
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CHFI Storage Forensics and File System Analysis • Complete Question Bank

CHFI Storage Forensics and File System Analysis — All Questions With Answers

Complete CHFI Storage Forensics and File System Analysis question bank — all 0 questions with answers and detailed explanations.

172 Questions • Free • No signup
Question 1 • easy • multiple choice

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

Question 2 • easy • multiple choice

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?

Question 3 • easy • multiple choice

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?

Question 4 • medium • multiple choice

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?

Question 5 • medium • multiple choice

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?

Question 6 • medium • multiple choice

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?

Question 7 • medium • multiple choice

A security analyst is investigating a compromised Windows system and wants to see which processes were running at the time of memory capture. Which Volatility command should they use?

Question 8 • medium • multiple choice

An examiner acquires a forensic image of an SSD from a suspect's laptop. The SSD was connected to a system with TRIM enabled. What challenge will the examiner most likely face when trying to recover deleted files?

Question 9 • medium • multiple choice

During a forensic analysis of a drive, the examiner discovers a Host Protected Area (HPA). What is the primary purpose of an HPA?

Question 10 • hard • multiple choice

An investigator is analyzing a RAID 5 array consisting of three disks. One disk fails and is replaced. After rebuilding, the file system appears corrupted. What is the MOST likely cause?

Question 11 • hard • multiple choice

During memory analysis, an examiner uses the Volatility 'malfind' plugin and discovers a process with executable code in an executable heap. Which technique is most likely being used by malware to avoid detection?

Question 12 • hard • multiple choice

An investigator uses FTK Imager to capture a forensic image of a suspect's hard drive. During acquisition, the tool reports that the DCO (Device Configuration Overlay) is present. What does this indicate?

Question 13 • medium • multi select

Which TWO of the following are file systems that use journaling to maintain integrity?

Question 14 • medium • multi select

Which THREE of the following are techniques used to hide data on a hard drive?

Question 15 • hard • multi select

Which TWO of the following are challenges specific to SSD forensics compared to HDD forensics?

Question 16 • medium • multiple choice

During a forensic examination of a Windows 10 system, an investigator runs the following command: 'fsutil usn readjournal C: > usn_output.txt'. What is the primary purpose of this action?

Question 17 • hard • multiple choice

An analyst recovers a disk image from a Linux server that used ext4. The image shows a superblock backup at multiple offsets. Which dd command would correctly extract the backup superblock located at offset 32768 bytes?

Question 18 • easy • multiple choice

Which file system artifact in NTFS is used to hide data by appending a stream to an existing file without affecting its primary data stream?

Question 19 • medium • multiple choice

During a forensic investigation, an analyst finds a file with a creation timestamp earlier than the volume's formatted timestamp. Which of the following is the most likely explanation?

Question 20 • hard • multiple choice

In an ext3 file system, after deleting a file, the inode's link count drops to 0, but the data blocks remain. Which of the following is true regarding recovery?

Question 21 • medium • multiple choice

An investigator uses the Volatility framework on a memory dump from a Windows 10 system. Which command would list all processes, including those hidden by rootkits?

Question 22 • easy • multiple choice

What is the primary purpose of the Host Protected Area (HPA) on a hard disk drive?

Question 23 • medium • multiple choice

A forensic investigator is examining a Mac system with APFS. Which artifact would be most useful for determining the exact time a file was moved to the Trash?

Question 24 • hard • multiple choice

In a RAID 5 array with three disks, one disk fails. The investigator images the remaining two disks and wants to reconstruct the missing data. Which approach is most appropriate?

Question 25 • medium • multiple choice

An analyst runs 'foremost -i disk.dd -o output' and recovers several JPEG files. However, some files are corrupted or incomplete. What is the most likely cause?

Question 26 • easy • multiple choice

Which tool is specifically designed to acquire RAM from a Linux system for forensic analysis?

Question 27 • hard • multiple choice

An investigator notes that a file on an NTFS volume has a resident data size of 900 bytes, but the $DATA attribute lists an allocated size of 1024 bytes. What does this indicate?

Question 28 • medium • multi select

Which TWO of the following are valid methods for hiding data on an NTFS volume without using third-party tools? (Select 2)

Question 29 • hard • multi select

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives? (Select 3)

Question 30 • medium • multi select

An investigator is analyzing a memory dump with Volatility and wants to identify network connections. Which TWO commands can provide information about TCP and UDP connections? (Select 2)

Question 31 • easy • multiple choice

A forensic analyst finds a partition that uses the Master Boot Record (MBR) scheme. Which of the following is TRUE about the MBR partition table?

