CHFI Computer Forensics Fundamentals and Process — All Questions With Answers

Question 1 (easy, multiple choice)

A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?

Question 2 (medium, multiple choice)

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. What is the primary purpose of using a hardware write blocker?

Question 3 (hard, multiple choice)

A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?

Question 4 (medium, multiple choice)

During a forensic investigation, an analyst creates a forensic image using `dcfldd` with the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=10M`. What is the purpose of the `hashwindow` parameter?

Question 5 (easy, multiple choice)

What is the primary goal of the chain of custody in a digital forensic investigation?

Question 6 (medium, multiple choice)

A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?

Question 7 (hard, multiple choice)

During a forensic investigation, a first responder notices that a computer is running and suspects that volatile data may be present. According to best practices, what should the responder do to preserve the most volatile data first?

Question 8 (easy, multiple choice)

Which of the following best describes the 'Best Evidence Rule' as it applies to digital evidence?

Question 9 (medium, multiple choice)

An organization receives a legal hold notice regarding pending litigation. The IT department is instructed to preserve all relevant electronically stored information. What is the primary action the IT department should take?

Question 10 (hard, multiple choice)

A forensic analyst is examining a hard drive that was imaged using a software write blocker. Which of the following is a potential disadvantage of using a software write blocker compared to a hardware write blocker?

Question 11 (medium, multiple choice)

Which of the following is an example of Locard's Exchange Principle as applied to digital forensics?

Question 12 (easy, multiple choice)

In the context of the US Fourth Amendment, what is typically required for law enforcement to seize a computer for forensic examination?

Question 13 (medium, multi select)

Which TWO of the following are essential steps that a first responder should take when arriving at a digital crime scene? (Select TWO)

Question 14 (hard, multi select)

Which THREE of the following are considered rules of evidence that digital evidence must satisfy to be admissible in court? (Select THREE)

Question 15 (medium, multi select)

Which TWO of the following are valid justifications for a first responder to power off a computer at a crime scene? (Select TWO)

Question 16 (easy, multiple choice)

What is the primary goal of computer forensics?

Question 17 (easy, multiple choice)

Which principle states that every contact leaves a trace?

Question 18 (easy, multiple choice)

A first responder arrives at a crime scene where a computer is turned on. What should the responder do FIRST?

Question 19 (medium, multiple choice)

During a forensic investigation, an analyst creates a bit-for-bit copy of a suspect's hard drive using the 'dd' command with the following parameters: dd if=/dev/sda of=/evidence/image.dd bs=4k conv=noerror,sync. What is the purpose of 'conv=noerror,sync'?

Question 20 (medium, multiple choice)

Which type of evidence is a witness's statement that they saw someone log into a computer?

Question 21 (medium, multiple choice)

A forensic analyst needs to collect evidence from a running Windows system without altering the system state. Which tool should they use to acquire volatile memory?

Question 22 (medium, multiple choice)

During an investigation, an analyst creates a forensic image of a hard drive using FTK Imager and computes the MD5 hash of the image. Later, the hash is re-computed and found to match. What does this confirm?

Question 23 (hard, multiple choice)

A security analyst discovers unauthorized access to a server. The incident response team decides to preserve evidence. Which of the following actions is MOST critical to ensure the admissibility of evidence in court?

Question 24 (hard, multiple choice)

In a UK-based investigation, the police seize a computer without a warrant. The suspect's lawyer argues that the evidence is inadmissible because it violates which law?

Question 25 (hard, multiple choice)

An analyst runs 'dcfldd if=/dev/sdb of=/evidence/disk.dd hash=sha256 hashlog=/evidence/hash.log' on a Linux system. What is the primary advantage of using dcfldd over plain dd for forensic imaging?

Question 26 (medium, multiple choice)

Which of the following BEST describes the purpose of a legal hold in e-discovery?

Question 27 (medium, multiple choice)

A forensic examiner uses a hardware write blocker when imaging a suspect's hard drive. What is the primary function of a hardware write blocker?

Question 28 (medium, multi select)

Which TWO of the following are requirements for evidence to be admissible in court? (Select two.)

