE entries are the strongest indicators of a successful web shell upload? (Choose three.)

Question 105 (medium, multi select)

An investigator is analyzing email headers and notices the following: The 'Received' headers show a path through multiple servers, the 'DKIM-Signature' domain matches the sender domain, and 'X-Originating-IP' is present. Which TWO pieces of information are MOST useful to trace the original sender's IP address? (Choose two.)

Question 106 (medium, multiple choice)

A security analyst reviews the following Apache access log entry: 192.168.1.10 - - [15/May/2025:10:15:23 +0000] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0". Which type of attack is most likely indicated?

Question 107 (hard, multiple choice)

During a forensic investigation of a compromised web server, you find a file named 'cmd.aspx' in the uploads directory. The file contains: <%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c "+Request.QueryString["cmd"])).StandardOutput.ReadToEnd(); %>. What is the most likely purpose of this file?

Question 108 (medium, multiple choice)

In MySQL forensics, which log file is most commonly used to detect unauthorized data exfiltration or changes to database records?

Question 109 (easy, multiple choice)

Which email header field is specifically used to verify that an email was not tampered with during transit and is signed by the sender's domain?

Question 110 (easy, multiple choice)

An investigator needs to parse and analyze a Microsoft Outlook personal folders file (.pst). Which tool is specifically designed for this purpose?

Question 111 (medium, multiple choice)

In cloud forensics, which AWS service provides a centralized log of API calls made by users and services, often used to investigate unauthorized access or configuration changes?

Question 112 (hard, multiple choice)

A forensic analyst is examining a Docker container that was used to launch a DDoS attack. Which layer of a Docker image is most likely to contain the attacker's malicious scripts?

Question 113 (medium, multiple choice)

Which of the following is a primary challenge in cloud forensics due to shared infrastructure?

Question 114 (easy, multiple choice)

An analyst finds the following string in an IIS log: %3Cscript%3Ealert('XSS')%3C/script%3E. What does this indicate?

Question 115 (medium, multiple choice)

Which tool is specifically designed to extract metadata from email messages, including tracking the route and identifying the originating IP address?

Question 116 (hard, multiple choice)

In an email header, an analyst notices the following: 'Received: from mail.attacker.com (192.168.2.100) by mail.victim.com (Postfix) with ESMTP id ABC123 for <user@victim.com>; ...'. The 'From' address appears as 'ceo@victim.com'. Which type of attack is most likely?

Question 117 (easy, multiple choice)

Which cloud service's audit logs would an investigator examine to identify who deleted a virtual machine in an Azure subscription?

Question 118 (medium, multi select)

Which TWO of the following are indicators of a webshell on a web server? (Select TWO.)

Question 119 (hard, multi select)

Which THREE of the following are challenges specific to container forensics? (Select THREE.)

Question 120 (medium, multi select)

In email forensics, which TWO of the following headers are most useful for identifying the true origin of an email? (Select TWO.)

Question 121 (easy, multiple choice)

A security analyst is reviewing Apache access logs and finds the entry: 192.168.1.100 - - [10/Mar/2025:08:12:34 +0000] "GET /search?q=test' OR '1'='1 HTTP/1.1" 200 532. Which attack does this log entry most likely indicate?

Question 122 (medium, multiple choice)

During an investigation of a suspected data exfiltration, a forensic analyst examines MySQL general query logs and finds a large number of SELECT queries retrieving customer records, followed by DELETE queries. Which of the following is the most likely conclusion?

Question 123 (hard, multiple choice)

An incident responder is analyzing a compromised web server and finds a file named 'cmd.aspx' in the uploads directory. The file contains ASP.NET code that accepts commands via the 'cmd' parameter and executes them on the server. Which of the following best describes this artifact?

Question 124 (easy, multiple choice)

An email forensic analyst receives a suspicious email and wants to trace its origin. Which email header field provides the most reliable information about the IP address of the sending SMTP server?

Question 125 (medium, multiple choice)

During a cloud forensics investigation of an AWS environment, an analyst extracts CloudTrail logs and notices many events with the error code 'AccessDenied' for a specific IAM user attempting to list an S3 bucket. Which of the following is the most appropriate next step?

Question 126 (hard, multiple choice)

A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?

Question 127 (medium, multiple choice)

A forensic analyst is reviewing Microsoft IIS logs and finds the entry: 192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404. Which attack technique is indicated by the encoded characters in the URI?

Question 128 (easy, multiple choice)

Which of the following tools is specifically designed for parsing and analyzing email headers to detect spoofing and trace the origin of an email?

Question 129 (medium, multiple choice)

In an Azure environment, an investigator needs to review actions performed by a specific user over the past 30 days. Which Azure service provides the necessary audit logs for this purpose?

Question 130 (hard, multiple choice)

A forensic analyst is examining a PST file extracted from a suspect's computer. The analyst wants to recover deleted emails that are no longer visible in the Outlook folder hierarchy. Which approach is most effective?