Question 32 • medium • multiple choice

During an investigation, an analyst recovers deleted files from an NTFS volume. She notices that some files have data hidden in a stream that is not visible in regular directory listings. This stream is associated with a file but not stored in the $MFT. Which NTFS feature is being used to hide the data?

Question 33 • hard • multiple choice

A security analyst suspects an attacker has hidden data in the Host Protected Area (HPA) of a suspect's hard drive. Which of the following tools is BEST suited to detect and access the HPA?

Question 34 • easy • multiple choice

In FAT32, the File Allocation Table (FAT) is used to track which clusters are allocated to files. If a file is deleted, what happens to the FAT entries for that file?

Question 35 • medium • multiple choice

During a forensic examination of an ext4 filesystem, the analyst discovers that a suspicious file was deleted but the inode still exists in the filesystem. Which of the following techniques would MOST likely recover the file's data?

Question 36 • hard • multiple choice

An investigator images an SSD that has TRIM enabled. Which of the following challenges will MOST likely affect the recovery of deleted files from this SSD?

Question 37 • easy • multiple choice

A forensic analyst is examining a disk image and needs to identify the file system structure. She looks for the Master File Table ($MFT) to begin analysis. Which file system is she most likely dealing with?

Question 38 • medium • multiple choice

In a memory forensics investigation using Volatility, an analyst wants to see a list of processes that were active at the time of acquisition, including hidden processes. Which Volatility command should be used?

Question 39 • hard • multiple choice

A forensic investigator is analyzing a RAID 0 array consisting of two disks. She uses FTK Imager to acquire the logical drive. However, the data appears interleaved. What additional step is necessary to properly assemble the image?

Question 40 • medium • multiple choice

An analyst finds evidence that an attacker used steganography to hide data within image files on the suspect's computer. Which of the following tools is MOST appropriate for detecting steganography in these images?

Question 41 • easy • multiple choice

What is slack space in a file system?

Question 42 • medium • multiple choice

During a forensic examination, an analyst uses Autopsy to view the contents of the Recycle Bin on a Windows 10 system. However, some files that were deleted by the user do not appear in the Recycle Bin. What is the MOST likely reason?

Question 43 • medium • multi select

Which TWO of the following are valid techniques for acquiring RAM in a Windows system?

Question 44 • hard • multi select

Which THREE of the following are characteristics of the GPT (GUID Partition Table) compared to MBR?

Question 45 • medium • multi select

Which TWO of the following tools are commonly used for file carving during forensic investigations?

Question 46 • easy • multiple choice

During a forensic investigation, you find an NTFS volume with a file that has an alternate data stream (ADS). Which command in Windows can be used to list all ADS on a file?

Question 47 • medium • multiple choice

An analyst is investigating a compromised Linux system and runs `ls -i` on a deleted file's directory. The inode number is 12345. Which tool can recover the file contents by referencing the inode?

Question 48 • hard • multiple choice

During a forensic examination of a solid-state drive (SSD), you notice that files deleted several months ago cannot be recovered using traditional file carving tools. Which SSD feature is MOST likely preventing recovery?

Question 49 • medium • multiple choice

An investigator needs to recover a deleted partition from a disk that originally used an MBR partition table. Which tool can scan the disk for lost partitions and rebuild the partition table?

Question 50 • medium • multiple choice

In NTFS, the $MFT file contains metadata about every file and directory on the volume. When a file is deleted, its $MFT record is marked as free. What information in the $MFT record is MOST useful for recovering a deleted file?

Question 51 • easy • multiple choice

A forensic analyst is investigating a Windows system and needs to examine the contents of the Recycle Bin. Which file artifact contains metadata about deleted files, including original file paths and deletion times?

Question 52 • medium • multiple choice

An analyst is analyzing a disk image and finds a 512-byte sector at LBA 0 that contains a bootloader and a partition table. The partition table has four entries, each 16 bytes. What type of partition table is this?

Question 53 • hard • multiple choice

During a forensic analysis of a compromised server, you discover that a rootkit has hidden itself by modifying the HPA (Host Protected Area) of the hard disk. Which tool can detect the presence of an HPA by comparing the reported size with the actual number of sectors?