Question 29 (hard, multi select)

Which THREE of the following are steps in the forensic investigation process? (Select three.)

Question 30 (easy, multi select)

Which TWO of the following are types of write blockers used in forensic imaging? (Select two.)

Question 31 (easy, multiple choice)

A first responder arrives at a scene where a computer is powered on and the user is present. According to standard forensic first responder procedures, what should the responder do FIRST?

Question 32 (medium, multiple choice)

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. Which of the following is the PRIMARY reason for using a write blocker?

Question 33 (medium, multiple choice)

A forensic analyst creates a forensic image of a hard drive using the dd command: dd if=/dev/sda of=/evidence/image.dd bs=4096 conv=noerror,sync. What is the purpose of the 'conv=noerror,sync' option?

Question 34 (hard, multiple choice)

In a UK-based investigation under the Police and Criminal Evidence Act (PACE), a forensic examiner is asked to seize computers from a business premises. Which of the following actions is MOST compliant with PACE requirements?

Question 35 (easy, multiple choice)

Which of the following BEST defines the chain of custody in digital forensics?

Question 36 (medium, multiple choice)

A security analyst notices that a log file on a Linux server shows repeated failed SSH login attempts from an external IP address, but no successful login from that IP. However, the /var/log/auth.log file has been recently truncated. Which type of evidence is the truncated log file?

Question 37 (medium, multiple choice)

During an e-discovery process, a legal hold is issued. What is the PRIMARY purpose of a legal hold?

Question 38 (hard, multiple choice)

A forensic investigator uses FTK Imager to create a forensic image of a suspect's laptop. The acquisition generates both an E01 file and a corresponding hash file. Which statement accurately describes the integrity verification process in FTK Imager?

Question 39 (easy, multiple choice)

According to Locard's exchange principle, which of the following is MOST relevant to digital forensics?

Question 40 (medium, multiple choice)

In the context of US Fourth Amendment protections, which of the following scenarios would likely require a search warrant for a forensic examiner to legally seize and analyze a computer?

Question 41 (hard, multiple choice)

An investigator creates a forensic image using dcfldd with the following command: dcfldd if=/dev/sdb of=image.dd hash=sha256 hashwindow=10M hashlog=hash.txt. What is the effect of the 'hashwindow=10M' parameter?

Question 42 (medium, multiple choice)

Which of the following is a key requirement for digital evidence to be considered admissible in court?

Question 43 (medium, multi select)

Which TWO of the following are essential duties of a first responder at a digital crime scene? (Select two.)

Question 44 (hard, multi select)

Which THREE of the following correctly describe the rules of evidence as applied to digital forensics? (Select three.)

Question 45 (medium, multi select)

Which TWO of the following are valid reasons for using a hardware write blocker over a software write blocker? (Select two.)

Question 46 (medium, multiple choice)

A first responder arrives at a suspected intrusion scene. A desktop computer is powered on and logged in. The user claims they saw suspicious files being copied to a USB drive. Which of the following should the first responder do FIRST?

Question 47 (easy, multiple choice)

Which of the following is the BEST definition of computer forensics?

Question 48 (hard, multiple choice)

An analyst performs forensic imaging using the command: dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt bs=4096 conv=noerror,sync. What is the PRIMARY purpose of the 'hash=sha256' and 'hashlog=hash.txt' parameters?

Question 49 (medium, multiple choice)

During a forensic investigation, a lawyer objects to the admissibility of a log file on the grounds that it is hearsay. Which of the following is the BEST argument to overcome this objection?

Question 50 (medium, multiple choice)

An investigator needs to acquire data from a suspect's hard drive without altering any data. Which tool is MOST appropriate to ensure write-blocking at the hardware level?

Question 51 (easy, multiple choice)

What is the PRIMARY purpose of a chain of custody document in a forensic investigation?

Question 52 (hard, multiple choice)

An organization receives a legal hold notice for a civil lawsuit. An employee later deletes relevant emails from their mailbox. Which legal principle is MOST likely violated?

Question 53 (medium, multiple choice)

A forensic investigator uses the 'dd' command to create a forensic image. The original drive has a SHA-256 hash of a1b2c3... and the image produces the same hash. Which rule of evidence does this satisfy?