Question 131 (easy, multiple choice)

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

Question 132 (medium, multiple choice)

During a database forensic investigation, a MSSQL transaction log analysis reveals a series of INSERT statements that added records to a customer table, followed by a TRUNCATE TABLE statement. What does this pattern most likely indicate?

Question 133 (medium, multi select)

A forensic analyst is investigating a web application that was defaced. The Apache access logs show the following entries: (1) GET /cgi-bin/test.cgi HTTP/1.1 with status 200, (2) POST /cgi-bin/test.cgi HTTP/1.1 with status 200, (3) GET /index.html HTTP/1.1 with status 200, (4) GET /images/ HTTP/1.1 with status 301. Which TWO log entries are most suspicious and indicate a likely attack vector?

Question 134 (medium, multi select)

An email investigation reveals that a phishing email was sent from a domain that uses DKIM and SPF. The email headers contain: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...' and 'Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)'. Which TWO conclusions can be drawn?

Question 135 (hard, multi select)

A security analyst is investigating a potential data breach in a GCP environment. The analyst reviews the GCP audit logs and finds the following events: (1) A service account was granted the 'roles/storage.objectAdmin' role on a storage bucket containing sensitive data, (2) The service account then listed objects in the bucket, (3) The service account downloaded several objects. Which THREE actions should the analyst take immediately?

Question 136 (medium, multiple choice)

A security analyst reviewing Apache access logs finds entries like: 192.168.1.10 - - [12/Jan/2023:15:23:11 +0000] "GET /search?q=1' OR '1'='1 HTTP/1.1" 200 5324. What attack is indicated?

Question 137 (easy, multiple choice)

Which tool is specifically designed to analyze email headers, track the path of an email, and extract metadata such as originating IP and authentication results?

Question 138 (hard, multiple choice)

During a cloud forensics investigation, an analyst examines AWS CloudTrail logs and finds an event with "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"}. What does the 'i-0abcd1234efgh5678' portion most likely represent?

Question 139 (medium, multiple choice)

An email header contains the following line: "Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500". The next Received line shows a different IP. What does this indicate?

Question 140 (medium, multiple choice)

In Docker forensics, which of the following commands would you use to inspect the history of an image, including the commands that created each layer?

Question 141 (easy, multiple choice)

An investigator needs to recover deleted emails from a Microsoft Outlook PST file. Which forensic technique is most appropriate?

Question 142 (hard, multiple choice)

A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?

Question 143 (easy, multiple choice)

Which cloud service log is most appropriate for tracking API calls and resource changes in an AWS environment?

Question 144 (medium, multi select)

A forensic analyst is examining MySQL binary logs to identify a data exfiltration event. Which TWO fields are most critical for reconstructing the stolen data?

Question 145 (hard, multi select)

An Azure Activity Log shows a suspicious 'Delete Virtual Machine' operation from an IP address in a foreign country. Which THREE actions should the forensic investigator take immediately to preserve evidence and assess impact?

Question 146 (medium, multi select)

A security analyst notices repeated entries in an IIS log: 10.0.0.2, -, 05/Feb/2023:08:12:34 +0000, GET /../../windows/system32/config/sam, 404, 0, 532. Which TWO of the following attack types are indicated by this log entry?

Question 147 (easy, multi select)

Which TWO tools are commonly used for email forensic analysis and metadata extraction?

Question 148 (medium, multi select)

A Docker container is suspected of malicious activity. Which THREE data sources should the investigator collect for forensic analysis?

Question 149 (hard, multi select)

A GCP audit log shows a project owner granted 'iam.serviceAccountUser' role to a service account from a different project. Which TWO potential security implications should the investigator prioritize?

Question 150 (easy, multi select)

Which TWO of the following are common challenges specific to cloud forensics?

Question 151 (medium, multiple choice)

A security analyst is reviewing Apache access logs and finds repeated requests to /index.php?id=1' OR '1'='1. Which type of attack is MOST likely being attempted?

Question 152 (hard, multiple choice)

During a forensic investigation of a compromised web server, an analyst finds the following entry in the IIS access log: 192.168.1.5, -, 04/May/2024:14:23:11, GET /scripts/..%5c../windows/system32/cmd.exe, 200. What is the probable attack vector?

Question 153 (medium, multiple choice)

An email forensic investigator examines a suspicious email and notices the following header: Received: from mail.evil.com (192.168.1.100) by mail.company.com. The DKIM-Signature header fails verification. What does this indicate?

Question 154 (easy, multi select)

Which TWO of the following are common challenges in cloud forensics that are not typically encountered in traditional on-premises forensics?

Question 155 (hard, multi select)

An incident response team is investigating a breach involving a Docker container. Which THREE of the following actions should the team take to preserve forensic evidence?