Question 54 • medium • multiple choice

An investigator is examining a FAT32 filesystem and needs to recover a deleted file. In FAT32, the directory entry for a deleted file has the first byte of the filename set to 0xE5. What does this indicate?

Question 55 • easy • multiple choice

Which file system artifact in NTFS records file system events such as file creation, deletion, and modification, and is often used to track attacker activities?

Question 56 • hard • multiple choice

A forensic examiner finds a file on an NTFS volume that appears to have data hidden in its alternate data stream. The file's size is reported as 10 KB, but the volume's cluster size is 4 KB. How many clusters of file slack could potentially contain hidden data in the primary stream?

Question 57 • medium • multiple choice

During a forensic investigation, you need to acquire the RAM of a running Linux system. Which tool is specifically designed for memory acquisition on Linux?

Question 58 • medium • multi select

Which TWO of the following are common challenges in SSD forensics that can hinder data recovery?

Question 59 • medium • multi select

Which TWO tools are specifically designed for file carving (recovering files based on signatures) and are commonly used in digital forensics?

Question 60 • hard • multi select

Which THREE of the following are valid memory forensic artifacts that can be extracted using the Volatility framework?

Question 61 • easy • multiple choice

A forensic investigator examines a hard drive and needs to recover deleted files. Which tool is specifically designed for file carving by scanning raw data for file headers and footers without relying on the file system?

Question 62 • easy • multiple choice

During a forensic analysis of an NTFS volume, an investigator finds a file that appears to be hidden. Which NTFS feature allows data to be stored in a file without affecting the file's visible size in the directory listing?

Question 63 • easy • multiple choice

An analyst is investigating a compromised Linux system. Which file system structure holds metadata about every file and directory, including permissions, ownership, timestamps, and pointers to data blocks?

Question 64 • medium • multiple choice

A forensic examiner acquires a RAM image from a Windows 10 system and uses Volatility to analyze it. Which command would list all running processes along with their parent process IDs and command lines?

Question 65 • medium • multiple choice

During a forensic investigation of a hard disk, the investigator finds that the partition table is missing. The disk was previously partitioned using GPT. Which area of the disk should be examined to recover the GPT partition table?

Question 66 • medium • multiple choice

An investigator is analyzing a FAT32 drive and notices that a deleted file's directory entry still exists, but the first byte of the filename is changed to 0xE5. What does this indicate about the file?

Question 67 • medium • multiple choice

In an ext4 file system, after a file is deleted, the inode's di_mode field is set to 0 and the block pointers are cleared. However, the file content may still be recoverable until what happens?

Question 68 • medium • multiple choice

A forensic analyst is examining an SSD that may have had deleted files. The analyst is concerned about the TRIM command. What effect does TRIM have on forensic recovery of deleted files?

Question 69 • medium • multiple choice

During a forensic investigation, an analyst uses a tool to capture the contents of RAM from a live Linux system. Which tool is specifically designed for this purpose and can acquire memory over a network or via a local kernel module?

Question 70 • hard • multiple choice

A forensic examiner is analyzing a RAID 5 array consisting of three disks. One disk has failed and is not available. The remaining two disks contain data and parity. Which technique can be used to reconstruct the missing disk's data and recover the original data?

Question 71 • hard • multiple choice

An analyst discovers that a Windows system has hidden data in the Host Protected Area (HPA) of the hard drive. Which tool or method can be used to detect and access the HPA?

Question 72 • hard • multiple choice

During a forensic analysis of an APFS volume, the investigator needs to examine file metadata such as creation time, modification time, and extended attributes. Which APFS structure contains this information?

Question 73 • medium • multi select

Which TWO of the following are valid methods to hide data on an NTFS volume? (Choose two.)

Question 74 • medium • multi select

Which THREE of the following are characteristics of the Master File Table ($MFT) in NTFS? (Choose three.)

Question 75 • hard • multi select

Which TWO of the following are challenges in SSD forensics compared to traditional HDD forensics? (Choose two.)

Question 76 • easy • multiple choice

A forensic analyst is examining a Windows 10 system and needs to view the Master File Table ($MFT) to identify recently deleted files. Which tool is most appropriate for parsing the $MFT directly?

Question 77 • medium • multiple choice

During a forensic examination of a Linux ext4 file system, an investigator runs the `ls -i` command and sees inode numbers. They need to examine the inode structure. Which command should they use to display detailed inode information?