Question 54 (easy, multiple choice)

According to Locard's exchange principle, which of the following is TRUE in a digital forensic context?

Question 55 (medium, multiple choice)

During a forensic examination of a Windows system, the investigator finds a file named 'notes.txt' that contains a list of passwords. The file's last modified timestamp is before the incident date, but its last accessed timestamp is during the incident. Which type of evidence is this file considered?

Question 56 (hard, multiple choice)

An organization in the UK suspects an employee of data theft. The IT manager wants to search the employee's company-issued laptop without consent. Which law primarily governs this action?

Question 57 (medium, multiple choice)

An investigator needs to testify in court as an expert witness. Which of the following qualifications is MOST important for the court to accept their testimony?

Question 58 (medium, multi select)

Which TWO of the following are essential components of the forensic investigation process? (Select two.)

Question 59 (hard, multi select)

Which THREE of the following are valid rules of evidence that digital evidence must satisfy to be admissible in court? (Select three.)

Question 60 (easy, multi select)

Which TWO of the following are types of evidence recognized in legal proceedings? (Select two.)

Question 61 (easy, multiple choice)

A security analyst arrives at a crime scene where a computer is turned on and the screen shows a document. What is the FIRST action the analyst should take according to forensic best practices?

Question 62 (medium, multiple choice)

During a forensic investigation, a junior analyst suggests using a software write blocker to image a suspect's hard drive. Which of the following is the PRIMARY concern with relying solely on a software write blocker in a high-stakes legal case?

Question 63 (medium, multiple choice)

A forensic investigator is documenting evidence for a case. What is the PRIMARY purpose of maintaining an unbroken chain of custody for digital evidence?

Question 64 (hard, multiple choice)

During a forensic examination, an analyst runs `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=1G` on a suspect drive. What is the PRIMARY advantage of using `hashwindow=1G` over a single hash at the end?

Question 65 (medium, multiple choice)

In a corporate investigation, legal counsel issues a litigation hold to preserve electronically stored information (ESI) relevant to a lawsuit. Which of the following is the BEST description of a litigation hold?

Question 66 (easy, multiple choice)

Locard's exchange principle is fundamental to forensic science. How does this principle apply to computer forensics?

Question 67 (medium, multiple choice)

A forensic examiner needs to acquire an image of a suspect's laptop hard drive. The laptop is running, and the examiner wants to capture volatile data first. According to best practices, which order of steps should the examiner follow?

Question 68 (hard, multiple choice)

During an investigation, an analyst uses `dd if=/dev/sdb of=evidence.img bs=4k conv=noerror,sync`. What is the purpose of the `conv=noerror,sync` option?

Question 69 (easy, multiple choice)

Which US Constitutional amendment primarily governs the legality of searching and seizing digital devices?

Question 70 (medium, multiple choice)

A forensic analyst is testifying in court as an expert witness. What is the PRIMARY role of an expert witness in digital forensics?

Question 71 (hard, multiple choice)

In the context of e-discovery, what does the 'best evidence rule' require regarding digital documents?

Question 72 (medium, multiple choice)

A first responder arrives at a scene where a computer is suspected to contain evidence of fraud. The computer is turned on and a file is open. Which of the following actions should the responder AVOID?

Question 73 (medium, multi select)

Which TWO of the following are essential components of the rules of evidence for digital evidence to be admissible in court? (Choose two.)

Question 74 (hard, multi select)

Which THREE of the following are considered types of evidence under the rules of evidence? (Choose three.)

Question 75 (easy, multi select)

Which TWO of the following hashing algorithms are commonly used to verify the integrity of forensic images? (Choose two.)

Question 76 (easy, multiple choice)

A first responder arrives at a scene where a computer is turned on and a user is logged in. What is the FIRST action the responder should take to preserve volatile evidence?

Question 77 (medium, multiple choice)

During a forensic investigation, an analyst uses a tool to create a bit-for-bit copy of a hard drive while ensuring the original is not modified. Which of the following is a hardware write blocker that can be used for this purpose?

