Courseiva
Knowledge + Practice

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CHFI Database and Application Forensics • Complete Question Bank

CHFI Database and Application Forensics — All Questions With Answers

Complete CHFI Database and Application Forensics question bank — all 0 questions with answers and detailed explanations.

17 Questions • Free • No signup

Question 1 (medium, multiple choice)

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

Question 2 (easy, multiple choice)

A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

Question 3 (hard, multiple choice)

An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

Question 4 (medium, multiple choice)

During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

Question 5 (hard, multiple choice)

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

Question 6 (easy, multi-select)

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

Question 7 (medium, multi-select)

Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?

Question 8 (medium, multiple choice)

Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?

Exhibit

```
MySQL Binary Log Entry:
# at 12345678
#190101 10:00:00 server id 1  end_log_pos 12345679 CRC32 0x12345678 	Query	thread_id=100	exec_time=0	error_code=0
SET TIMESTAMP=1546334400/*!*/;
DELETE FROM users WHERE id=5
/*!*/;
```

Question 9 (hard, multiple choice)

You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?

Question 10 (medium, multi-select)

During a database forensic investigation, an analyst finds that the SQL Server transaction log contains gaps. Which TWO actions should the analyst take to preserve evidence integrity and recover missing transactions?

Question 11 (easy, multiple choice)

Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?

Exhibit

```
SQL> SELECT * FROM v$transaction;

ADDR           XIDUSN XIDSLOT XIDSQN  UBAFIL  UBABLK  UBASQN  UBAOFF  STATUS   START_SCNBAS START_SCNWRP
-------------- ------ ------- ------  ------  ------  ------  ------  -------- ------------ ------------
00000000C0F8  10     12      123456  4       5678    890     0       ACTIVE   1234567890   1

SQL> SELECT COUNT(*) FROM v$transaction WHERE status='ACTIVE';

  COUNT(*)
----------
         1
```

Question 12 (hard, multiple choice)

You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?

Question 13 (medium, multiple choice)

During a database forensic investigation, an analyst recovers a MySQL binary log file (binlog.000012) from a compromised server. Which command should the analyst use to extract the actual SQL statements from this binary log in a human-readable format?

Question 14 (hard, multiple choice)

Refer to the exhibit. A database administrator finds the above error log entries when attempting to start the MySQL service. The server was working fine yesterday. What is the most likely cause of this issue?

Exhibit

```
MySQL Error Log Entry:
[ERROR] Plugin 'InnoDB' init function returned error.
[ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
[ERROR] Unknown/unsupported storage engine: InnoDB
[ERROR] Aborting
```

Question 15 (easy, multiple choice)

A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?

Question 16 (medium, drag order)

Drag and drop the steps to perform a forensic examination of a mobile device (Android) using Cellebrite UFED into the correct order.

Question 17 (medium, matching)

Match each file carving technique to its description.

Uses file signatures to find start and end

Uses internal file structure metadata

Reassembles fragmented files

Uses statistical models to identify file types

Handles files split into two fragments