Question 78 • hard • multiple choice

An analyst discovers a hidden partition on a hard drive that does not appear in the standard MBR partition table. The drive uses GPT partitioning. Which area of the disk should be examined to find evidence of a hidden partition?

Question 79 • medium • multiple choice

A forensic investigator is analyzing a USB drive formatted with FAT32 and finds that a deleted file's directory entry still exists but the first character of the filename is replaced with 0xE5. What does this indicate?

Question 80 • medium • multiple choice

An investigator is using Autopsy to analyze a disk image from a suspected hacker's computer. They want to recover deleted JPEG images that may have been stored in unallocated clusters. Which Autopsy feature is best suited for this task?

Question 81 • hard • multiple choice

During a forensic investigation of a Windows 10 system, you find that a suspect used the 'cipher /w:C:' command. What is the primary forensic implication of this action?

Question 82 • easy • multiple choice

A forensic analyst needs to acquire RAM from a live Linux system for memory analysis. Which tool is specifically designed for this purpose and can capture memory without rebooting?

Question 83 • medium • multiple choice

An investigator finds evidence of data hidden using Alternate Data Streams (ADS) on an NTFS volume. Which command would display all ADS associated with files in a directory?

Question 84 • hard • multiple choice

During a forensic examination of a solid-state drive (SSD), the analyst notices that the TRIM command was enabled. What challenge does this pose for data recovery?

Question 85 • easy • multiple choice

Which file system journal is commonly used in Linux ext3/ext4 to record metadata changes before they are committed to the main file system?

Question 86 • medium • multiple choice

A security analyst examines a compromised Windows server and finds a file named 'readme.txt' that appears legitimate. However, using `dir /r`, they discover an alternate data stream named 'readme.txt:hidden.exe'. What is the most likely purpose of this alternate data stream?

Question 87 • medium • multiple choice

An investigator uses the `volatility -f mem.dump netscan` command on a memory dump from a Windows 10 system. What information is this command primarily intended to reveal?

Question 88 • medium • multi select

Which TWO of the following are features of the NTFS file system that can be used to hide data? (Select TWO.)

Question 89 • hard • multi select

Which THREE of the following present unique challenges for forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select THREE.)

Question 90 • easy • multi select

Which TWO of the following are commonly used tools for file carving (recovering files based on file signatures)? (Select TWO.)

Question 91 • easy • multiple choice

During a forensic investigation, an analyst needs to recover recently deleted files from a FAT32 partition. Which of the following techniques is MOST effective for recovering files whose directory entries have been marked as deleted but the clusters have not yet been overwritten?

Question 92 • medium • multiple choice

An examiner is analyzing an NTFS volume and suspects that a suspect hid data using Alternate Data Streams (ADS). Which tool or method is MOST appropriate to list all ADS on the volume?

Question 93 • hard • multiple choice

During a memory forensics analysis using Volatility, an examiner runs 'python vol.py -f memory.dmp pslist' and sees a suspicious process named 'expl0rer.exe' with a PPID of 4. What does a PPID of 4 indicate, and what should the examiner do next?

Question 94 • medium • multiple choice

An analyst is investigating a Linux server running ext4 and needs to recover deleted files that may have been overwritten partially. Which technique is BEST suited for recovering fragments of known file types when the inode metadata is lost?

Question 95 • easy • multiple choice

A forensic examiner needs to acquire the RAM from a Windows 10 system without altering the contents. Which tool is MOST appropriate for this task?

Question 96 • medium • multiple choice

During an investigation of a compromised system, the analyst discovers that the suspect used steganography to hide data within image files. Which forensic tool is BEST suited for detecting hidden data in images through statistical analysis?

Question 97 • hard • multiple choice

A forensic analyst is examining a RAID 5 array consisting of three disks. One disk has failed and has been replaced. The array is rebuilt automatically. However, the analyst needs to recover deleted files that existed before the rebuild. What is the MOST significant challenge in this scenario?

Question 98 • medium • multiple choice

An examiner is analyzing an SSD and notices that TRIM is enabled. Why does TRIM pose a challenge for digital forensics?

Question 99 • easy • multiple choice

Which of the following partition table types uses a protective MBR and a GPT header, and is recommended for disks larger than 2 TB?

Question 100 • hard • multiple choice

During a forensic examination of an NTFS drive, an analyst runs 'fsutil usn readjournal C:' and observes a large number of USN journal entries for a specific file after a certain date. The file's $MFT record shows a last modified timestamp far earlier than the journal entries. What does this discrepancy suggest?