Question 78 (medium, multiple choice)

A security analyst responds to a suspected data breach. The analyst documents the scene, photographs the computer, and labels the cables. Which phase of the forensic investigation process is being performed?

Question 79 (hard, multiple choice)

During a forensic examination, an analyst uses the command 'dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt'. What is the primary purpose of including 'hash=sha256' in this command?

Question 80 (medium, multiple choice)

In a legal context, which rule of evidence requires that the evidence presented be sufficient to prove a fact and not be misleading?

Question 81 (easy, multiple choice)

What is the primary purpose of maintaining a chain of custody during a forensic investigation?

Question 82 (medium, multiple choice)

A forensic analyst is preparing to acquire an image from a suspect's hard drive. The analyst connects the drive to a write blocker, then uses FTK Imager to create a forensic image. Which hashing algorithm is commonly used by FTK Imager to verify image integrity?

Question 83 (hard, multiple choice)

An investigator seizes a computer that was involved in a crime. The suspect claims that the evidence was planted. Which forensic principle best helps to refute this claim by demonstrating that the evidence could only have been left by the suspect?

Question 84 (easy, multiple choice)

Under the US Fourth Amendment, when is a warrant generally NOT required for a computer search and seizure?

Question 85 (medium, multiple choice)

An expert witness is preparing to testify in a computer forensics case. Which of the following is a key requirement for the expert's testimony to be admissible under the Daubert standard?

Question 86 (medium, multiple choice)

A company receives a legal hold notice regarding a lawsuit. What immediate action should the company take to comply?

Question 87 (hard, multiple choice)

During a forensic investigation, an examiner finds a log entry: 'User JohnDoe accessed file contract.pdf at 10:32:45 AM'. This log is considered which type of evidence?

Question 88 (medium, multi select)

Which TWO of the following are legal frameworks or regulations that govern search and seizure of digital evidence in the United Kingdom?

Question 89 (hard, multi select)

Which THREE of the following are best practices for a first responder when arriving at a computer crime scene?

Question 90 (medium, multi select)

Which TWO of the following are considered types of evidence under the rules of evidence?

Question 91 (easy, multiple choice)

What is the primary goal of computer forensics?

Question 92 (easy, multiple choice)

During the first response to a computer incident, which of the following actions is MOST critical for preserving evidence?

Question 93 (easy, multiple choice)

Which type of evidence is based on information that is not directly from an eyewitness but is reported by someone else?

Question 94 (medium, multiple choice)

A first responder arrives at a scene where a computer is on and logged in. There is a suspicion that the system contains volatile data that may be crucial to the investigation. According to best practices, what should the first responder do?

Question 95 (medium, multiple choice)

In a UK-based investigation, which legal framework governs the search and seizure of digital evidence?

Question 96 (medium, multiple choice)

Which of the following is the BEST description of Locard's exchange principle as applied to digital forensics?

Question 97 (medium, multiple choice)

A forensic examiner needs to create a bit-for-bit copy of a suspect's hard drive for analysis. Which tool is specifically designed for this purpose and can also verify integrity using hashing?

Question 98 (medium, multiple choice)

During a forensic investigation, the examiner uses a write blocker to connect the suspect drive to the forensic workstation. What is the PRIMARY purpose of using a write blocker?

Question 99 (medium, multiple choice)

Which hashing algorithm is commonly used in forensic imaging to verify the integrity of evidence and is considered more secure than MD5?

Question 100 (hard, multiple choice)

An organization receives a legal hold notice regarding a pending lawsuit. The IT department is instructed to preserve all relevant electronically stored information (ESI). Which of the following actions must be taken FIRST?

Question 101 (hard, multiple choice)

A forensic analyst is preparing to testify as an expert witness in court. Which of the following characteristics is MOST essential for the court to accept the analyst's testimony?

Question 102 (hard, multiple choice)

During an e-discovery process, a forensic examiner encounters a hard drive that is encrypted using BitLocker. The examiner has a valid password to unlock the drive. Which of the following is the MOST appropriate action to acquire the data while maintaining the chain of custody?

Question 103 (medium, multi select)

Which TWO of the following are essential components of chain of custody documentation?

Question 104 (hard, multi select)

A first responder arrives at a crime scene where a computer is running. Which THREE actions should the first responder take to preserve volatile evidence?

Question 105 (medium, multi select)

Which TWO of the following are hardware write blockers commonly used in forensic acquisitions?

Question 106 (easy, multiple choice)

A first responder arrives at a crime scene where a computer is powered on and displaying a desktop. According to best practices, which of the following actions should the responder take FIRST?

Question 107 (medium, multiple choice)

During a forensic investigation, an analyst acquires a hard drive using a hardware write blocker. Which of the following is the PRIMARY reason for using a hardware write blocker?

Question 108 (medium, multiple choice)

After collecting digital evidence from a suspect's computer, the forensic examiner creates a forensic image using FTK Imager. The examiner then computes the MD5 hash of the original drive and the image file. Which of the following BEST describes the purpose of this hashing?

Question 109 (hard, multiple choice)

An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT administrator is instructed to preserve all relevant electronic records. Which of the following actions is MOST consistent with proper legal hold implementation?

Question 110 (easy, multiple choice)

Which of the following principles states that when two objects come into contact, there is a transfer of material between them?

Question 111 (medium, multiple choice)

During a forensic investigation, the analyst needs to create a forensic image of a hard drive that also hashes the data during acquisition. Which command-line tool would be MOST appropriate for this task?

Question 112 (hard, multiple choice)

In a UK-based investigation, law enforcement officers seize a computer without a warrant. The suspect argues the seizure violated his rights under the Police and Criminal Evidence Act 1984 (PACE). Which of the following is a key consideration under PACE regarding the admissibility of the seized evidence?

Question 113 (medium, multiple choice)

A forensic analyst is testifying as an expert witness in court. The opposing counsel challenges the analyst's testimony based on the Frye standard. What does the Frye standard require for scientific evidence to be admissible?

Question 114 • medium • multiple choice

During a forensic examination, the analyst encounters a file that is not automatically readable by forensic tools. The analyst suspects the file contains contraband images. Which of the following is the BEST approach to handle this evidence in accordance with the rules of evidence?

Question 115 • easy • multiple choice

Which of the following BEST describes the chain of custody in digital forensics?

Question 116 • hard • multiple choice

A company's legal department issues a legal hold notice for electronically stored information (ESI) related to a pending lawsuit. The IT department is tasked with preserving data. Which of the following actions is MOST likely to violate the legal hold requirements?

Question 117 • medium • multiple choice

An investigator is examining a Windows system and needs to capture volatile data without altering the system. Which of the following tools would be MOST appropriate for acquiring the contents of RAM?

Question 118 • medium • multi select

Which TWO of the following are considered forms of evidence under the rules of evidence? (Select two.)

Question 119 • hard • multi select

Which THREE of the following are essential steps in the digital forensics investigation process? (Select three.)

Question 120 • easy • multi select

Which TWO of the following are common hashing algorithms used to verify the integrity of forensic images? (Select two.)

Question 121 • easy • multiple choice

During a forensic investigation, the first responder arrives at a scene where a computer is powered on and a user is logged in. Which of the following is the MOST appropriate initial action?

Question 122 • medium • multiple choice

A forensic analyst is creating a forensic image of a suspect's hard drive using a write blocker. Which of the following BEST describes the purpose of using a hardware write blocker?

Question 123 • hard • multiple choice

During a forensic investigation, an analyst uses the following command: dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync. What is the effect of the conv=noerror,sync option?

Question 124 • easy • multiple choice

Which of the following is the BEST example of direct evidence in a computer forensics investigation?

Question 125 • medium • multiple choice

A forensic investigator is required to testify in court about the findings of a digital investigation. Which of the following roles does the investigator fulfill?

Question 126 • medium • multiple choice

During an investigation, a forensic analyst must preserve a hard drive that is part of a RAID array. Which of the following is the MOST appropriate method to preserve the evidence?

Question 127 • hard • multiple choice

A forensic examiner is presented with evidence that a suspect's computer was used to commit a fraud. The defense argues that the evidence was obtained without a warrant. Which US Constitutional Amendment is MOST relevant to this argument?