Question 101 • medium • multiple choice

An analyst is examining a hard drive that was seized from a suspect. The drive is detected as a smaller capacity than listed on the label. Which of the following is the MOST likely explanation?

Question 102 • medium • multiple choice

An investigator needs to analyze the contents of the Windows Recycle Bin on a system running Windows 10. Which artifact(s) should the investigator examine to determine the original location and deletion time of a file in the Recycle Bin?

Question 103 • medium • multi select

Which TWO of the following are valid methods to hide data on an NTFS file system without using external tools?

Question 104 • hard • multi select

Which THREE of the following are challenges specific to SSD forensics compared to HDD forensics?

Question 105 • medium • multi select

Which TWO of the following tools are commonly used for file carving in forensic investigations?

Question 106 • easy • multiple choice

During a forensic analysis of a Windows 10 system, an investigator needs to locate the Master File Table ($MFT) to analyze file metadata. Which file system structure contains the $MFT?

Question 107 • medium • multiple choice

An analyst suspects that sensitive data was hidden in the NTFS Alternate Data Streams (ADS) of a file on a suspect's drive. Which tool is specifically designed to enumerate and extract data from ADS on a live Windows system?

Question 108 • medium • multiple choice

During a forensic examination of a Linux system, the investigator runs the command 'ls -i /home/user/file.txt' and sees inode number 12345. The file was recently deleted. Which of the following is the most effective method to recover the file, assuming the inode is still accessible?

Question 109 (hard, multiple choice)

An analyst is examining a RAID 5 array of three disks. One disk has failed and been replaced; the array is rebuilding. Which of the following is the most significant forensic challenge regarding data acquisition from this array?

Question 110 (medium, multiple choice)

In an investigation of a Windows system, the analyst uses Volatility's 'netscan' plugin and identifies a suspicious outbound connection to an IP address on port 4444. Which of the following is the most likely associated malicious activity?

Question 111 (easy, multiple choice)

An investigator needs to recover deleted files from a USB drive formatted with FAT32. Which of the following techniques would be most effective, assuming the files have not been overwritten?

Question 112 (medium, multiple choice)

During a forensic acquisition of a suspect's SSD, the analyst notices that the drive supports TRIM. Which of the following is the most important consideration when acquiring the drive to preserve deleted data?

Question 113 (hard, multiple choice)

An investigator is analyzing a memory dump from a compromised server using Volatility. The 'pslist' plugin shows a process with no parent PID (PPID). Which of the following is the most likely explanation?

Question 114 (medium, multiple choice)

Which of the following best describes the purpose of the Host Protected Area (HPA) on a hard disk drive?

Question 115 (easy, multiple choice)

An analyst is examining an Apple Mac system and needs to recover deleted files from an APFS volume. Which tool is most appropriate for this task?

Question 116 (medium, multiple choice)

During an investigation, an analyst recovers a file from unallocated space that contains fragments of a deleted document. The file size is 512 bytes, but the cluster size of the volume is 4096 bytes. What is the term for the unused bytes between the end of the file and the end of the last cluster?

Question 117 (hard, multiple choice)

An analyst is examining a USB drive that appears to have a smaller capacity than expected. The drive is detected as 8 GB but only 7 GB is accessible. Which of the following is the most likely cause?

Question 118 (medium, multi select)

Which two of the following are characteristics of the ext4 file system? (Choose TWO.)

Question 119 (hard, multi select)

Which three of the following are common techniques used to hide data on a storage device? (Choose THREE.)

Question 120 (easy, multi select)

Which two of the following are tools used for memory forensics acquisition? (Choose TWO.)

Question 121 (easy, multiple choice)

During a forensic investigation, an analyst examines a hard disk and notices that the partition table uses a 64-bit scheme with a maximum of 128 partitions. Which partition table type is in use?

Question 122 (easy, multiple choice)

A forensic analyst is examining a FAT32 file system and finds that the file allocation table indicates a cluster chain ending with 0x0FFFFFFF. What does this value signify?

Question 123 (medium, multiple choice)

When analyzing an NTFS volume, an investigator wants to identify files that were recently accessed or modified. Which NTFS artifact stores metadata about file system changes and can be parsed using tools like MFTECmd or NTFSLogTracker?

Question 124 (medium, multiple choice)

A security analyst detects suspicious activity on a Windows workstation. They acquire RAM using WinPmem and analyze it with Volatility. Which Volatility command would list all active processes along with their parent process IDs?

Question 125 (medium, multiple choice)

During an investigation of a Linux system, an analyst runs `ls -li` and sees that a file's inode number is 0. What does this indicate about the file?

Question 126 (hard, multiple choice)

An investigator recovers a file from unallocated space on an NTFS drive using file carving. The file appears to contain alternate data streams (ADS). Which tool can be used to list all ADS associated with a file on a live Windows system?

Question 127 (easy, multiple choice)

A forensic examiner wants to recover deleted files from a USB drive formatted with FAT32. Which file carving tool is specifically designed to recover files based on file headers and footers?

Question 128 (medium, multiple choice)

During a forensic examination of an SSD, the analyst notes that TRIM is enabled. What challenge does TRIM pose for data recovery?

Question 129 (hard, multiple choice)

An analyst retrieves a forensic image of a hard drive and discovers that the size reported by the operating system is smaller than the actual physical capacity. The extra space is not accessible through standard partition tools. This hidden area is MOST likely:

Question 130 (medium, multiple choice)

In an ext4 file system, a forensic analyst needs to examine the journal to recover recently deleted files. Where is the journal typically stored?

Question 131 (easy, multiple choice)

Which of the following is a Windows-based forensic suite that provides timeline analysis, keyword search, and file system browsing for forensic investigations?

Question 132 (hard, multiple choice)

A forensic investigator analyzing a RAID 5 array of three disks notices that one disk has failed. Can the investigator still reconstruct the data?

Question 133 (medium, multi select)

An analyst is examining a memory dump using Volatility and wants to identify network connections. Which TWO Volatility plugins can be used to list network connections?

Question 134 (medium, multi select)

Which THREE of the following are types of slack space that can contain hidden data on a hard disk?

Question 135 (hard, multi select)

A forensic analyst is recovering deleted files from an ext3 file system. Which TWO methods can be used to recover deleted inodes?

Question 136 (medium, multiple choice)

During a forensic investigation, you encounter a Windows system with an NTFS volume. The suspect claims they never used the recycle bin, but you find files in the $Recycle.bin folder. Which artifact can help you determine the original file path and deletion time?

Question 137 (hard, multiple choice)

An analyst is investigating a Linux server that suffered a data breach. The attacker deleted several log files. The analyst runs `debugfs /dev/sda1` and issues the command `lsdel`. What is the purpose of this command in the context of file recovery?

Question 138 (medium, multiple choice)

A forensic investigator recovers a hard drive from a suspect's computer. The drive is detected as 120 GB in BIOS, but forensic tools report only 100 GB of addressable space. Which data hiding technique is MOST likely being used?

Question 139 (medium, multiple choice)

During a forensic examination of a Windows 10 system, you find a file with an ADS named `:hidden.txt` attached to `legal.docx`. Using FTK Imager, you extract the ADS and discover it contains a list of passwords. Which tool or technique could also be used to identify this hidden data?

Question 140 (easy, multiple choice)

A security analyst is investigating a compromised Windows server and wants to capture the contents of RAM for analysis. Which of the following tools is specifically designed for this purpose?

Question 141 (hard, multiple choice)

During a forensic investigation, you encounter a RAID 5 array consisting of three 1 TB disks. The array is failed, and you need to reconstruct the original data. Which of the following approaches is MOST appropriate for data recovery?

Question 142 (medium, multiple choice)

A forensic analyst is examining a USB drive formatted with FAT32. A suspect claims they deleted a file several weeks ago. The analyst uses a carving tool but cannot recover the file. What is the MOST likely reason for the failed recovery?

Question 143 (easy, multiple choice)

Which of the following best describes the purpose of the Master File Table (MFT) in the NTFS filesystem?

Question 144 (hard, multiple choice)

An investigator acquires an SSD from a laptop that has been turned off for 24 hours. The suspect recently deleted several incriminating files. Using a forensic imager, the investigator creates a bit-for-bit copy. However, when analyzing the image, the deleted files' data appears to be zeros. What is the MOST likely cause?

Question 145 (medium, multiple choice)

A Linux system uses the ext4 filesystem. A forensic analyst needs to recover a recently deleted file. Which of the following methods is MOST likely to succeed if the file's inode has not been reallocated?

Question 146 (medium, multiple choice)

During a forensic examination of a Windows system, an analyst runs the Volatility plugin `netscan` on a memory dump. What information does this plugin primarily provide?