Question 128 • medium • multiple choice

Which of the following tools is specifically designed for forensic imaging and can create compressed, segmented, or E01 format images?

Question 129 • easy • multiple choice

Locard's exchange principle in digital forensics states that:

Question 130 • medium • multiple choice

A legal hold is issued by an organization's legal department. What is the primary purpose of a legal hold?

Question 131 • hard • multiple choice

During a forensic investigation, the analyst needs to verify the integrity of a forensic image. The analyst originally computed MD5 and SHA-1 hashes of the source drive. Which action BEST ensures the image has not been altered?

Question 132 • medium • multiple choice

In the context of the UK Police and Criminal Evidence Act (PACE), which of the following is a key requirement for the admissibility of digital evidence?

Question 133 • medium • multi select

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO.)

Question 134 • hard • multi select

Which THREE of the following are rules of evidence that must be satisfied for digital evidence to be admissible in court? (Select THREE.)

Question 135 • easy • multi select

Which TWO of the following are considered best practices for a first responder at a digital crime scene? (Select TWO.)

Question 136 • medium • multiple choice

A first responder arrives at a suspected data breach scene. The system is powered on and a user is logged in. Which of the following actions should the responder take FIRST to preserve volatile data?

Question 137 • easy • multiple choice

Which of the following is the PRIMARY purpose of using a write blocker in computer forensics?

Question 138 • hard • multiple choice

During a forensic examination, an analyst runs the following command: 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4k conv=noerror,sync'. The source drive has bad sectors. What is the effect of the 'conv=noerror,sync' option?

Question 139 • medium • multiple choice

An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT department is instructed to preserve all relevant electronic data. Which of the following actions should be taken FIRST to comply with the legal hold?

Question 140 • easy • multiple choice

Which of the following BEST describes Locard's exchange principle as applied to digital forensics?

Question 141 • medium • multiple choice

A forensic analyst needs to create a forensic image of a suspect's hard drive using FTK Imager. Which of the following image formats is MOST appropriate for maintaining evidence integrity and allowing compression?

Question 142 • hard • multiple choice

During an internal investigation, an employee is suspected of leaking sensitive data. The security team finds that the employee's computer has been turned off. Which of the following evidence types would be LOST due to the system being powered off?

Question 143 • medium • multiple choice

A forensic examiner needs to verify the integrity of a forensic image after acquisition. Which of the following methods is the MOST reliable for ensuring the image has not been altered?

Question 144 • medium • multi select

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)

Question 145 • hard • multi select

According to the US Fourth Amendment, which of the following THREE conditions generally allow law enforcement to search and seize digital evidence without a warrant? (Select THREE)

Question 146 • easy • multi select

Which TWO of the following are examples of circumstantial evidence in a digital forensics investigation? (Select TWO)

Question 147 • medium • multi select

A forensic examiner is preparing to testify as an expert witness. Which THREE of the following qualities are essential for the examiner's testimony to be admissible under the Daubert standard? (Select THREE)

Question 148 • medium • multi select

Which TWO of the following are BEST practices when using a hardware write blocker during forensic acquisition? (Select TWO)

Question 149 • hard • multi select

In the context of e-discovery, which THREE of the following are key steps in the Electronic Discovery Reference Model (EDRM)? (Select THREE)

Question 150 • medium • multi select

Which TWO of the following are valid reasons for a first responder to power off a computer system at a crime scene? (Select TWO)

Question 151 • medium • multiple choice

A security analyst arrives at a suspected computer crime scene. The computer is on and a user is logged in. The analyst needs to preserve volatile data. According to first responder duties, what should the analyst do FIRST?

Question 152 • hard • multiple choice

During a forensic examination, an analyst uses the command 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync'. What is the primary purpose of the 'conv=noerror,sync' option in this context?

Question 153 • easy • multiple choice

Which of the following is the BEST definition of Locard's exchange principle in computer forensics?

Question 154 • medium • multi select

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)

Question 155 • hard • multi select

A forensic examiner has acquired a disk image using FTK Imager and needs to ensure the image is an exact duplicate of the original drive. Which THREE of the following methods can be used to verify integrity? (Select THREE)