Question 147 (easy, multiple choice)

What is the primary difference between MBR and GPT partition tables?

Question 148 (medium, multi select)

Which TWO of the following are Volatility plugins used for process enumeration? (Select two.)

Question 149 (hard, multi select)

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select three.)

Question 150 (easy, multi select)

Which TWO of the following are examples of file carving tools? (Select two.)

Question 151 (easy, multiple choice)

A forensic analyst is examining a hard drive and needs to identify the number of sectors per track. Which component of the hard disk structure defines this?

Question 152 (medium, multiple choice)

During a forensic examination of a Windows system, an analyst finds a file that appears to be zero bytes in size when viewed in Windows Explorer, but the file's properties show a size on disk of 4 KB. What is the most likely explanation?

Question 153 (hard, multiple choice)

An analyst is investigating a Linux system that used ext4. The suspect deleted several files and then ran 'fstrim' on the partition. Which of the following best describes the challenge in recovering the deleted data?

Question 154 (medium, multiple choice)

A security analyst receives an image of a hard drive with a GPT partition table. Which of the following is a key difference between GPT and MBR that the analyst should consider?

Question 155 (easy, multiple choice)

Which file system uses a Master File Table ($MFT) as its central catalog for file metadata?

Question 156 (medium, multiple choice)

An analyst is recovering deleted files from a FAT32 file system. The file system uses a cluster size of 4096 bytes. The first cluster of a deleted file is cluster 100. Which structure contains the chain of clusters for this file?

Question 157 (medium, multiple choice)

During a forensic investigation, an analyst discovers data hidden in the Host Protected Area (HPA) of a hard drive. Which tool is commonly used to view and access the HPA?

Question 158 (hard, multiple choice)

An analyst is examining an NTFS volume and finds that a file's $MFT record indicates it is resident. What does this imply about the file's data?

Question 159 (easy, multiple choice)

Which forensic tool is specifically designed to recover lost partitions or file system structures and can also be used for data carving?

Question 160 (medium, multi select)

Which TWO of the following are challenges specific to SSD forensics compared to traditional HDD forensics?

Question 161 (hard, multi select)

An analyst is conducting memory forensics on a Windows system using Volatility. Which THREE commands can provide information about network connections?

Question 162 (medium, multi select)

Which TWO of the following are methods used to hide data within the NTFS file system?

Question 163 (hard, multi select)

In ext3/ext4 file systems, which THREE of the following are key structures used for file metadata and recovery?

Question 164 (medium, multi select)

Which TWO tools are commonly used for file carving during a forensic investigation?

Question 165 (easy, multi select)

Which TWO of the following are types of slack space that can contain forensic evidence?

Question 166 (medium, multiple choice)

During a forensic investigation, an analyst recovers a hard drive that uses GPT partitioning. The analyst needs to locate the backup GPT header to verify partition table integrity. Where is the backup GPT header typically stored on the disk?

Question 167 (easy, multiple choice)

An analyst is examining a Windows 10 system and discovers a file in the $Recycle.bin folder with a name like '$RABCDEF.txt'. The analyst wants to recover the original file path and deletion date. Which forensic artifact should the analyst examine?

Question 168 (hard, multiple choice)

During an investigation, an analyst uses the `volatility -f mem.dmp windows.pslist` command and observes a process named 'svchost.exe' with PID 1234. Further analysis shows that this process has no parent process (PPID = 0). What is the MOST likely explanation for this anomaly?

Question 169 (medium, multi select)

A forensic analyst is investigating a compromised Linux server running an ext4 file system. The analyst suspects the attacker deleted critical log files (e.g., /var/log/auth.log) and wants to recover them. Which TWO techniques would be MOST effective for recovering the deleted files?

Question 170 (medium, multi select)

An analyst is examining a Windows 10 system and suspects the use of NTFS alternate data streams (ADS) to hide malicious executables. Which THREE methods can the analyst use to detect hidden ADS on the system?

Question 171 (hard, multi select)

During a forensic analysis of an SSD, the analyst encounters challenges due to TRIM and wear-leveling. Which TWO statements accurately describe the impact of these features on data recovery?

Question 172 (easy, multi select)

An analyst is preparing to analyze a RAID 5 array of three disks. The analyst wants to reconstruct the logical volume for file system analysis. Which THREE steps are essential in this process?
